Watchguard Firebox X1000 User Manual page 218

Chapter 11: Intrusion Detection and Prevention
Return value
The return value of fbidsmate is zero if the command exe-
cuted successfully; otherwise it is non-zero. This value
should be checked upon return if calling fbidsmate from a
shell script or through some other interface.
Examples
In the following examples, the IP address of the Firebox is
10.0.0.1 with a configuration passphrase of "secure1".
Example 1
Example 2
Example 3
196
The IDS detects a port scan from 209.54.94.99 and
asks the Firebox to block that site:
fbidsmate 10.0.0.1 secure1 add_hostile
209.54.94.99
The 209.54.94.99 site appears on the auto-blocked
sites list and remains there for the duration set in
Policy Manager. In addition, the following message
appears in the log file:
Temporarily blocking host 209.54.94.99
The IDS adds a message to the Firebox's log
stream:
fbidsmate 10.0.0.1 secure1 add_log_message 3
"IDS system temp. blocked 209.54.94.99"
With the IDS running on host 10.0.0.2, the
following message appears in the Firebox log file:
msg from 10.0.0.2: IDS system temp. blocked
209.54.94.99
Because you are running your IDS application
outside the firewall perimeter, you decide to
encrypt the configuration passphrase used in your
IDS scripts. Note that even with encryption, you
should lock down the IDS host as tightly as
WatchGuard Firebox System