The ips collect-attack-evidence max-session-number command sets the maximum number of attack evidence collection sessions for each IPS signature on each CPU.
The undo ips collect-attack-evidence max-session-number command restores the default maximum number of attack evidence collection sessions for each IPS signature on each CPU.
ips collect-attack-evidence max-session-number session-number [ signature-id signature-id ]
undo ips collect-attack-evidence max-session-number [ signature-id signature-id ]
| Parameter | Description | Value |
|---|---|---|
session-number |
Specifies the maximum number of attack evidence collection sessions. |
The value is an integer ranging from 0 to 50. The default value is 5. The value 0 means no limit. |
signature-id signature-id |
Specifies the ID of an IPS signature. |
The value is an integer ranging from 1025 to 16777215. |
After the collect-attack-evidence enable command is executed, the device starts to collect attack evidences that match the intrusion prevention profile. You can set the maximum number of sessions in which the device collects attack evidences that match the intrusion prevention profile for each IPS signature on each CPU to collect necessary information for packet tracing, with the impact on system performance controlled to the minimum extent. When the device provides multiple CPUs, the maximum number of attack evidence collection sessions for each IPS signature is the value of session-number multiplying the number of CPUs.
This command can be executed in the public system. Do not run this command in virtual systems.
The device collects all packets in a matched session. This command specifies the maximum number of matched sessions, not the number of matched packets.
If signature-id signature-id is not specified, the ips collect-attack-evidence max-session-number session-number command specifies the maximum number of attack evidence collection sessions for all IPS signatures, including the ones in both the public and virtual systems.
If signature-id signature-id is specified, the ips collect-attack-evidence max-session-number session-number signature-id signature-id command specifies the maximum number of attack evidence collection sessions for the specified pre-defined signature. The total number of attack evidence collection sessions that match the specified pre-defined signature in all virtual systems cannot exceed the specified maximum number of attack evidence collection sessions.
During the IPS signature database update, if the predefined signature for which the maximum number of attack evidence collection sessions is set does not exist in the IPS signature database, the corresponding configurations are reserved but do not take effect. When the current configurations are queried, the following message is displayed: Invalid configuration. The specified signature (signature-id) does not exist in the current library. Please check and delete it.