IDSAction statement

Use the IDSAction statement to define the action taken by the IDS rule. This statement is associated with an IDS rule with the same ActionType value.

>>-IDSAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{------------------------+---------------------------------|
   +-| IDSAction Parameters |-+   
   '-}------------------------'   

IDSAction Parameters

   .-----------------------------------------.                  
   V                                         |                  
|----ActionType--+-Attack--+-discard-----+-+-+--| ReportSet |---|
                 |         +-nodiscard---+ |                    
                 |         +-resetconn---+ |                    
                 |         '-noresetconn-' |                    
                 +-TR--+-limit---+---------+                    
                 |     '-nolimit-'         |                    
                 +-ScanGlobal--------------+                    
                 '-ScanEvent--count--------'                    

ReportSet

|--+----------------------+-------------------------------------|
   +-IDSReportSet---------+   
   '-IDSReportSetRef name-'   

Parameters

name
A string 1 - 32 characters in length that specifies the name of this IDSAction statement.
ActionType
Indicates the type of IDS action associated with a policy rule.
Attack
Indicates that this is an attack action.
Discard
Discard packets that match the associated rule.
NoDiscard
Do not discard packets that match the associated rule.
ResetConn
Reset the TCP connection or connections associated with the attack.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

NoResetConn
Do not reset the TCP connection or connections associated with the attack.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

Rules:
  • The Discard and NoDiscard values are valid for the following attack types:
    • DATA_HIDING
    • ICMP_REDIRECT
    • IP_FRAGMENT
    • OUTBOUND_RAW
    • OUTBOUND_RAW_IPV6
    • PERPETUAL_ECHO
    • RESTRICTED_IP_OPTIONS
    • RESTRICTED_IP_PROTOCOL
    • RESTRICTED_IPV6_DST_OPTIONS
    • RESTRICTED_IPV6_HOP_OPTIONS
    • RESTRICTED_IPV6_NEXT_HDR
    • FLOOD (NoDiscard is ignored because the stack always discards packets associated with a flood.)
    • MALFORMED_PACKET (NoDiscard is ignored because the stack always discards malformed packets.)
    • EE_MALFORMED_PACKET
    • EE_PORT_CHECK
    • EE_LDLC_CHECK
    • EE_XID_FLOOD (The Discard value is not valid. Use the NoDiscard value.)
    The Discard and NoDiscard values are ignored for all other attack types. For more information, see IDSAttackCondition statement.
  • The ResetConn and NoResetConn values are valid for the following attack types:
    • TCP_QUEUE_SIZE
    • GLOBAL_TCP_STALL
    The ResetConn and NoResetConn values are ignored for all other attack types. For more information, see IDSAttackCondition statement.
  • An IDSAction statement can include two ActionType attack parameters, one with the action Discard or NoDiscard and the other with the action ResetConn or NoResetConn. If more than one ActionType attack parameter is coded with the action Discard or NoDiscard, the last action is used. If more than one ActionType attack parameter is coded with the action ResetConn or NoResetConn, the last action is used.
ScanGlobal
Indicates that this is a scan global action that specifies global scan detection values.
ScanEvent count
Indicates that this is a scan event action for individual scan detection.
count
The value by which the scan event counter for this rule is incremented.
TR
Indicates that this is a traffic regulation action.
Limit
For TCP, this value prevents connections; for UDP, it limits the length of inbound UDP queues.
NoLimit
No limits are placed on the number of TCP connections or the length of inbound UDP queues.

Rule: If you specify more than one ActionType TR parameter, the setting from the last parameter that you specified is used.

IDSReportSet
An inline specification of an IDSReportSet statement.
IDSReportSetRef name
The name of a globally defined IDSReportSet statement.
Rules:
  • The IDSReportSet parameter is allowed for all ActionType values. However, it has no effect if specified for ActionType ScanEvent.
  • Not all parameters specified on the IDSReportSet statement apply to all ActionType values. Such values are ignored by the stack when not applicable to the IDS policy.
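As an added example (not IBM's own code or tooling), the following Python checker parses a constructed Policy Agent fragment containing several IDSAction statements and applies the rules stated above: the 1 - 32 character name limit, the last-one-wins rule when more than one ActionType Attack or ActionType TR parameter is coded, and the attack types for which Discard/NoDiscard and ResetConn/NoResetConn take effect. The statement names, the report set name and the sample configuration are made up for the example.

```python
# Added example, not IBM's code: a small checker for IDSAction statements that
# applies the rules documented for the statement (name length, last-one-wins
# for repeated Attack/TR parameters, and which attack types honour
# Discard/NoDiscard and ResetConn/NoResetConn).
import re

# Attack types for which Discard/NoDiscard take effect (from the rules above).
DISCARD_ATTACK_TYPES = {
    "DATA_HIDING", "ICMP_REDIRECT", "IP_FRAGMENT", "OUTBOUND_RAW",
    "OUTBOUND_RAW_IPV6", "PERPETUAL_ECHO", "RESTRICTED_IP_OPTIONS",
    "RESTRICTED_IP_PROTOCOL", "RESTRICTED_IPV6_DST_OPTIONS",
    "RESTRICTED_IPV6_HOP_OPTIONS", "RESTRICTED_IPV6_NEXT_HDR", "FLOOD",
    "MALFORMED_PACKET", "EE_MALFORMED_PACKET", "EE_PORT_CHECK",
    "EE_LDLC_CHECK", "EE_XID_FLOOD",
}
ALWAYS_DISCARD = {"FLOOD", "MALFORMED_PACKET"}   # NoDiscard is ignored here
NO_DISCARD_ALLOWED = {"EE_XID_FLOOD"}            # Discard is not valid here
RESET_ATTACK_TYPES = {"TCP_QUEUE_SIZE", "GLOBAL_TCP_STALL"}

# Constructed sample configuration in Policy Agent syntax (names are made up).
SAMPLE_CONFIG = """
IDSAction attackAct
{
  ActionType Attack Discard
  ActionType Attack NoDiscard
  ActionType Attack ResetConn
  IDSReportSetRef fullReport
}
IDSAction trAct
{
  ActionType TR NoLimit
  ActionType TR Limit
}
IDSAction scanAct
{
  ActionType ScanEvent 2
}
"""

STMT_RE = re.compile(r"IDSAction\s+(\S+)\s*\{(.*?)\}", re.DOTALL)

def parse_idsactions(text):
    """Return {name: {"actiontypes": [[tokens], ...], "reportset": str|None}}."""
    result = {}
    for name, body in STMT_RE.findall(text):
        if not 1 <= len(name) <= 32:
            raise ValueError(f"IDSAction name {name!r} must be 1-32 characters")
        entry = {"actiontypes": [], "reportset": None}
        for line in body.splitlines():
            tokens = line.split()
            if not tokens:
                continue
            key = tokens[0].lower()
            if key == "actiontype":
                entry["actiontypes"].append(tokens[1:])
            elif key in ("idsreportset", "idsreportsetref"):
                entry["reportset"] = " ".join(tokens)
        result[name] = entry
    return result

def resolve(actiontypes):
    """Apply the last-one-wins rules for repeated Attack and TR parameters."""
    eff = {}
    for tokens in actiontypes:
        kind = tokens[0].lower()
        if kind == "attack":
            action = tokens[1].lower()
            if action in ("discard", "nodiscard"):
                eff["discard"] = action        # last Discard/NoDiscard wins
            elif action in ("resetconn", "noresetconn"):
                eff["resetconn"] = action      # last ResetConn/NoResetConn wins
            else:
                raise ValueError(f"unknown Attack action {tokens[1]!r}")
        elif kind == "tr":
            eff["limit"] = tokens[1].lower()   # last TR parameter wins
        elif kind == "scanglobal":
            eff["scanglobal"] = True
        elif kind == "scanevent":
            eff["scanevent"] = int(tokens[1])
        else:
            raise ValueError(f"unknown ActionType {tokens[0]!r}")
    return eff

def effective_discard(action, attack_type):
    """What the stack does with a Discard/NoDiscard action for one attack type.
    Returns 'discard', 'nodiscard', or None when the value is ignored."""
    if attack_type not in DISCARD_ATTACK_TYPES:
        return None
    if attack_type in ALWAYS_DISCARD:
        return "discard"
    if attack_type in NO_DISCARD_ALLOWED and action == "discard":
        raise ValueError(f"Discard is not valid for {attack_type}; use NoDiscard")
    return action

def effective_resetconn(action, attack_type):
    """ResetConn/NoResetConn only apply to the two TCP attack types listed."""
    return action if attack_type in RESET_ATTACK_TYPES else None

if __name__ == "__main__":
    for name, entry in parse_idsactions(SAMPLE_CONFIG).items():
        print(name, resolve(entry["actiontypes"]), entry["reportset"])
```

Running the block prints, for each sample statement, the effective action the stack would use: attackAct resolves to NoDiscard plus ResetConn because the later Attack parameter overrides the earlier one, and trAct resolves to Limit for the same reason.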