The condition associated command sets a check item for a user-defined associated signature.
The undo condition associated command cancels the settings of the check item for a user-defined associated signature.
condition associated signature-id signature-id [ threshold threshold-value | interval interval-value | block-time block-time | correlateby { source | destination | source-destination } ] *
undo condition associated
| Parameter | Description | Value |
|---|---|---|
| signature-id signature-id | Specifies an associated signature ID. The value can be the ID of a user-defined or predefined signature, but cannot be the ID of a user-defined or predefined associated signature. The associated signature and user-defined associated signature must use the same protocol and object information. | The value is an integer ranging from 1 to 16777215. |
| threshold threshold-value | Specifies the threshold for the number of times the associated signature is detected. | The value is an integer ranging from 1 to 500. The default value is 30. |
| interval interval-value | Specifies the measurement period. If the number of times the associated signature is detected exceeds threshold-value within this period, the user-defined associated signature is matched. | The value is an integer ranging from 1 to 7200. The default value is 60. |
| block-time block-time | Specifies how long the IP address is blacklisted if the action for the signature is block. | The value is an integer ranging from 1 to 1000, in minutes. The default value is 5. |
| correlateby | Indicates the association mode. | The default mode is source-destination. |
| source | Counts the times the associated signature is matched based on source IP addresses. | - |
| destination | Counts the times the associated signature is matched based on destination IP addresses. | - |
| source-destination | Counts the times the associated signature is matched based on a pair of source and destination IP addresses. | - |
Only one rule can be configured for a user-defined associated signature. Only one check item can be configured in the rule.
If a user-defined signature is configured as an associated signature, you must remove the association relationship of the signature before deleting the user-defined signature. Only enabled predefined signatures can be configured as associated signatures.
During an IPS signature database update, if the associated signature configured for correlation detection does not exist in the new IPS signature database, the corresponding configuration is retained but does not take effect. When the current configuration is queried, the following message is displayed: Invalid configuration. The specified signature (signature-id) does not exist in the current library. Please check and delete it.
# Configure a check item for a user-defined associated signature.
```
<sysname> system-view
[sysname] ips signature-id 1
[sysname-ips-signature-1] rule name rule1
[sysname-ips-signature-1-rule-rule1] condition associated signature-id 1000 threshold 20 interval 23 block-time 30 correlateby source-destination
```
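
The following Python model is an added example, not device or vendor code; it shows how threshold, interval and correlateby together decide whether the user-defined associated signature matches, using threshold 20 and interval 23 from the configuration above. It assumes a sliding measurement window, event times in the same unit as interval, and a counter that restarts after a match; the page specifies none of these, and the function names and sample addresses are constructed.

```python
from collections import defaultdict, deque

# Counting key for each correlateby mode in the parameter table.
KEY_FUNCS = {
    "source": lambda src, dst: (src,),
    "destination": lambda src, dst: (dst,),
    "source-destination": lambda src, dst: (src, dst),
}

def correlate(events, threshold=30, interval=60, correlateby="source-destination"):
    """Return [(time, key)] for each match of the user-defined associated signature.

    events: (time, src_ip, dst_ip) detections of the associated signature,
    sorted by time. Assumed (not stated on the page): sliding window,
    times in the unit of `interval`, counter restarts after a match.
    """
    key_of = KEY_FUNCS[correlateby]
    windows = defaultdict(deque)
    matches = []
    for t, src, dst in events:
        key = key_of(src, dst)
        win = windows[key]
        win.append(t)
        # Drop detections that fell out of the measurement period.
        while win and t - win[0] >= interval:
            win.popleft()
        # The count has to exceed the threshold, not merely reach it.
        if len(win) > threshold:
            matches.append((t, key))
            win.clear()
    return matches

def sample_events():
    """Constructed data: one source, three destinations, one detection per time unit."""
    dsts = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    return [(t, "192.0.2.5", dsts[t % 3]) for t in range(24)]

if __name__ == "__main__":
    for mode in KEY_FUNCS:
        hits = correlate(sample_events(), threshold=20, interval=23, correlateby=mode)
        print(f"{mode:20s} -> {hits}")
```

With the constructed sample, only correlateby source produces a match: the source spreads its detections over three destinations, so no destination or source-destination pair exceeds 20 within the period.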