IDSReportSet statement

Use the IDSReportSet statement to specify a report set that you want to associate with actions. A report set can include type of action, statistics interval, logging level, trace data, and trace record size. If a packet meets a policy rule's condition during its validity period, the reports specified in the policy rule's action, such as logging the packet, are produced.

Syntax

>>-IDSReportSet--+------+--| Put Braces and Parameters on Separate Lines |-><
                 '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{---------------------------+------------------------------|
   +-| IDSReportSet Parameters |-+   
   '-}---------------------------'   

IDSReportSet Parameters

   .------------------------------------------------.   
   V                                                |   
|----+--------------------------------------------+-+-----------|
     '-TypeActions--+-CONSOLE--| ConsoleData |--+-'     
                    +-LOG--| LogData |----------+       
                    +-STATISTICS--| StatsData |-+       
                    '-TRACE--| TraceData |------'       

ConsoleData

   .-MaxEventMessage 5-.   
|--+-------------------+----------------------------------------|
   '-MaxEventMessage n-'   

LogData

   .-LogDetail No-------.  .-LoggingLevel 4-.   
|--+--------------------+--+----------------+-------------------|
   '-LogDetail--+-Yes-+-'  '-LoggingLevel n-'   
                '-No--'                         

StatsData

   .-StatType Normal---------.  .-StatInterval 60-.   
|--+-------------------------+--+-----------------+-------------|
   '-StatType--+-Exception-+-'  '-StatInterval n--'   
               '-Normal----'                          

TraceData

   .-TraceData HEADER----------.  .-TraceRecordSize 100-.   
|--+---------------------------+--+---------------------+-------|
   '-TraceData--+-FULL-------+-'  '-TraceRecordSize n---'   
                +-HEADER-----+                              
                +-NONE-------+                              
                '-RECORDSIZE-'                              

Parameters

name
A string 1 - 32 characters in length specifying the name of this IDSReportSet statement.

Rule: If this IDSReportSet statement is not specified inline within another statement, you must provide a name value. If a name is not specified for an inline IDSReportSet statement, a nonpersistent system name is created.

TypeActions
Indicates the type of actions to be taken for IDS events. By default, no TypeActions are defined.
CONSOLE
Report IDS events to the system console.
LOG
Log IDS information to the syslog daemon. Low-level detail records are optionally logged based on the LogDetail value.
STATISTICS
Log statistics to the syslog daemon based on the StatType value.

Result: Statistics are always written to the syslog INFO level.

Rule: The statistics value is applicable when the ConditionType parameter on the IDSRule statement is Attack or TR. For other ConditionType values, the STATISTICS value is ignored.

TRACE
Trace IDS information to the IDS event trace based on the TraceData value. For attack types TCP_QUEUE_SIZE, GLOBAL_TCP_STALL, and EE_XID_FLOOD, the TRACE value is ignored. No tracing is done for those attack types.
MaxEventMessage
Indicates the maximum number of event messages to be displayed on the console during a 5-minute period for an IDS attack type. Valid values are in the range 0 - 4 294 967 295. A value of 0 indicates that attack console messages are not limited. The default value is 5.

Rule: The MaxEventMessage parameter is applicable when the ConditionType parameter in the IDSRule statement is Attack. For other ConditionType values, the MaxEventMessage parameter is ignored.

LogDetail
Indicates whether detailed information is logged to the syslog daemon.
No
Do not log low-level details to the syslog daemon. This is the default value.
Yes
Log low-level details to the syslog daemon when detailed information is available. Low-level details are available when a scan is detected and when a Global TCP Stall attack is detected.
LoggingLevel
Indicates the syslog daemon logging level for logging IDS information. Valid values are in the range 0 - 7. The following values map to syslog daemon priority levels.
0   Emerg/Panic
1   Alert
2   Crit
3   Error
4   Warning
5   Notice
6   Info
7   Debug
The default value is 4.
StatType
Indicates the type of statistics to be gathered.
Normal
Gather all statistics. This is the default value.
Exception
Gather only exception statistics.
StatInterval
Indicates the interval length in minutes for collecting IDS statistics. Valid values are in the range 0 - 4 294 967 295. The default value is 60.
TraceData
Specifies the amount of information written to the IDS event trace.
HEADER
For IPv4 packets, trace the IP and transport headers in the packets. For IPv6 packets, trace the IPv6 header, any extension headers, and the transport header. This is the default value.
FULL
Trace the entire packet.
NONE
No tracing is done.
RECORDSIZE
Trace the amount of data specified by the TraceRecordSize parameter.
TraceRecordSize
Indicates the amount in bytes of packet data to trace, when TraceData is set to RECORDSIZE. Valid values are in the range 0 - 4 294 967 295. The default value is 100.
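
The defaults and value ranges listed above, applied to one statement to show the effective settings and any parameters that would not take effect as written. This is an added example, not IBM code and not part of Policy Agent. Assumptions: the name resolve_report_set, the constructed sample statement, keywords matched with the exact spelling used on this page, and each sub-parameter placed after its own TypeActions value as the syntax diagram shows.

```python
U32 = range(4294967296)  # 0 - 4 294 967 295
# TypeActions value -> {parameter: (default, allowed values)}, as listed on this page.
SPEC = {
    "CONSOLE": {"MaxEventMessage": (5, U32)},
    "LOG": {"LogDetail": ("No", {"Yes", "No"}), "LoggingLevel": (4, range(8))},
    "STATISTICS": {"StatType": ("Normal", {"Normal", "Exception"}), "StatInterval": (60, U32)},
    "TRACE": {"TraceData": ("HEADER", {"FULL", "HEADER", "NONE", "RECORDSIZE"}),
              "TraceRecordSize": (100, U32)},
}

def resolve_report_set(text):
    """Return (name, effective settings per TypeActions value, findings)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split() if lines else [""]
    if head[0] != "IDSReportSet" or len(lines) < 3 or lines[1] != "{" or lines[-1] != "}":
        raise ValueError("expected IDSReportSet [name] with braces on separate lines")
    name = head[1] if len(head) > 1 else None  # None: inline statement without a name
    findings, actions, current = [], {}, None
    if name is not None and len(name) > 32:
        findings.append("name is longer than 32 characters")
    for line in lines[2:-1]:
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "TypeActions":
            current = value if value in SPEC else None
            if current is None:
                findings.append(f"unknown TypeActions value {value!r}")
            else:  # start from the documented defaults
                actions[current] = {p: d for p, (d, _) in SPEC[current].items()}
        elif current is not None and key in SPEC[current]:
            allowed = SPEC[current][key][1]
            numeric = isinstance(allowed, range)
            if (value.isdecimal() and int(value) in allowed) if numeric else value in allowed:
                actions[current][key] = int(value) if numeric else value
            else:  # keep the default and report the rejected value
                findings.append(f"{key} {value} is outside the documented values")
        else:
            findings.append(f"{key} does not belong to the preceding TypeActions value")
    return name, actions, findings

# Constructed sample statement, not taken from a real policy file.
SAMPLE = """IDSReportSet ExampleReports
{
  TypeActions LOG
  LoggingLevel 9
  TypeActions TRACE
  TraceData RECORDSIZE
  TraceRecordSize 200
  StatInterval 30
}"""
```

Calling resolve_report_set(SAMPLE) keeps LoggingLevel at its default of 4 because 9 is outside 0 - 7, and reports StatInterval as misplaced because it follows TRACE rather than STATISTICS.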