Use the IDSAction statement to define the action taken by the IDS rule. This statement is associated with an IDS rule with the same ActionType value.
>>-IDSAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{------------------------+---------------------------------|
   +-| IDSAction Parameters |-+
   '-}------------------------'

IDSAction Parameters

   .-----------------------------------------.
   V                                         |
|----ActionType--+-Attack--+-discard-----+-+-+--| ReportSet |---|
                 |         +-nodiscard---+ |
                 |         +-resetconn---+ |
                 |         '-noresetconn-' |
                 +-TR--+-limit---+---------+
                 |     '-nolimit-'         |
                 +-ScanGlobal--------------+
                 '-ScanEvent--count--------'

ReportSet

|--+----------------------+-------------------------------------|
   +-IDSReportSet---------+
   '-IDSReportSetRef name-'
Parameters

- name
  A string 1 - 32 characters in length that specifies the name of this
  IDSAction statement.

- ActionType
  Indicates the type of IDS action associated with a policy rule.

  - Attack
    Indicates that this is an attack action.

    - Discard
      Discard packets that match the associated rule.
    - NoDiscard
      Do not discard packets that match the associated rule.
    - ResetConn
      Reset the TCP connection or connections associated with the attack.
      Restriction: This value is valid only for V1R13 and later releases.
      See General syntax rules for Policy Agent for details.
    - NoResetConn
      Do not reset the TCP connection or connections associated with the
      attack.
      Restriction: This value is valid only for V1R13 and later releases.
      See General syntax rules for Policy Agent for details.

    Rules:
    - The Discard and NoDiscard values are valid for the following attack
      types:
      - DATA_HIDING
      - ICMP_REDIRECT
      - IP_FRAGMENT
      - OUTBOUND_RAW
      - OUTBOUND_RAW_IPV6
      - PERPETUAL_ECHO
      - RESTRICTED_IP_OPTIONS
      - RESTRICTED_IP_PROTOCOL
      - RESTRICTED_IPV6_DST_OPTIONS
      - RESTRICTED_IPV6_HOP_OPTIONS
      - RESTRICTED_IPV6_NEXT_HDR
      - FLOOD (NoDiscard is ignored because the stack always discards
        packets associated with a flood.)
      - MALFORMED_PACKET (NoDiscard is ignored because the stack always
        discards malformed packets.)
      - EE_MALFORMED_PACKET
      - EE_PORT_CHECK
      - EE_LDLC_CHECK
      - EE_XID_FLOOD (The Discard value is not valid. Use the NoDiscard
        value.)
      The Discard and NoDiscard values are ignored for all other attack
      types. For more information, see IDSAttackCondition statement.
    - The ResetConn and NoResetConn values are valid for the following
      attack types:
      - TCP_QUEUE_SIZE
      - GLOBAL_TCP_STALL
      ResetConn and NoResetConn are ignored for all other attack types.
      For more information, see IDSAttackCondition statement.
    - An IDSAction statement can include two ActionType Attack parameters,
      one with the action Discard or NoDiscard and the other with the
      action ResetConn or NoResetConn. If more than one ActionType Attack
      parameter is coded with the action Discard or NoDiscard, the last
      action is used. If more than one ActionType Attack parameter is
      coded with the action ResetConn or NoResetConn, the last action is
      used.

  - ScanGlobal
    Indicates that this is a scan global action that specifies global
    scan detection values.

  - ScanEvent count
    Indicates that this is a scan event action for individual scan
    detection.

    - count
      Increment the scan event counter for this rule.

  - TR
    Indicates that this is a traffic regulation action.

    - Limit
      For TCP, this value prevents connections; for UDP, it limits the
      length of inbound UDP queues.
    - NoLimit
      No limits are placed on the number of TCP connections or the length
      of inbound UDP queues.

    Rule: If you specify more than one ActionType TR parameter, the
    setting from the last parameter that you specified is used.

- IDSReportSet
  An inline specification of an IDSReportSet statement.

- IDSReportSetRef name
  The name of a globally defined IDSReportSet statement.

  Rules:
  - The IDSReportSet parameter is allowed for all ActionType values.
    However, it has no effect if specified for ActionType ScanEvent.
  - Not all parameters specified on the IDSReportSet statement apply to
    all ActionType values. Such values are ignored by the stack when not
    applicable to the IDS policy.
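The following Policy Agent configuration fragment is an added example written to the syntax above; it is not taken from the z/OS Communications Server documentation. It codes one IDSAction statement for each ActionType value so that the four forms can be compared side by side. The statement names and the IDSReportSet name ReportLogStats are assumptions; the IDSReportSet statement that ReportLogStats refers to is not shown because its parameters are documented on the IDSReportSet statement, and the use of `#` for comment lines is likewise assumed.

```text
# Added example, not from the product documentation. Statement names,
# the report set name "ReportLogStats" and the "#" comment syntax are
# assumptions. Braces and parameters are on separate lines as the
# syntax diagram requires.

# Attack action: discard matching packets and reset the TCP connections
# associated with the attack. Discard and ResetConn are the two Attack
# parameters that one IDSAction statement may carry together. Whether
# each one takes effect depends on the attack type of the rule that
# references this action (see the Rules under ActionType Attack).
IDSAction AttackDiscardReset
{
  ActionType Attack Discard
  ActionType Attack ResetConn
  IDSReportSetRef ReportLogStats
}

# Traffic regulation action: for TCP, prevents connections; for UDP,
# limits the length of inbound UDP queues. Only one TR setting is coded,
# so the "last parameter wins" rule does not come into play here.
IDSAction TrLimit
{
  ActionType TR Limit
  IDSReportSetRef ReportLogStats
}

# Scan global action: supplies global scan detection values; reporting
# comes from the referenced IDSReportSet.
IDSAction ScanGlobalReport
{
  ActionType ScanGlobal
  IDSReportSetRef ReportLogStats
}

# Scan event action: increments the scan event counter for the rule.
# An IDSReportSet is permitted here but has no effect for ScanEvent,
# so none is coded.
IDSAction ScanEventCount
{
  ActionType ScanEvent Count
}
```

Each of these statements is referenced from an IDS rule of the same ActionType. Where a report set is specific to one action, an inline `IDSReportSet { ... }` block can replace the `IDSReportSetRef` line; the global reference form is used above so that one set of reporting settings is shared. If an operator later adds a second `ActionType Attack Discard` or `ActionType Attack NoDiscard` line to AttackDiscardReset, or a second `ActionType TR` line to TrLimit, the last such line is the one the stack applies, which is worth checking during policy review because the earlier line remains in the file and can be misread as the active setting.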