Chapter 22 IDP Commands

Table 84 Editing/Creating Anomaly Profiles (continued)

| COMMAND | DESCRIPTION |
| --- | --- |
| [no] scan-detection {ip-xxx} {activate log [alert] block} | Activates or deactivates IP scan detection options where {ip-xxx} = {ip-protocol-scan ip-decoy-protocol-scan ip-protocol-sweep ip-distributed-protocol-scan ip-filtered-protocol-scan ip-filtered-decoy-protocol-scan ip-filtered-distributed-protocol-scan ip-filtered-protocol-sweep}. Also sets IP scan-detection logs or alerts and blocking. no deactivates IP scan detection, its logs, alerts or blocking. |
| [no] scan-detection {icmp-sweep icmp-filtered-sweep} {activate log [alert] block} | Activates or deactivates ICMP scan detection options. Also sets ICMP scan-detection logs or alerts and blocking. no deactivates ICMP scan detection, its logs, alerts or blocking. |
| [no] scan-detection open-port {activate log [alert] block} | Activates or deactivates open port scan detection options. Also sets open port scan-detection logs or alerts and blocking. no deactivates open port scan detection, its logs, alerts or blocking. |
| flood-detection block-period <1..3600> | Sets for how many seconds the NXC blocks all packets from being sent to the victim (destination) of a detected anomaly attack. |
| [no] flood-detection {tcp-flood udp-flood ip-flood icmp-flood} {activate log [alert] block} | Activates or deactivates TCP, UDP, IP or ICMP flood detection. Also sets flood detection logs or alerts and blocking. no deactivates flood detection, its logs, alerts or blocking. |
| [no] http-inspection {http-xxx} activate | Activates or deactivates http-inspection options where http-xxx = {ascii-encoding u-encoding bare-byte-unicode-encoding base36-encoding utf-8-encoding iis-unicode-codepoint-encoding multi-slash-encoding iis-backslash-evasion self-directory-traversal directory-traversal apache-whitespace non-rfc-http-delimiter non-rfc-defined-char oversize-request-uri-directory oversize-chunk-encoding webroot-directory-traversal} |
| http-inspection {http-xxx} log [alert] | Sets http-inspection log or alert. |
| no http-inspection {http-xxx} log | Deactivates http-inspection logs. |
| [no] http-inspection {http-xxx} action {drop reject-sender reject-receiver reject-both}} | Sets http-inspection action |
| [no] tcp-decoder {tcp-xxx} activate | Activates or deactivates tcp decoder options where {tcp-xxx} = {undersize-len undersize-offset oversize-offset bad-length-options truncated-options ttcp-detected obsolete-options experimental-options} |
| tcp-decoder {tcp-xxx} log [alert] | Sets tcp decoder log or alert options. |
| no tcp-decoder {tcp-xxx} log | Deactivates tcp decoder log or alert options. |
| [no] tcp-decoder {tcp-xxx} action {drop reject-sender reject-receiver reject-both}} | Sets tcp decoder action |
| [no] udp-decoder {truncated-header undersize-len oversize-len} activate | Activates or deactivates udp decoder options |


NXC CLI Reference Guide