
display ips-signature

Function

The display ips-signature command displays information about an IPS signature.

Format

display ips-signature ips-signature-id

display ips-signature [ { pre-defined | user-defined } [ associated ] ] [ application { application-name | all } | category { category-name | all } | os { all | android | ios | unix-like | windows | other } * | protocol { protocol-name | all } | severity { information | low | medium | high } * | state { disabled | enabled | retired } | target { server | client | both } ] *

Parameters

Parameter Description Value

ips-signature-id

Specifies the ID of an IPS signature.

The value is an integer ranging from 1 to 16777215.

The value must be the ID of an existing IPS signature.

pre-defined

Displays information about a predefined signature.

-

user-defined

Displays information about a user-defined signature.

-

associated

Displays information about an associated signature.

-

application { application-name | all }

Specifies an application name.

  • application-name: displays information about signatures in application application-name.

  • all: displays information about signatures in all applications.

category { category-name | all }

Displays signatures by category.

  • category-name: displays information about signatures in category category-name.

  • all: displays information about signatures in all categories.

os { all | android | ios | unix-like | windows | other } *

Displays signatures by operating system.

  • all: displays information about all signatures.

  • android: displays information about signatures for the Android operating system.

  • ios: displays information about signatures for the iOS operating system.

  • unix-like: displays information about signatures for UNIX-like operating systems.

  • windows: displays information about signatures for the Windows operating system.

  • other: displays information about signatures for other operating systems.

protocol { protocol-name | all }

Displays signatures by protocol.

  • protocol-name: displays information about signatures of protocol protocol-name.
  • all: displays information about signatures of all protocols.

severity { information | low | medium | high }*

Displays signatures by severity.

  • information: displays information about signatures with informational severity.

  • low: displays information about signatures with low severity.

  • medium: displays information about signatures with medium severity.

  • high: displays information about signatures with high severity.

state { disabled | enabled | retired }

Indicates the state of a predefined signature.

  • disabled: The predefined signature is disabled.

  • enabled: The predefined signature is enabled.

  • retired: The predefined signature is deprecated.

target { server | client | both }

Displays signatures by target.

  • server: displays information about signatures for detecting intrusions into a server.

  • client: displays information about signatures for detecting intrusions into a client.

  • both: displays information about signatures for detecting intrusions into both a client and a server.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display ips-signature pre-defined associated command displays information about predefined associated signatures and user-defined associated signatures.

If the IPS signature file is not loaded, predefined signatures are not displayed, the protocol cannot be specified, and the category must be set to all. You can upgrade services to load the IPS signature file.

Example

# Display all predefined signatures.

<sysname> display ips-signature pre-defined
 ----------------------------------------------------------------------------   
 *                          Pre-defined Signature                           *   
 *                             (Counts: 5538)                               *   
 ----------------------------------------------------------------------------   
 Sig-ID   Protocol   Target  Severity OS        Category         Event Counts   
 ----------------------------------------------------------------------------   
 1030     HTTP       server  high     windows   Overflow                    0   
 1040     HTTP       client  high     windows   Overflow                    0   
 1050     TCP        server  high     all       Dos                         0   
 1060     HTTP       server  high     windows   Overflow                    0   
 1080     TCP        server  high     windows   Overflow                    0   
 1090     UDP        server  high     all       Code-execution              0   
 1100     MSRPC      server  high     windows   Overflow                    0   
 1102     MSRPC      server  high     windows   Overflow                    0   
 1110     TCP        both    high     all       Code-execution              0   
 1120     TCP        server  high     all       Overflow                    0   
 1140     IMAP4      server  high     unix-like Code-execution              0   
 1150     MSRPC      server  high     windows   Overflow                    0   
 1160     MSRPC      server  medium   windows   Dos                         0   
 1170     MSRPC      server  medium   windows   Dos                         0   
 1189     TCP        server  medium   windows   Dos                         0   
 1200     SUNRPC     server  high     unix-like Overflow                    0   
 1220     HTTP       client  high     windows   Overflow                    0   
 1230     SUNRPC     server  high     all       Overflow                    0   
  ---- More ----                                                                

# Display all user-defined signatures.

<sysname> display ips-signature user-defined
 ----------------------------------------------------------------------------   
 *                         User-defined Signature                           *   
 *                              (Counts:   1)                               *   
 ----------------------------------------------------------------------------   
 Sig-ID   Protocol   Target  Severity OS        Category         Event Counts   
 ----------------------------------------------------------------------------   
 1        TCP        both    high     N/A       User-defined                0   

Table 1 Description of the display ips-signature pre-defined and display ips-signature user-defined command output

| Item | Description |
| --- | --- |
| Counts | Number of signatures |
| Sig-ID | Signature ID |
| Protocol | Protocol of packets matching the signature |
| Target | Detection target of the signature |
| Severity | Severity of intrusions matching the signature |
| OS | Operating system attacked by intrusions matching the signature |
| Category | Signature category |
| Event Counts | Match count of a signature |

NOTE:

The FW does not clear the match count of a modified or deleted user-defined signature. When you create a user-defined signature with the same ID as a deleted signature, the match count continues from the match count of the deleted signature. For example, the match count of user-defined signature 12 is 10, and the signature is deleted using the undo ips signature-id 12 command. If you then use the ips signature-id 12 command to create a user-defined signature with the same ID 12, the match count of the new user-defined signature 12 is 10.

To clear the match count of a user-defined or predefined signature, run the reset ips-signature statistics command.
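
An added example, not part of the Huawei documentation: a Python parser for the table layout shown above that checks whether a captured listing is complete (Counts header versus parsed rows, and the ---- More ---- pager prompt) and lists the signatures with a nonzero Event Counts value. The sample text, its event counts and the field names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of "display ips-signature pre-defined";
# the nonzero event counts are invented for the example.
SAMPLE = """\
 ----------------------------------------------------------------------------
 *                          Pre-defined Signature                           *
 *                             (Counts: 5538)                               *
 ----------------------------------------------------------------------------
 Sig-ID   Protocol   Target  Severity OS        Category         Event Counts
 ----------------------------------------------------------------------------
 1030     HTTP       server  high     windows   Overflow                    0
 1050     TCP        server  high     all       Dos                        12
 1140     IMAP4      server  high     unix-like Code-execution              0
 1160     MSRPC      server  medium   windows   Dos                         3
  ---- More ----
"""

# One data row: seven whitespace-separated fields (assumes no spaces inside a field).
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(server|client|both)\s+"
                 r"(information|low|medium|high)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
COUNTS = re.compile(r"\(Counts:\s*(\d+)\)")
FIELDS = ("sig_id", "protocol", "target", "severity", "os", "category", "events")

def parse_signature_table(text):
    """Return (declared_count, rows, paged) for one table of CLI output."""
    declared, rows, paged = None, [], False
    for line in text.splitlines():
        if (m := COUNTS.search(line)):
            declared = int(m.group(1))
        elif "---- More ----" in line:
            paged = True  # pager prompt: the capture stops before the end
        elif (m := ROW.match(line)):
            row = dict(zip(FIELDS, m.groups()))
            row["sig_id"], row["events"] = int(row["sig_id"]), int(row["events"])
            rows.append(row)
    return declared, rows, paged

def summarize(text):
    """Completeness flag, rows per severity, and IDs of signatures that matched."""
    declared, rows, paged = parse_signature_table(text)
    return {
        "complete": declared == len(rows) and not paged,
        "by_severity": dict(Counter(r["severity"] for r in rows)),
        "matched": [r["sig_id"] for r in rows if r["events"] > 0],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because match counts persist until reset ips-signature statistics is run, a nonzero count on a re-created user-defined signature may have been accumulated by the deleted signature with the same ID.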

# Display the signature with ID 16042.

<sysname> display ips-signature 16042
 -------------------------------------------------------------------------------                                                    
   SignatureID                         : 16042                                                                                      
   Name                                : VideoLAN VLC ActiveX Control Crafted Parameter Memory Corruption                           
   Protocol                            : TCP                                                                                       
   Target                              : client                                                                                     
   Severity                            : medium                                                                                     
   OS                                  : all                                                                                        
   Category                            : Overflow                                                                                   
   Action                              : alert
   Threshold                           : 1
   Interval                            : 2
   Block-time                          : 1
   Correlateby                         : session   
   EventCounts                         : 0                                                                                          
   AttackEvidenceCollectionCounts      : 0(slot 0 cpu 0)                                                                            
   Reference                           : CVE:CVE-2007-6262                                                                          
   State                               : enabled                                                                                    
   Description                         : CVE-2007-6262 : A certain ActiveX control in axvlc.dll in VideoLAN VLC 0.8.6 before 0.8.6d 
allows remote attackers to execute arbitrary code via crafted arguments to the (1) addTarget, (2) getVariable, or (3) setVariable fu
nction, resulting from a "bad initialized pointer," aka a "recursive plugin release vulnerability."                                 
 -------------------------------------------------------------------------------

Table 2 Description of the display ips-signature ips-signature-id command output

| Item | Description |
| --- | --- |
| SignatureID | Signature ID |
| Name | Signature name |
| Protocol | Protocol of packets matching the signature |
| Target | Detection target of the signature |
| Severity | Severity of intrusions matching the signature |
| OS | Operating system attacked by the intrusions matching the signature |
| Category | Signature category |
| Action | Signature action |
| Threshold | Threshold for signature association times |
| Interval | Measurement period |
| Block-time | Time when the IP address is blacklisted |
| Correlateby | Association mode |
| EventCounts | Match count of a signature. NOTE: To clear the match count of a signature, run the reset ips-signature statistics command. |
| AttackEvidenceCollectionCounts | Number of attack evidence collection sessions obtained by evidence collection based on IPS user-defined signatures |
| Reference | Reference information of a signature. CVE: indicates the Common Vulnerabilities and Exposures (CVE) ID of a signature. You can query the CVE ID on the https://cve.mitre.org/ website and obtain detailed information based on the CVE ID. BID: indicates the Bugtraq ID (BID) of a signature. You can query the BID on the https://www.securityfocus.com/bid website and obtain detailed information based on the BID. CNNVD: indicates the China National Vulnerability Database of Information Security (CNNVD) ID of a signature. You can query the CNNVD ID on the http://www.cnnvd.org.cn/ website and obtain detailed information based on the CNNVD ID. |
| State | Signature state |
| Application | Application to which a signature applies |
| Description | Description of a signature |

Copyright © Huawei Technologies Co., Ltd.