Chapter 22 IDP Commands

Note: You CANNOT change the base profile later!

Table 103 Editing/Creating Anomaly Profiles

| COMMAND | DESCRIPTION |
|---|---|
| `idp anomaly newpro [base {all none}]` | Creates a new IDP anomaly profile called newpro. newpro uses the base profile you specify. Enters sub-command mode. All the following commands relate to the new profile. Use `exit` to quit sub-command mode. |
| `scan-detection sensitivity {low medium high}` | Sets scan-detection sensitivity. |
| `no scan-detection sensitivity` | Clears scan-detection sensitivity. The default sensitivity is medium. |
| `scan-detection block-period <1..3600>` | Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack. |
| `[no] scan-detection {tcp-xxx} {activate log [alert] block}` | Activates or deactivates TCP scan detection options where {tcp-xxx} = {tcp-portscan tcp-decoy-portscan tcp-portsweep tcp-distributed-portscan tcp-filtered-portscan tcp-filtered-decoy-portscan tcp-filtered-distributed-portscan tcp-filtered-portsweep}. Also sets TCP scan-detection logs or alerts and blocking. `no` deactivates TCP scan detection, its logs, alerts or blocking. |
| `[no] scan-detection {udp-xxx} {activate log [alert] block}` | Activates or deactivates UDP scan detection options where {udp-xxx} = {udp-portscan udp-decoy-portscan udp-portsweep udp-distributed-portscan udp-filtered-portscan udp-filtered-decoy-portscan udp-filtered-distributed-portscan udp-filtered-portsweep}. Also sets UDP scan-detection logs or alerts and blocking. `no` deactivates UDP scan detection, its logs, alerts or blocking. |
| `[no] scan-detection {ip-xxx} {activate log [alert] block}` | Activates or deactivates IP scan detection options where {ip-xxx} = {ip-protocol-scan ip-decoy-protocol-scan ip-protocol-sweep ip-distributed-protocol-scan ip-filtered-protocol-scan ip-filtered-decoy-protocol-scan ip-filtered-distributed-protocol-scan ip-filtered-protocol-sweep}. Also sets IP scan-detection logs or alerts and blocking. `no` deactivates IP scan detection, its logs, alerts or blocking. |
| `[no] scan-detection {icmp-sweep icmp-filtered-sweep} {activate log [alert] block}` | Activates or deactivates ICMP scan detection options. Also sets ICMP scan-detection logs or alerts and blocking. `no` deactivates ICMP scan detection, its logs, alerts or blocking. |
| `[no] scan-detection open-port {activate log [alert] block}` | Activates or deactivates open port scan detection options. Also sets open port scan-detection logs or alerts and blocking. `no` deactivates open port scan detection, its logs, alerts or blocking. |
| `flood-detection block-period <1..3600>` | Sets for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack. |
| `[no] flood-detection {tcp-flood udp-flood ip-flood icmp-flood} {activate log [alert] block}` | Activates or deactivates TCP, UDP, IP or ICMP flood detection. Also sets flood detection logs or alerts and blocking. `no` deactivates flood detection, its logs, alerts or blocking. |
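The following is an added example of how the commands in Table 103 combine into one anomaly profile; it is not taken from the reference guide or from Zyxel. The profile name `dmz-anomaly`, the block periods, and the reading of `{activate log [alert] block}` as three separate commands per detection option (one to activate, one to set logging with an optional alert, one to block) are assumptions. Lines starting with `#` are annotations, not CLI input.

```text
# Added example (not from the guide). Profile name and values are assumed.
# Base profile cannot be changed after creation, so choose it deliberately.
idp anomaly dmz-anomaly base all

# Sensitivity: default is medium; raise it for a segment that sees heavy scanning.
scan-detection sensitivity high

# Block packets to the victim (destination) for 10 minutes after a detected scan (range 1..3600).
scan-detection block-period 600

# TCP port scans: detect, log with an alert, and block.
scan-detection tcp-portscan activate
scan-detection tcp-portscan log alert
scan-detection tcp-portscan block

# Decoy and filtered variants: detect and log without alert while tuning; add block later.
scan-detection tcp-decoy-portscan activate
scan-detection tcp-decoy-portscan log
scan-detection tcp-filtered-portscan activate
scan-detection tcp-filtered-portscan log

# UDP and ICMP sweeps: detect and log only (monitor-first stance).
scan-detection udp-portsweep activate
scan-detection udp-portsweep log
scan-detection icmp-sweep activate
scan-detection icmp-sweep log

# Flood detection: 5-minute block window; TCP and UDP floods alert and block.
flood-detection block-period 300
flood-detection tcp-flood activate
flood-detection tcp-flood log alert
flood-detection tcp-flood block
flood-detection udp-flood activate
flood-detection udp-flood log alert
flood-detection udp-flood block

# Turn off a noisy option entirely (no removes the option, its logs, alerts and blocking).
no scan-detection open-port activate

# Leave sub-command mode.
exit
```

The monitor-first split (activate and log now, block later) matters because both `block-period` settings discard all packets sent to the detected victim, so a false positive on a scan detection turns into a self-inflicted outage for that destination; review the generated logs and alerts before enabling `block` on the broader scan options.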

 


ZyWALL (ZLD) CLI Reference Guide