Name

adaptive-firewall — format of adaptive-firewall component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the adaptive-firewall component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).

Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the names must be used.

The following enumerations are used in adaptive-firewall configuration directives:

yes-no (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

report-mode (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

task-frequency (see common(5))

listen-on-sock (see listen-on(5))

ids-agent-log-level (name-usage obligatory)

IDS log level

none

No messages are logged

emergency

Only emergency messages are logged

alert

Alert messages and above are logged

critical

Critical messages and above are logged

error

Error messages and above are logged

warning

Warning messages and above are logged

notice

Notice messages and above are logged

info

Informational messages and above are logged

perf

Performance messages and above are logged

config

Configuration messages and above are logged

debug

All possible messages are logged

ids-agent-detection-direction (name-usage obligatory)

Which address to detect as suspicious

src

Report source address

dst

Report destination address

both

Report both source and destination addresses

ids-agent-protocol (name-usage obligatory)

IDS protocols to inspect

any

Scan any protocol

tcp

Scan TCP protocol

udp

Scan UDP protocol

dcerpc

Scan DCERPC protocol

dhcp

Scan DHCP protocol

dns

Scan DNS protocol

ftp

Scan FTP protocol

http

Scan HTTP protocol

icmp

Scan ICMP protocol

ikev2

Scan IKEV2 protocol

imap

Scan IMAP protocol

krb5

Scan KRB5 protocol

msn

Scan MSN protocol

nfs

Scan NFS protocol

ntp

Scan NTP protocol

smtp

Scan SMTP protocol

ssh

Scan SSH protocol

tls

Scan TLS protocol

ids-agent-rule-action (name-usage obligatory)

IPS rule action

alert

Generate an alert but do not block the traffic.

The alerts are sent to the Kernun base station for further analysis.

pass

Ignore the packet

block

Generate an alert and block the traffic.

IPS mode must be enabled by specifying the section ADAPTIVE-FIREWALL.IPS; otherwise this action behaves like ALERT.

Note that it may take up to a minute for the traffic to be blocked.

ids-agent-threshold-type (name-usage obligatory)

IDS rules threshold type

threshold

Sets a minimum threshold for a rule before it generates an alert.

A threshold setting of COUNT means that an alert is generated on the COUNT-th time the rule matches.

limit

If set to limit COUNT, it alerts at most COUNT times.

both

Applies both thresholding and limiting.

ids-agent-threshold-track-by (name-usage obligatory)

IDS rules threshold track by

src

Track the policy rule by source.

dst

Track the policy rule by destination.

ids-agent-rate-filter-track-by (name-usage obligatory)

IDS rules filter track by

src

Track the policy rule by source.

The tracking is done per IP-address.

dst

Track the policy rule by destination.

The tracking is done per IP-address.

rule

Track the policy rule globally for the rule.

both

Track the policy rule by a pair of source and destination.

The tracking is done per IP address. Packets going in opposite directions between the same two addresses are tracked as the same pair.

ids-agent-suppress-direction (name-usage obligatory)

IDS rules suppress direction

src

Suppress the IDS rule for given source addresses.

dst

Suppress the IDS rule for given destination addresses.

any

Suppress the IDS rule for given addresses (source or destination).

policy-level (name-usage obligatory)

Adaptive Database Record Levels

medium, high, highest

ITEMS AND SECTIONS

Configuration of the adaptive-firewall library component consists of the following prototypes:

* ids-watchdog name { ... }
  ids-agent-from-to ... ;
* ids-agent-rule-def name { ... }
* ids-agent-base-rule-policy name { ... }
* ids-agent-base-rate-filter name { ... }
* ids-agent-base-threshold name { ... }
* ids-agent-base-suppress name { ... }
  ids-agent-base-change-rule ... ;
  ids-agent { ... }
  adaptive-firewall { ... }

Description:

ids-watchdog name {
  id ... ;
  file ... ;
* pattern ... ;
* threshold ... ;
  record-lifetime ... ;
  blocking ... ;
  max-entries ... ;
}

A detector that monitors files for patterns.

It watches lines being added to the given file and searches them for the given patterns.

Constraints:

Watchdog identification must be specified.

At least one pattern must be specified.

Items & subsections:

id key;

Watchdog Identification.

key (type: str)

Source ID.

file path;

Path to the file being monitored.

path (type: str)

pattern pat;

Pattern being searched for.

pat (type: regexp)

Searched pattern.

The position of the IP address should be marked by parentheses.

threshold count sec;

Thresholds for watchdog failures.

If the given number of matching attempts is found in the file within the given time period, the client IP address is reported by the watchdog.

count (type: uint8)

sec (type: uint32)

Constraints:

Maximum COUNT value is 10.

record-lifetime [sec];

Address record lifetime.

Addresses not seen within this period are removed from the IDS database.

sec (type: uint32, optional, default: 86400)

blocking [mode];

Address blocking configuration.

mode (type: yes-no, optional, default: yes)

max-entries [size];

Maximum number of IPS table entries held in PF.

size (type: uint32, optional, default: 200000)

Maximum table size.

[End of section ids-watchdog description.]
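The watchdog semantics above (a regexp whose parenthesised group captures the client IP address, a threshold of COUNT matches within SEC seconds, and RECORD-LIFETIME expiry of the IDS database) as an added Python model run over constructed sshd-style log lines. This is illustrative code written for this page, not Kernun's implementation; the class and function names are the example's own.

```python
import re
import ipaddress
from collections import defaultdict, deque

class Watchdog:
    """Model of one ids-watchdog detector: new lines of the monitored file are
    searched for patterns whose first parenthesised group captures the client
    IP address, and an address is reported once it produces COUNT matches
    within SEC seconds (the threshold item)."""

    def __init__(self, source_id, patterns, count, sec, record_lifetime=86400):
        if not 1 <= count <= 10:                 # page: maximum COUNT value is 10
            raise ValueError("threshold count must be between 1 and 10")
        if not patterns:
            raise ValueError("at least one pattern must be specified")
        self.patterns = [re.compile(p) for p in patterns]
        if any(p.groups < 1 for p in self.patterns):
            raise ValueError("a pattern must capture the IP address in parentheses")
        self.source_id, self.count, self.sec = source_id, count, sec
        self.record_lifetime = record_lifetime
        self.hits = defaultdict(deque)           # ip -> timestamps of recent matches
        self.records = {}                        # ip -> last seen (the IDS database)

    def feed(self, line, now):
        """Process one appended line at time NOW (seconds). Returns the reported
        IP address when the threshold is reached, else None."""
        for pat in self.patterns:
            m = pat.search(line)
            if not m:
                continue
            try:
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue                         # captured text is not an address
            self.records[ip] = now
            q = self.hits[ip]
            q.append(now)
            while q and now - q[0] > self.sec:   # forget matches outside the window
                q.popleft()
            if len(q) >= self.count:
                q.clear()                        # one report per COUNT matches
                return ip
        return None

    def expire(self, now):
        """Drop addresses not seen within RECORD-LIFETIME; returns the removed IPs."""
        stale = [ip for ip, seen in self.records.items()
                 if now - seen > self.record_lifetime]
        for ip in stale:
            del self.records[ip]
            self.hits.pop(ip, None)
        return stale

# Constructed sample: (arrival time in seconds, sshd-style log line).
SAMPLE_LOG = [
    (0,   "sshd[101]: Failed password for root from 203.0.113.5 port 51000 ssh2"),
    (10,  "sshd[101]: Failed password for admin from 203.0.113.5 port 51002 ssh2"),
    (20,  "sshd[102]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2"),
    (25,  "sshd[101]: Failed password for root from 203.0.113.5 port 51004 ssh2"),
    (400, "sshd[103]: Failed password for root from 198.51.100.9 port 42000 ssh2"),
]

def run_sample(count=3, sec=60):
    """Feed SAMPLE_LOG to a watchdog with threshold COUNT SEC; returns the
    addresses it reports, in order."""
    wd = Watchdog("ssh-bruteforce",
                  [r"Failed password for \S+ from (\S+) port"], count, sec)
    return [ip for ts, line in SAMPLE_LOG if (ip := wd.feed(line, ts))]

if __name__ == "__main__":
    print(run_sample())   # ['203.0.113.5']
```

With the default threshold the third failed login from 203.0.113.5 at t=25 lands inside the 60-second window and the address is reported; narrowing the window to 20 seconds lets the same burst through unreported.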

ids-agent-from-to [hosts [ports]];

hosts (type: host-set, optional, default: *)

Set of hosts to apply the rule to

ports (type: port-set, optional, default: *)

Set of ports to apply the rule to

ids-agent-rule-def name {
  action ... ;
  protocol ... ;
  src ... ;
  dst ... ;
  options ... ;
}

IDS rule to be added

Constraints:

ACTION must be specified.

OPTIONS must be specified.

Items & subsections:

action action;

Rule action.

action (type: ids-agent-rule-action)

protocol [proto];

Protocol to be scanned. Defaults to any protocol if omitted.

The available protocols depend on the agent configuration. The protocols listed here are available in the default agent configuration.

proto (type: ids-agent-protocol, optional, default: any)

src [hosts [ports]];

Source addresses and ports. Defaults to any address and any port if omitted.

hosts (type: host-set, optional, default: *)

Set of hosts to apply the rule to

ports (type: port-set, optional, default: *)

Set of ports to apply the rule to

dst [hosts [ports]];

Destination addresses and ports. Defaults to any address and any port if omitted.

hosts (type: host-set, optional, default: *)

Set of hosts to apply the rule to

ports (type: port-set, optional, default: *)

Set of ports to apply the rule to

options options;

Rule definition.

See the Suricata documentation for the options syntax.

For example: "msg:\"Testing rule\"; flow:to_server,established; content:\"TEST\"; sid:1999999; classtype:unknown;"

Note that SID numbers have to be unique; the range between 1500000 and 1999999 can be used for custom rules.

options (type: str)

[End of section ids-agent-rule-def description.]

ids-agent-base-rule-policy name {
* sid ... ;
}

IDS rule policy base.

Items & subsections:

sid sid;

Signature identifier

sid (type: uint64)

[End of section ids-agent-base-rule-policy description.]

ids-agent-base-rate-filter name {
* sid ... ;
  track-by ... ;
  count ... ;
  seconds ... ;
  new-action ... ;
  timeout ... ;
}

IDS rule rate filter base.

The ids-agent-base-rate-filter section is derived from the ids-agent-base-rule-policy section prototype. For a detailed description, see above.

Changes to the ids-agent-base-rate-filter section:

Item TRACK-BY required.

Item COUNT required.

Item SECONDS required.

Item NEW-ACTION required.

Item TIMEOUT required.

Added items & subsections:

track-by src;

track-by dst;

track-by rule;

track-by both;

How to track the exception.

<branching element> (type: ids-agent-rate-filter-track-by)

count count;

Number of rule hits before this exception is activated.

count (type: uint64)

seconds seconds;

Time period within which the COUNT needs to be reached to activate this exception.

seconds (type: uint64)

new-action action;

The rule action is changed to this action when this exception matches.

action (type: ids-agent-rule-action)

timeout timeout;

Time in seconds during which this exception remains active.

timeout (type: uint64)

[End of section ids-agent-base-rate-filter description.]

ids-agent-base-threshold name {
* sid ... ;
  type ... ;
  track-by ... ;
  count ... ;
  seconds ... ;
}

Threshold base.

The ids-agent-base-threshold section is derived from the ids-agent-base-rule-policy section prototype. For a detailed description, see above.

Changes to the ids-agent-base-threshold section:

Item TYPE required.

Item TRACK-BY required.

Item COUNT required.

Item SECONDS required.

Added items & subsections:

type threshold;

type limit;

type both;

Threshold type.

<branching element> (type: ids-agent-threshold-type)

track-by src;

track-by dst;

How to track the threshold.

<branching element> (type: ids-agent-threshold-track-by)

count count;

The COUNT as described by TYPE.

count (type: uint64)

seconds seconds;

Time period within which the COUNT needs to be reached to activate this threshold.

seconds (type: uint64)

[End of section ids-agent-base-threshold description.]
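The rate-filter and threshold semantics documented above (the ids-agent-rate-filter-track-by and ids-agent-threshold-type enumerations, ids-agent-base-rate-filter and ids-agent-base-threshold) as one added Python model run over a constructed event stream. The code is written for this page and is not Kernun's or Suricata's; the behaviour of type "both" (one alert per window once COUNT matches were seen) is assumed from the Suricata documentation the page refers to.

```python
from collections import defaultdict, deque

def track_key(track_by, sid, src, dst):
    """Tracking key per the track-by enumerations: 'both' is an unordered
    address pair, so traffic in either direction shares one counter."""
    if track_by == "src":
        return (sid, src)
    if track_by == "dst":
        return (sid, dst)
    if track_by == "rule":
        return (sid,)
    if track_by == "both":
        return (sid, frozenset((src, dst)))
    raise ValueError(f"unknown track-by {track_by!r}")

class RateFilter:
    """ids-agent-base-rate-filter: after COUNT hits within SECONDS the rule
    action becomes NEW-ACTION for TIMEOUT seconds."""

    def __init__(self, track_by, count, seconds, new_action, timeout):
        self.track_by, self.count, self.seconds = track_by, count, seconds
        self.new_action, self.timeout = new_action, timeout
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits
        self.active_until = {}           # key -> time the exception expires

    def action(self, rule_action, sid, src, dst, now):
        """Effective action for a match of rule SID at time NOW (seconds)."""
        key = track_key(self.track_by, sid, src, dst)
        if now < self.active_until.get(key, -1):
            return self.new_action
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] > self.seconds:   # forget hits outside window
            q.popleft()
        if len(q) >= self.count:
            self.active_until[key] = now + self.timeout
            q.clear()
            return self.new_action
        return rule_action

class Threshold:
    """ids-agent-base-threshold with TYPE threshold, limit or both:
    threshold - alert on every COUNT-th match within SECONDS,
    limit     - alert on at most the first COUNT matches within SECONDS,
    both      - one alert per SECONDS window once COUNT matches were seen
                (assumed from the Suricata documentation for type both)."""

    def __init__(self, kind, track_by, count, seconds):
        if kind not in ("threshold", "limit", "both"):
            raise ValueError(f"unknown threshold type {kind!r}")
        if track_by not in ("src", "dst"):
            raise ValueError("threshold track-by must be src or dst")
        self.kind, self.track_by = kind, track_by
        self.count, self.seconds = count, seconds
        self.window = {}   # key -> (window start, matches so far, alerted)

    def alert(self, sid, src, dst, now):
        """True when a match of SID at time NOW should raise an alert."""
        key = track_key(self.track_by, sid, src, dst)
        start, n, alerted = self.window.get(key, (now, 0, False))
        if now - start > self.seconds:   # window elapsed: start a fresh one
            start, n, alerted = now, 0, False
        n += 1
        if self.kind == "threshold":
            fire = n == self.count
            if fire:
                n = 0                    # count the next COUNT matches anew
        elif self.kind == "limit":
            fire = n <= self.count
        else:
            fire = n >= self.count and not alerted
            alerted = alerted or fire
        self.window[key] = (start, n, alerted)
        return fire

# Constructed event stream: (time, sid, src, dst), one source hitting the
# same rule every 5 seconds.
EVENTS = [(t, 1999999, "203.0.113.9", "192.0.2.10") for t in range(0, 50, 5)]

def demo():
    """Run a rate filter and each threshold type over EVENTS."""
    rf = RateFilter("src", count=3, seconds=60, new_action="block", timeout=120)
    actions = [rf.action("alert", sid, s, d, t) for t, sid, s, d in EVENTS]
    alerts = {}
    for kind in ("threshold", "limit", "both"):
        th = Threshold(kind, "src", count=3, seconds=20)
        alerts[kind] = [t for t, sid, s, d in EVENTS if th.alert(sid, s, d, t)]
    return actions, alerts
```

For the same ten hits the rate filter flips the action to "block" from the third hit onward, while the three threshold types alert at 10 and 35 s (threshold), at the first three hits of each 20-second window (limit), or once per window (both).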

ids-agent-base-suppress name {
* sid ... ;
  direction ... ;
  address ... ;
}

Exception base.

The ids-agent-base-suppress section is derived from the ids-agent-base-rule-policy section prototype. For a detailed description, see above.

Added items & subsections:

direction src;

direction dst;

direction [any];

Direction of the suppression.

<branching element> (type: ids-agent-suppress-direction, optional, default: any)

address [address];

The addresses and ports to base the suppression on.

address (type: host-set, optional, default: *)

Set of hosts to apply the rule to

[End of section ids-agent-base-suppress description.]

ids-agent-base-change-rule sid;

Change rule base.

sid (type: uint64-list)

Constraints:

SID list must not be empty.

ids-agent {
  phase ... ;
* tag ... ;
* iface ... ;
  record-lifetime ... ;
  max-entries ... ;
  rules { ... }
  blocking { ... }
  engine { ... }
  rotate-log ... ;
}

An IDS application for advanced inspection of network traffic.

It uses complex rules downloaded from a central server to monitor traffic on the given interfaces.

Constraints:

At least one IFACE has to be specified.

Items & subsections:

phase [number];

Application Startup Phase.

number (type: uint8, optional, default: 50)

Phase number; the lower the number, the earlier the start.

tag value;

Configuration factorization tag.

This feature allows the administrator to create groups of Kernun applications (especially proxies and servers) according to various aspects (belonging to one customer, applications handling particular network traffic, etc.).

Each application can have several tag attributes, and the KAT tool can run some commands (like 'ps', 'start', etc.) for applications with or without a given tag.

value (type: str)

Constraints:

A tag may contain only letters, digits, hyphens and dots.

iface name;

Network interfaces watched by the IDS agent.

Warning!:

For all interfaces IDS-AGENT listens on, it is necessary to disable various hardware offloading features by adding the flags -rxcsum -tso -toe -lro to ifconfig.

Otherwise, IDS-AGENT will set these flags when starting and unset them when stopping, which causes the interface to be restarted.

This is done automatically for all hardware interfaces and for interfaces of types vlan, vmx and lagg.

It is therefore recommended to perform a reboot after adding, changing or removing item IDS-AGENT.IFACE, especially if you have a cluster.

name (type: name of interface, see interface(5))

record-lifetime [sec];

Address record lifetime.

Hosts not seen within this period are removed from the DB.

sec (type: uint32, optional, default: 86400)

max-entries [size];

Maximum number of IPS table entries held in PF.

size (type: uint32, optional, default: 200000)

Maximum table size.

rules {
* add-rule name { ... }
* include-rules ... ;
* modify-rules ... ;
  enable-rules ... ;
  disable-rules ... ;
  change-rules-to-block ... ;
* rule-rate-filter name { ... }
* global-rate-filter name { ... }
* rule-threshold name { ... }
* global-threshold name { ... }
* rule-suppress name { ... }
* global-suppress name { ... }
}

IDS rules configuration and modification.

Items & subsections:

add-rule name {
  action ... ;
  protocol ... ;
  src ... ;
  dst ... ;
  options ... ;
}

Custom IDS rule

The add-rule section is derived from the ids-agent-rule-def section prototype. For a detailed description, see above.

include-rules file;

Include raw-defined rules from a file.

file (type: name of shared-file, see common(5))

File to include raw-defined rules from

modify-rules sid replace-regex replace-with;

Modify IDS rules.

sid (type: uint64-list)

replace-regex (type: regexp)

replace-with (type: str)

Constraints:

SID list must not be empty.

enable-rules sid;

Enable IDS rules

sid (type: uint64-list)

Constraints:

SID list must not be empty.

disable-rules sid;

Disable IDS rules.

A disabled rule is not passed to the agent.

sid (type: uint64-list)

Constraints:

SID list must not be empty.

change-rules-to-block sid;

Change the action of IDS rules to block.

sid (type: uint64-list)

Constraints:

SID list must not be empty.
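The custom-rule and rule-modification items above (the SID uniqueness and 1500000-1999999 range rule of add-rule OPTIONS, plus modify-rules, disable-rules and change-rules-to-block applied to a rule set) as an added Python example over constructed Suricata-syntax rules. This is illustrative code written for this page, not the CML's; the sample sids are made up, and rewriting the action keyword to "block" mirrors the page's own action name rather than the text the CML actually emits.

```python
import re

CUSTOM_SID_RANGE = range(1500000, 2000000)   # page: 1500000 to 1999999
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def rule_sid(rule):
    """sid of a Suricata rule line or options string, None if absent."""
    m = SID_RE.search(rule)
    return int(m.group(1)) if m else None

def check_custom_options(options, existing_sids):
    """Validate the OPTIONS string of an add-rule item: it must carry a sid in
    the custom range that no other rule already uses. Returns the sid."""
    sid = rule_sid(options)
    if sid is None:
        raise ValueError("options must contain a sid")
    if sid not in CUSTOM_SID_RANGE:
        raise ValueError(f"sid {sid} is outside the custom range 1500000-1999999")
    if sid in existing_sids:
        raise ValueError(f"sid {sid} is already used")
    return sid

def apply_rule_changes(rules, modify=(), disable=(), to_block=()):
    """Apply rules-section items to a list of rule lines:
      modify   -> (sid set, replace-regex, replace-with) per modify-rules item
      disable  -> sids of disable-rules (dropped, so never passed to the agent)
      to_block -> sids of change-rules-to-block
    The 'block' keyword written here is the page's action name; the page does
    not show how the CML renders it in rule text (assumption)."""
    disabled, blocked = set(disable), set(to_block)
    out = []
    for rule in rules:
        sid = rule_sid(rule)
        if sid in disabled:
            continue
        for sids, pattern, repl in modify:
            if sid in sids:
                rule = re.sub(pattern, repl, rule)
        if sid in blocked:
            rule = re.sub(r"^\s*\w+", "block", rule, count=1)
        out.append(rule)
    return out

# Constructed rule set in Suricata syntax (sample sids, not real signatures).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"sample web probe"; content:"/probe"; sid:2000001; rev:1;)',
    'alert dns $HOME_NET any -> any 53 '
    '(msg:"sample dns lookup"; content:"sample"; sid:2000002; rev:1;)',
    'alert tcp any any -> $HOME_NET $SSH_PORTS (msg:"sample ssh burst"; '
    'threshold:type limit, track by_src, count 5, seconds 60; sid:2000003; rev:1;)',
]

def demo():
    """Disable one rule, relax the burst threshold of another, block a third."""
    return apply_rule_changes(
        SAMPLE_RULES,
        modify=[({2000003}, r"count 5, seconds 60", "count 10, seconds 120")],
        disable=[2000002],
        to_block=[2000001],
    )
```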

rule-rate-filter name {
* sid ... ;
  track-by ... ;
  count ... ;
  seconds ... ;
  new-action ... ;
  timeout ... ;
}

Conditionally change the action of selected IDS rules.

The rule-rate-filter section is derived from the ids-agent-base-rate-filter section prototype. For a detailed description, see above.

Changes to the rule-rate-filter section:

At least one SID must be entered.

global-rate-filter name {
  track-by ... ;
  count ... ;
  seconds ... ;
  new-action ... ;
  timeout ... ;
}

Conditionally change the action of all IDS rules.

The global-rate-filter section is derived from the ids-agent-base-rate-filter section prototype. For a detailed description, see above.

Changes to the global-rate-filter section:

Item sid is not valid.

rule-threshold name {
* sid ... ;
  type ... ;
  track-by ... ;
  count ... ;
  seconds ... ;
}

Conditionally limit the selected IDS rules.

The rule-threshold section is derived from the ids-agent-base-threshold section prototype. For a detailed description, see above.

Changes to the rule-threshold section:

At least one SID must be entered.

global-threshold name {
  type ... ;
  track-by ... ;
  count ... ;
  seconds ... ;
}

Conditionally limit all IDS rules.

The global-threshold section is derived from the ids-agent-base-threshold section prototype. For a detailed description, see above.

Changes to the global-threshold section:

Item sid is not valid.

rule-suppress name {
* sid ... ;
  direction ... ;
  address ... ;
}

Conditionally suppress selected IDS rules.

A suppressed rule acts the same as a rule with action "pass", which means:

- it doesn't generate an alert,

- it prevents other rules from matching on that packet.

The rule-suppress section is derived from the ids-agent-base-suppress section prototype. For a detailed description, see above.

Changes to the rule-suppress section:

At least one SID must be entered.

Item ADDRESS requires item DIRECTION to be specified.

Item DIRECTION requires at least one item ADDRESS to be specified.

global-suppress name {
  direction ... ;
  address ... ;
}

Conditionally suppress all IDS rules.

A suppressed rule acts the same as a rule with action "pass", which means:

- it does not generate an alert,

- it prevents other rules from matching on that packet.

The global-suppress section is derived from the ids-agent-base-suppress section prototype. For a detailed description, see above.

Changes to the global-suppress section:

Item sid is not valid.

At least one address must be specified.

[End of section ids-agent.rules description.]

blocking {
  direction ... ;
  alerts ... ;
  log ... ;
  block ... ;
}

IDS agent blocking configuration.

IDS agent has two levels of detecting suspicious traffic:

- alerts, which are only mildly suspicious and thus are only logged, and

- blocks, which are severe alerts that are also reported to the IPS module for blocking.

Items & subsections:

direction src;

direction dst;

direction [both];

Which addresses to block when IPS mode is enabled.

<branching element> (type: ids-agent-detection-direction, optional, default: both)

alerts [val];

Whether to consider rules with action ALERT to have action BLOCK.

val (type: yes-no, optional, default: no)

log [val];

Whether to log IDS blocks to /var/log/kernun-ids-agent.

val (type: yes-no, optional, default: yes)

block [val];

Whether to actually block the addresses or just log what would be blocked.

This item makes a difference only when IPS is configured. It can be used to disable the blocking mechanism of IDS-AGENT without having to disable the entire IPS.

val (type: yes-no, optional, default: yes)

[End of section ids-agent.blocking description.]

engine {
  flags ... ;
  cfg-file ... ;
  log-level ... ;
}

IDS agent engine configuration

Items & subsections:

flags flags;

Flags to be passed to the engine upon start.

flags (type: str)

cfg-file file;

The configuration file for the agent.

Default value is "samples/shared/ids-agent.yaml" from the distribution. CML modifies this file according to its purpose, i.e.:

- CML overwrites variable definitions according to ADDRESS-GROUPS and PORT-GROUPS

- CML overwrites the path and generates the content of the threshold file if at least one item GLOBAL-RATE-FILTER, RULE-RATE-FILTER, GLOBAL-THRESHOLD, RULE-THRESHOLD, GLOBAL-SUPPRESS or RULE-SUPPRESS is specified

- CML overwrites the pcap section according to IFACE item

- CML appends the path to the downloaded rules to the rule-files list when item RULES-DOWNLOAD is specified

file (type: name of shared-file, see common(5))

log-level none;

log-level emergency;

log-level alert;

log-level critical;

log-level error;

log-level warning;

log-level [notice];

log-level info;

log-level perf;

log-level config;

log-level debug;

Engine log level.

<branching element> (type: ids-agent-log-level, optional, default: notice)

[End of section ids-agent.engine description.]

rotate-log [user user] [group group] [mode mode] [count count] [size size] [when [zip]];

Log file rotation description.

Use the SIZE element if a log file size criterion is required. Use the WHEN element if periodic rotation is required. If both SIZE and WHEN are used, the log file is rotated at the given time only if the size limit has been reached.

user user (type: str, optional, default: <NULL>)

Log file owner (user).

group group (type: str, optional, default: "wheel")

Log file owner (group).

mode mode (type: uint16, optional, default: 640)

Log file permissions.

count count (type: uint16, optional, default: 31)

Number of days being archived.

size size (type: uint16, optional, default: 0)

Size limit for rotation in KB (the log file size is ignored if omitted).

when (type: time-cond, optional, default: anytime)

Rotation periodicity (the SIZE condition is used if omitted).

zip (type: zip-mode, optional, default: bzip2)

Zipping mode.

Constraints:

Use either the size criterion or a defined periodicity.

[End of section ids-agent description.]

adaptive-firewall {
  ids-agent { ... }
* watchdog name { ... }
  honeypot { ... }
  auto-blocking { ... }
  adaptive-database { ... }
  address-groups { ... }
  port-groups { ... }
  whitelist ... ;
  blacklist ... ;
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
}

Configuration of adaptive IDS/IPS system.

Constraints:

IDS-AGENT requires non-empty ADDRESS-GROUPS.HOME-NET.

Items & subsections:

ids-agent {
  phase ... ;
* tag ... ;
* iface ... ;
  record-lifetime ... ;
  max-entries ... ;
  rules { ... }
  blocking { ... }
  engine { ... }
  rotate-log ... ;
}

The ids-agent section is derived from the ids-agent section prototype. For a detailed description, see above.

watchdog name {
  id ... ;
  file ... ;
* pattern ... ;
* threshold ... ;
  record-lifetime ... ;
  blocking ... ;
  max-entries ... ;
}

The watchdog section is derived from the ids-watchdog section prototype. For a detailed description, see above.

honeypot {
* non-transparent ... ;
  record-lifetime ... ;
  blocking ... ;
  max-entries ... ;
}

A detector that provides a dummy TCP server which listens on an address that is not assigned to a real host.

A client attempting to connect to this server is assumed to be a port scanner.

The honeypot section is derived from the listen-on section prototype. For a detailed description, see listen-on(5).

Changes to the honeypot section:

Item transparent is not valid.

Added items & subsections:

record-lifetime [sec];

Address record lifetime.

Addresses not seen within this period are removed from the IDS database.

sec (type: uint32, optional, default: 86400)

blocking [mode];

Address blocking configuration.

mode (type: yes-no, optional, default: yes)

max-entries [size];

Maximum number of IPS table entries held in PF.

size (type: uint32, optional, default: 200000)

Maximum table size.

[End of section adaptive-firewall.honeypot description.]

auto-blocking {
  record-lifetime ... ;
  save-delay ... ;
  refresh ... ;
  cleanup-time ... ;
}

Autonomous blocking guard parameters.

It blocks addresses added to the blacklist by internal detectors (honeypot, watchdog etc.).

Items & subsections:

record-lifetime [sec];

Blacklist record lifetime.

Addresses not seen within this period are removed from the database.

sec (type: uint32, optional, default: 86400)

save-delay [sec];

SQL transaction maximum duration.

sec (type: uint32, optional, default: 1)

refresh daily [time time] [report report];

refresh hourly [minute minute] [report report];

refresh [every] [period period] [at at] [report report];

refresh raw raw raw [report report];

refresh manually;

Schedule refresh of internal blocking rules.

<branching element> (type: task-frequency, optional, default: every)

raw raw (type: str)

Raw line to be placed into crontab. The first 5 columns (the time specification) must be specified.

minute minute (type: time, optional, default: 0)

Starting time of task (mm, hour ignored).

time time (type: time, optional, default: 415)

Starting time of task (hhmm).

period period (type: uint8, optional, default: 1)

Run the task every PERIOD minutes (mm, hours ignored).

at at (type: uint8, optional, default: 0)

Starting time of task (mm, hours ignored).

report report (type: report-mode, optional, default: nothing=0)

Task output (stdout and stderr) delivery.

cleanup-time [hhmm];

Time of day when the database cleanup is done.

At the time given in this item, records for addresses not seen within the particular RECORD-LIFETIME period are removed.

hhmm (type: time, optional, default: 303)

[End of section adaptive-firewall.auto-blocking description.]

adaptive-database {
  policy ... ;
  max-entries ... ;
}

Kernun Adaptive Database application.

Items & subsections:

policy [from from];

Address blocking policy.

The higher the policy is, the more IP addresses are blocked.

from from (type: policy-level, optional, default: high)

max-entries [size];

Maximum number of Adaptive Database table entries held in PF.

size (type: uint32, optional, default: 100000)

Maximum table size.

[End of section adaptive-firewall.adaptive-database description.]

address-groups {
  home-net ... ;
  external-net ... ;
  http-servers ... ;
  sql-servers ... ;
  smtp-servers ... ;
  dns-servers ... ;
}

Address variables.

Defining these variables according to your network will increase the accuracy of the Adaptive Firewall.

Items & subsections:

home-net [home-net];

Set of addresses in your network that are to be protected by the Adaptive Firewall.

These addresses are by default added to the whitelist and thus cannot end up on the blacklist.

Note that when running the IDS agent on an external interface (or any interface with NAT), it is necessary to include the external address in this set, because otherwise the traffic will not be matched by most rules.

About 75 % of IDS rules use this variable.

home-net (type: net-list, optional, default: {})

external-net external-net;

Set of addresses that are not in your network.

Defaults to negation of HOME-NET when unspecified.

About 85 % of IDS rules use this variable.

external-net (type: net-list)

http-servers http-servers;

Set of DNS servers used in your network.

Defaults to HOME-NET when unspecified.

About 25 % of IDS rules use this variable.

http-servers (type: net-list)

sql-servers sql-servers;

Set of SQL servers used in your network.

Defaults to HOME-NET when unspecified.

About 2 % of IDS rules use this variable.

sql-servers (type: net-list)

smtp-servers smtp-servers;

Set of SMTP servers used in your network.

Defaults to HOME-NET when unspecified.

About 1 % of IDS rules use this variable.

smtp-servers (type: net-list)

dns-servers dns-servers;

Set of DNS servers used in your network.

Defaults to HOME-NET when unspecified.

Less than 1 % of IDS rules use this variable.

dns-servers (type: net-list)

[End of section adaptive-firewall.address-groups description.]

port-groups {
  http-ports ... ;
  oracle-ports ... ;
  shellcode-ports ... ;
  ssh-ports ... ;
}

Port variables.

Defining these variables according to your network will increase the accuracy of the Adaptive Firewall.

Items & subsections:

http-ports http-ports;

Set of HTTP ports used in your network.

Defaults to { 80, 8080 } when unspecified.

About 25 % of IDS rules use this variable.

http-ports (type: port-set)

oracle-ports oracle-ports;

Set of SSH ports used in your network.

Defaults to { 1521 } when unspecified.

About 1 % of IDS rules use this variable.

oracle-ports (type: port-set)

shellcode-ports shellcode-ports;

Set of SSH ports used in your network.

Defaults to ! { 80 } when unspecified.

Less than 1 % of IDS rules use this variable.

shellcode-ports (type: port-set)

ssh-ports ssh-ports;

Set of SSH ports used in your network.

Defaults to { 22 } when unspecified.

Less than 1 % of IDS rules use this variable.

ssh-ports (type: port-set)

[End of section adaptive-firewall.port-groups description.]

whitelist [no-home-net] [no-servers] [list];

Whitelisted addresses.

These addresses are never blocked by IPS, but their traffic can still be blocked when the other side of the communication gets blocked by IPS.

The addresses can be detected by some IDS detectors, but most will not even report them.

no-home-net (type: key, optional)

Whether to put addresses from ADDRESS-GROUPS.HOME-NET on the whitelist. It can be useful to disable this if you want to allow IPS to potentially block some addresses in your network.

no-servers (type: key, optional)

Whether to put addresses from the following items on the whitelist:

- ADDRESS-GROUPS.DNS-SERVERS

- ADDRESS-GROUPS.HTTP-SERVERS

- ADDRESS-GROUPS.SMTP-SERVERS

- ADDRESS-GROUPS.SQL-SERVERS

It can be useful to disable this if you want these addresses to be temporarily blockable when someone is spoofing them.

list (type: host-set, optional, default: {})

blacklist [list];

Blacklisted addresses.

These addresses are always blocked by IPS.

list (type: net-list, optional, default: {})
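How the WHITELIST and BLACKLIST items above combine with the IDS-AGENT.BLOCKING section (DIRECTION, ALERTS, BLOCK, LOG) to decide which addresses of an IDS event the IPS blocks, as an added Python model on a constructed network layout. This is illustrative code written for this page, not Kernun's; the page does not say which list wins for an address on both, so this model gives the whitelist precedence (an assumption).

```python
import ipaddress

def _nets(items):
    """Parse address or prefix strings into network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in items]

def _contains(nets, addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)

def build_whitelist(home_net, server_groups, no_home_net=False,
                    no_servers=False, extra=()):
    """Whitelist per the WHITELIST item: HOME-NET unless NO-HOME-NET is given,
    the DNS/HTTP/SMTP/SQL-SERVERS groups unless NO-SERVERS is given, plus LIST.
    A server group passed as None is unspecified and so defaults to HOME-NET."""
    nets = _nets(extra)
    if not no_home_net:
        nets += _nets(home_net)
    if not no_servers:
        for grp in server_groups:
            nets += _nets(home_net if grp is None else grp)
    return nets

class IpsPolicy:
    """IDS-AGENT.BLOCKING combined with the WHITELIST and BLACKLIST items.
    Assumption (not stated on the page): an address on both lists counts as
    whitelisted."""

    def __init__(self, whitelist, blacklist, direction="both",
                 alerts=False, block=True, log=True):
        self.whitelist, self.blacklist = whitelist, _nets(blacklist)
        self.direction, self.alerts = direction, alerts
        self.block, self.log = block, log

    def statically_blocked(self, addr):
        """BLACKLIST addresses are always blocked, WHITELIST ones never."""
        return (_contains(self.blacklist, addr)
                and not _contains(self.whitelist, addr))

    def handle_event(self, action, src, dst):
        """Return (blocked, logged) for one IDS event: the addresses the IPS
        blocks and the addresses written to the block log."""
        if action == "alert" and self.alerts:      # ALERTS yes: alert acts as block
            action = "block"
        if action != "block":
            return [], []
        candidates = {"src": [src], "dst": [dst], "both": [src, dst]}[self.direction]
        targets = [a for a in candidates if not _contains(self.whitelist, a)]
        blocked = targets if self.block else []    # BLOCK no: only log them
        logged = targets if self.log else []
        return blocked, logged

# Constructed network layout: a home network, one DNS server, the other
# server groups left unspecified (so they default to HOME-NET).
HOME_NET = ["192.0.2.0/24"]
SERVER_GROUPS = [["192.0.2.53"], None, None, None]   # dns, http, smtp, sql

def demo(alerts=False, block=True):
    """Evaluate three constructed events under the given BLOCKING settings."""
    wl = build_whitelist(HOME_NET, SERVER_GROUPS, extra=["198.51.100.1"])
    pol = IpsPolicy(wl, ["203.0.113.0/24"], alerts=alerts, block=block)
    return [pol.handle_event(*ev) for ev in [
        ("block", "203.0.113.9", "192.0.2.10"),    # scanner hits a home host
        ("alert", "198.51.100.77", "192.0.2.53"),  # alert-only rule
        ("block", "198.51.100.1", "192.0.2.10"),   # whitelisted source
    ]]
```

With the defaults only the external scanner is blocked (the home host on the other side of the flow is whitelisted); setting ALERTS yes also blocks the source of the alert-only event, and BLOCK no turns every block into a log entry.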

stats-daily {
  top-clients ... ;
  top-servers ... ;
  top-src-ips ... ;
  top-dst-ips ... ;
  top-rules ... ;
}

The stats-daily section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-daily section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

stats-weekly {
  top-clients ... ;
  top-servers ... ;
  top-src-ips ... ;
  top-dst-ips ... ;
  top-rules ... ;
}

The stats-weekly section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-weekly section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

stats-monthly {
  top-clients ... ;
  top-servers ... ;
  top-src-ips ... ;
  top-dst-ips ... ;
  top-rules ... ;
}

The stats-monthly section is derived from the summary section prototype. For a detailed description, see application(5).

Changes to the stats-monthly section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

[End of section adaptive-firewall description.]

SEE ALSO

configuration(7), application(5), common(5), interface(5), listen-on(5)