Signature Detect - H3C MSR Series Command Reference Manual
Comware 7 security
Hide thumbs
Also See for MSR Series:
- Command reference manual (174 pages) ,
- Configuration manual (80 pages) ,
- Manual (33 pages)
Table of Contents
Advertisement
Parameters
large-icmp: Specifies large ICMP packet attack signature.
large-icmpv6: Specifies large ICMPv6 packet attack signature.
length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for
ICMP packet is 28 to 65534. The value range for ICMPv6 packet is 48 to 65534.
Examples
# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in the attack
defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000
Related commands
signature detect
signature detect
Use signature detect to enable signature detection for single-packet attacks and specify the
prevention actions.
Use undo signature detect to disable signature detection for single-packet attacks.
Syntax
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf |
snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment |
traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 |
smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin |
tiny-fragment | traceroute | udp-bomb | winnuke }
signature detect { ip-option-abnormal | ping-of-death | teardrop } action [ logging ] drop
undo signature detect { ip-option-abnormal | ping-of-death | teardrop }
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request |
destination-unreachable | echo-reply | echo-request | information-reply | information-request
| parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply |
timestamp-request } [ action { { drop | logging } * | none } ]
undo
signature
address-mask-request
information-reply | information-request | parameter-problem | redirect | source-quench |
time-exceeded | timestamp-reply | timestamp-request }
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply |
echo-request
parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply
| echo-request | group-query | group-reduction | group-report | packet-too-big |
parameter-problem | time-exceeded }
signature detect ip-option { option-code | internet-timestamp | loose-source-routing |
record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop |
logging } * | none } ]
undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing |
record-route | route-alert | security | stream-id | strict-source-routing }
detect
icmp-type
|
destination-unreachable
|
group-query
|
group-reduction
{
icmp-type-value
|
echo-reply
|
group-report
1076
|
address-mask-reply
|
echo-request
|
packet-too-big
|
|
|
Advertisement
Table of Contents
