Signature Detect - HP FlexNetwork MSR Series Command Reference Manual

Comware 7 security

Examples
# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in the attack
defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000
Related commands

signature detect

signature detect
Use signature detect to enable signature detection for single-packet attacks and specify the
prevention actions.
Use undo signature detect to disable signature detection for single-packet attacks.
Syntax
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf |
snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment |
traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 |
smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin |
tiny-fragment | traceroute | udp-bomb | winnuke }
signature detect { ip-option-abnormal | ping-of-death | teardrop } action [ logging ] drop
undo signature detect { ip-option-abnormal | ping-of-death | teardrop }
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request |
destination-unreachable | echo-reply | echo-request | information-reply | information-request
| parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply |
timestamp-request } [ action { { drop | logging } * | none } ]
undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request |
destination-unreachable | echo-reply | echo-request | information-reply | information-request |
parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply |
timestamp-request }
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply |
echo-request | group-query | group-reduction | group-report | packet-too-big |
parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply
| echo-request | group-query | group-reduction | group-report | packet-too-big |
parameter-problem | time-exceeded }
signature detect ip-option { option-code | internet-timestamp | loose-source-routing |
record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop |
logging } * | none } ]
undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing |
record-route | route-alert | security | stream-id | strict-source-routing }
signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header next-header-value
Default
Signature detection is disabled for all single-packet attacks.
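Because every signature is disabled by default, a saved configuration can be checked for signatures that were never enabled or that are enabled without drop. The script below is an added example, not part of the HP manual: it assumes the configuration listing shows the policy line at column 0 with its commands indented beneath it, and the sample text is constructed. This page does not state what the device does when the action is omitted, so the script only reports that no drop is configured explicitly.

```python
import re

# Keywords copied from the syntax on this page.
SIMPLE = set("""fraggle fragment impossible land large-icmp large-icmpv6 smurf snork
tcp-all-flags tcp-fin-only tcp-invalid-flags tcp-null-flag tcp-syn-fin tiny-fragment
traceroute udp-bomb winnuke ip-option-abnormal ping-of-death teardrop""".split())
TYPED = {"icmp-type", "icmpv6-type", "ip-option", "ipv6-ext-header"}  # take a sub-argument

def parse_policies(text):
    """Return {policy_name: {signature: set_of_actions}}."""
    policies, current = {}, None
    for line in text.splitlines():
        if line.startswith("attack-defense policy "):
            current = policies.setdefault(line.split()[2], {})
        elif line and not line.startswith(" "):
            current = None                      # any other top-level line ends the policy
        elif current is not None:
            m = re.match(r"\s+signature detect (.+)", line)
            if m:
                words = m.group(1).split()
                n = 2 if words[0] in TYPED else 1   # e.g. "icmp-type redirect"
                current[" ".join(words[:n])] = set(words[n:]) - {"action"}
    return policies

def audit(policies):
    """Return sorted (policy, signature, finding) tuples."""
    out = []
    for name, sigs in policies.items():
        out += [(name, s, "not enabled") for s in SIMPLE - set(sigs)]
        out += [(name, s, "no drop action") for s, a in sigs.items() if "drop" not in a]
    return sorted(out)

# Constructed sample; the indentation layout is an assumption.
SAMPLE = """\
attack-defense policy atk-policy-1
 signature large-icmp max-length 50000
 signature detect large-icmp action drop logging
 signature detect smurf action logging
 signature detect land action none
 signature detect teardrop action logging drop
 signature detect icmp-type redirect action drop
 signature detect fraggle
#
"""

if __name__ == "__main__":
    for row in audit(parse_policies(SAMPLE)):
        print(*row, sep="\t")
```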