show services ids
Syntax
show services ids (destination-table | pair-table | source-table) <brief | extensive | terse> <destination-prefix destination-prefix-name> <interface interface-name> <limit number> <order (anomalies | bytes | flows | packets)> <service-set service-set-name> <source-prefix source-prefix-name> <threshold number>
Description
Display information about intrusion detection service (IDS) events. All events gathered by IDS are reported as anomalies, including some that are not attacks: for example, creating a forward or watch flow, FTP passive, and FTP active are legitimately permitted by the stateful firewall but are still logged as anomalies so that their rates and counts can be tracked. Treat the anomaly counts as a rate-tracking signal, not as a count of blocked attacks.
Options
Option | Description
---|---
destination-table | Display information for an address under possible attack.
pair-table | Display information for a particular suspected attack source and destination address pair.
source-table | Display information for an address that is a suspected attacker.
brief \| extensive \| terse | (Optional) Display the specified level of output.
destination-prefix destination-prefix-name | (Optional) Display information for a particular destination prefix.
interface interface-name | (Optional) Display information for a particular adaptive services interface. On M Series and T Series routers, interface-name can be sp-fpc/pic/port or rspnumber.
limit number | (Optional) Maximum number of entries to display. By default, each table displays the top 32 entries, sorted by the number of events for the chosen ordering criterion. To display more entries, set limit to a value up to 256.
order (anomalies \| bytes \| flows \| packets) | (Optional) Sort the table by one of these criteria: anomalies, bytes, flows, or packets. The default is anomalies.
service-set service-set-name | (Optional) Display information about a particular service set.
source-prefix source-prefix-name | (Optional) Display information about a particular source prefix.
threshold number | (Optional) Limit the display to entries whose value for the criterion selected with order (anomalies, bytes, flows, or packets) exceeds this number. For example, to display all entries with more than 100 flows, specify order flows and threshold 100.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show services ids command. Output fields are listed in the approximate order in which they appear.
Field Name | Field Description | Output Level
---|---|---
Interface | Name of an adaptive services interface. | All levels
Service set | Name of a service set. Individual empty service sets are not displayed, but if no service set has any flows, a flow table header is printed for each service set. | All levels
Sorting order | Primary mode to display information: Anomalies, Bytes, Flows, or Packets. | All levels
Source address | Name of the source address. | All levels
Dest address | Name of the destination address. | All levels
Time | Total time the information has been in the table. | All levels
Flags | Flags can be Forced, F (terse output only), SYNcookie (shown as SYN cookie in the sample output), S (terse output only), Forced+SYNcookie, and F+S (terse output only). The SYNcookie flag is visible only in the destination table. | All levels
Application | Configured application, such as FTP or Telnet. | All levels
Bytes | Total number of bytes sent from the source to the destination address, in thousands (k) or millions (m). | All levels
Packets | Total number of packets sent from the source to the destination address, in thousands (k) or millions (m). | All levels
Flows | Total number of flows of packets sent from the source to the destination address, in thousands (k) or millions (m). | All levels
Anomalies | Total number of packets in the anomaly table, in thousands (k) or millions (m). | All levels
Anomaly description | Type of anomaly detected, one per row. For more information, see the detailed descriptions in the stateful firewall section of the System Log Explorer. | extensive
Count | Number of times that a particular anomaly occurred, in thousands (k) or millions (m). | extensive
Rate (eps) | Anomaly events per second. The IDS subsystem maintains a weighted average of rates, which might not reflect the exact incoming rate of an attack at low rates. At high rates, above about 160 events per second, the displayed rate generally matches the incoming rate. | extensive
Elapsed | Time since the same type of event last occurred. | extensive
Total IDS table entries | Number of entries in the IDS table. This number is not necessarily the sum of all entries displayed. | All levels
Total failed IDS table entry insertions | Number of IDS entries not allowed into the table because the table was full. | All levels
Total number of events (closed flows and anomalies detected) | Total number of events since the system was started or since the | All levels
Sample Output
- show services ids destination-table
- show services ids destination-table extensive
- show services ids destination-table extensive order anomalies
- show services ids pair-table extensive
- show services ids pair-table extensive limit
- show services ids source-table extensive
- show services ids source-table extensive limit
show services ids destination-table
user@host> show services ids destination-table
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address         Time     Flags       Application
any               -> 10.58.255.146        36m12s   SYN cookie
  Bytes: 35.0 m, Packets: 822.0 k, Flows: 274.0 k, Anomalies: 2251.0 k
Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2606018
show services ids destination-table extensive
user@host> show services ids destination-table extensive
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address         Time     Flags       Application
any               -> 10.58.255.146        35m52s   SYN cookie
  Bytes: 34.0 m, Packets: 798.0 k, Flows: 266.0 k, Anomalies: 2251.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  First packet of TCP session not SYN       160.0 k   0          14s
  TCP source or destination port zero       634.0 k   154.6      3m37s
  UDP source or destination port zero       633.0 k   170.0      3m37s
  ICMP header length check failed           2875      0.9        3m37s
  IP fragment assembly timeout              820.0 k   12.8       3m18s
  UDP header length check failed            385       0.5        3m53s
  TCP header length check failed            383       0.5        3m53s
Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2598063
show services ids destination-table extensive order anomalies
user@host> show services ids destination-table extensive order anomalies
Interface: sp-0/2/0, Service set: ss1
IDS sorting order: Anomalies
Source address       Dest address         Time     Flags       Application
192.0.2.1         -> 198.51.100.1         1m28s                junos-ftp
  Bytes: 1065, Packets: 18, Flows: 1, Anomalies: 10
  Anomaly description                            Count  Rate(eps)  Elapsed
  creating forward or watch flow                 1      15.6       1m28s
  Number of open sessions exceeds IDS limit      9      0.8        18s
Total IDS table entries: 3
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies): 11
show services ids pair-table extensive
user@host> show services ids pair-table extensive
Interface: sp-3/2/0, Service set: ss_all_limits
IDS sorting order: Packets
Source address       Dest address         Time     Flags       Application
198.51.100.4         198.51.100.4         2m20s                junos-ftp
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 462.0
  Anomaly description                            Count  Rate   Elapsed
  creating forward or watch flow                 41.0   8.8    2m17s
  Packet rate exceeds IDS src limit              21.0   7.1    2m17s
  Session creation rate exceeds IDS src limit    359.0  99.7   2m16s
  TCP SYN flood attack                           41.0   1.9    1m30s
Total IDS table entries: 3
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies): 462
show services ids pair-table extensive limit
user@host> show services ids pair-table extensive limit 3
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address         Time     Flags       Application
10.58.255.18      -> 10.58.255.146        38m41s   SYN cookie
  Bytes: 286.0 m, Packets: 2823.0 k, Flows: 324.0 k, Anomalies: 387.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  First packet of TCP session not SYN       160.0 k   0.1        25s
  TCP source or destination port zero       69.0 k    14.1       6m26s
  UDP source or destination port zero       68.0 k    12.7       6m26s
  ICMP header length check failed           318       0.1        7m6s
  IP fragment assembly timeout              88.0 k    1.3        6m7s
  UDP header length check failed            39        0.0        6m58s
  TCP header length check failed            46        0.0        6m45s
10.58.255.23      -> 10.58.255.146        18m48s   SYN cookie
  Bytes: 104.0 m, Packets: 421.0 k, Flows: 230, Anomalies: 124.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  TCP source or destination port zero       37.0 k    9.8        6m26s
  UDP source or destination port zero       37.0 k    8.4        6m26s
  IP fragment assembly timeout              48.0 k    1.0        6m7s
  ICMP header length check failed           190       0.2        6m47s
  UDP header length check failed            29        0.0        6m51s
  TCP header length check failed            23        0.0        6m59s
10.58.255.25      -> 10.58.255.146        18m48s   SYN cookie
  Bytes: 104.0 m, Packets: 420.0 k, Flows: 232, Anomalies: 123.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  TCP source or destination port zero       37.0 k    9.8        6m26s
  UDP source or destination port zero       37.0 k    8.6        6m26s
  IP fragment assembly timeout              48.0 k    1.5        6m7s
  ICMP header length check failed           173       0.1        6m43s
  UDP header length check failed            24        0.0        6m43s
  TCP header length check failed            19        0.0        6m56s
Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2659291
show services ids source-table extensive
user@host> show services ids source-table extensive
Interface: sp-3/2/0, Service set: ss_all_limits
IDS sorting order: Packets
Source address       Dest address         Time     Flags       Application
198.51.100.4         any                  2m43s                junos-ftp
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 462.0
  Anomaly description                            Count  Rate   Elapsed
  creating forward or watch flow                 41.0   8.8    2m40s
  Packet rate exceeds IDS src limit              21.0   7.1    2m40s
  Session creation rate exceeds IDS src limit    359.0  99.7   2m39s
  TCP SYN flood attack                           41.0   1.9    1m53s
Total IDS table entries: 3
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies): 462
show services ids source-table extensive limit
user@host> show services ids source-table extensive limit 3
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address         Time     Flags       Application
10.58.255.18      -> any                  40m 0s   SYN cookie
  Bytes: 250.0 m, Packets: 1978.0 k, Flows: 356.0 k, Anomalies: 387.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  TCP source or destination port zero       37.0 k    9.8        6m26s
  First packet of TCP session not SYN       160.0 k   0.0        40s
  TCP source or destination port zero       69.0 k    62.5       7m45s
  UDP source or destination port zero       68.0 k    56.2       7m45s
  ICMP header length check failed           319       0.1        7m49s
  IP fragment assembly timeout              89.0 k    4.4        7m26s
  UDP header length check failed            39        0.0        8m17s
  TCP header length check failed            46        0.0        8m4s
10.58.255.30      -> any                  20m 7s   SYN cookie
  Bytes: 107.0 m, Packets: 427.0 k, Flows: 264, Anomalies: 125.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  UDP source or destination port zero       38.0 k    65.5       7m45s
  TCP source or destination port zero       37.0 k    38.1       7m45s
  IP fragment assembly timeout              49.0 k    4.1        7m26s
  TCP header length check failed            24        0.0        9m23s
  ICMP header length check failed           165       0.1        8m6s
  UDP header length check failed            26        0.0        8m13s
10.58.255.17      -> any                  20m10s   SYN cookie
  Bytes: 107.0 m, Packets: 426.0 k, Flows: 262, Anomalies: 125.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  TCP source or destination port zero       38.0 k    55.        7m45s
  UDP source or destination port zero       38.0 k    55.1       7m45s
  ICMP header length check failed           147       0.1        7m50s
  IP fragment assembly timeout              49.0 k    2.8        7m26s
  TCP header length check failed            22        0.0        9m33s
  UDP header length check failed            22        0.0        8m1s
Total IDS table entries: 87
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2691423
Interface: sp-1/3/0, Service set: blue
NAT pool           Address                         Port        Ports in use
d2-pool            10.59.16.100-10.59.16.100       4000-4002   1
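The output above is meant to be read at the CLI, but the same tables are what a SOC usually wants to collect and alert on. The Python below is an added example, not Junos OS code or part of this reference: it parses an extensive table into records, expands the k/m counter suffixes, reproduces the order/threshold filtering of the options section offline, and separates attack-type anomaly rows from the informational ones the Description calls out (creating a forward or watch flow, FTP passive, FTP active). The SAMPLE text is constructed to follow the layout of the samples on this page; the flag spellings, the informational anomaly strings and the strictly-greater-than reading of threshold are assumptions taken from this page's own text and output.

```python
# Added example (not Junos OS code): parse 'show services ids ... extensive' output into
# records and apply order/threshold filtering offline. SAMPLE is constructed to follow the
# layout of this page's sample output (k/m-scaled counters, 'SYN cookie' flag, anomaly rows).
import re
from dataclasses import dataclass, field

SAMPLE = """\
user@host> show services ids destination-table extensive
Interface: sp-1/3/0, Service set: null-sfw
Sorting order: Packets
Source address       Dest address         Time     Flags       Application
any               -> 10.58.255.146        35m52s   SYN cookie
  Bytes: 34.0 m, Packets: 798.0 k, Flows: 266.0 k, Anomalies: 2251.0 k
  Anomalies                                 Count     Rate(eps)  Elapsed
  First packet of TCP session not SYN       160.0 k   0          14s
  TCP source or destination port zero       634.0 k   154.6      3m37s
198.51.100.4      -> 198.51.100.7          2m20s                junos-ftp
  Bytes: 5.7k, Packets: 102.0, Flows: 41.0, Anomalies: 82.0
  Anomaly description                       Count     Rate(eps)  Elapsed
  creating forward or watch flow            41.0      8.8        2m17s
  TCP SYN flood attack                      41.0      1.9        1m30s
Total IDS table entries: 2
Total failed IDS table entry insertions 0
Total number of events (closed flows and anomalies detected): 2333
"""

SCALE = {"": 1, "k": 1_000, "m": 1_000_000}                  # suffixes used by the CLI
TIME = r"\d+m\s*\d*s?|\d+s"                                  # 36m12s, 40m 0s, 18s
_ENTRY = re.compile(r"^(\S+)\s+(?:->\s+)?(\S+)\s+(%s)\s*(.*)$" % TIME)
_COUNTER = re.compile(r"(Bytes|Packets|Flows|Anomalies):\s*([\d.]+)\s*([km])?")
_ANOMALY = re.compile(r"^(.*?)\s+([\d.]+)\s*([km])?\s+([\d.]+)\s+(%s)$" % TIME)
_TOTAL = re.compile(r"^Total (.+?):?\s+(\d+)$")
FLAGS = ("Forced+SYN cookie", "SYN cookie", "Forced", "F+S", "F", "S")  # spellings from the page
# Permitted-but-counted types per the Description; exact strings assumed from the sample output.
INFORMATIONAL = {"creating forward or watch flow", "FTP passive", "FTP active"}

@dataclass
class Entry:
    source: str
    dest: str
    time: str
    flags: str
    application: str
    counters: dict = field(default_factory=dict)   # Bytes/Packets/Flows/Anomalies as plain ints
    anomalies: list = field(default_factory=list)  # (description, count, rate_eps, elapsed)

def _scale(num, unit):
    return int(round(float(num) * SCALE[(unit or "").lower()]))

def _split_flags(rest):
    for flag in FLAGS:
        if rest == flag or rest.startswith(flag + " "):
            return flag, rest[len(flag):].strip()
    return "", rest

def parse_ids(text):
    rep = {"interface": "", "service_set": "", "order": "", "entries": [], "totals": {}}
    cur, in_anom = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "> show services" in line or line.startswith("Source address"):
            continue
        if line.startswith("Interface:"):
            m = re.match(r"Interface:\s*(\S+),\s*Service set:\s*(\S+)", line)
            rep["interface"], rep["service_set"] = m.group(1), m.group(2)
        elif "sorting order:" in line.lower():
            rep["order"] = line.split(":", 1)[1].strip()
        elif line.startswith("Total "):
            m = _TOTAL.match(line)
            rep["totals"][m.group(1)] = int(m.group(2))
        elif line.startswith("Bytes:") and cur is not None:
            for name, num, unit in _COUNTER.findall(line):
                cur.counters[name] = _scale(num, unit)
        elif line.startswith("Anomal") and line.endswith("Elapsed"):
            in_anom = True                                   # header of the anomaly list
        elif in_anom and (m := _ANOMALY.match(line)):
            desc, num, unit, rate, elapsed = m.groups()
            cur.anomalies.append((desc, _scale(num, unit), float(rate), elapsed))
        elif (m := _ENTRY.match(line)):
            flags, app = _split_flags(m.group(4).strip())
            cur = Entry(m.group(1), m.group(2), m.group(3), flags, app)
            rep["entries"].append(cur)
            in_anom = False
    return rep

def above_threshold(report, order, threshold):
    """Offline 'order <criterion> threshold <n>'; 'more than 100 flows' read as strictly greater."""
    key = order.capitalize()
    hits = [e for e in report["entries"] if e.counters.get(key, 0) > threshold]
    return sorted(hits, key=lambda e: e.counters[key], reverse=True)

def hot_anomalies(report, min_eps):
    """Attack-type rows at or above min_eps; below ~160 eps the CLI rate is a weighted average."""
    return [(e.source, e.dest, desc, rate)
            for e in report["entries"]
            for desc, _count, rate, _elapsed in e.anomalies
            if desc not in INFORMATIONAL and rate >= min_eps]
```

Feed `parse_ids` the text of a captured CLI session; `above_threshold(rep, "flows", 100)` then gives the same entries as `order flows threshold 100`, and `hot_anomalies(rep, 1.0)` returns only the rows worth an alert (SYN floods, port-zero traffic, rate-limit hits) with the informational flow-creation and FTP rows removed. Because the displayed Rate (eps) is a weighted average below roughly 160 events per second, use the Count column, not a low eps cut-off, when you need an exact figure.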
Release Information
Command introduced before Junos OS Release 7.4.