Intrusion Prevention

  • 1.  DSCP Action matching "default" traffic

    Posted 05-19-2009 20:11

    Hi there,


    I've got an issue regarding traffic matching.  I have an IDP with some simple rules configured:


    ANY to ANY - Terminate - Look for: VoIP Attacks - Action: DSCP 10

    ANY to ANY - Terminate - Look for: HTTP Attacks - Action: DSCP 12

    ANY to ANY - No Terminate - Look for: None - Action DSCP 1


    I want to be able to mark all traffic that isn't VoIP or HTTP to be DSCP 1.  My logs show traffic being matched by rule 3, with action DSCP 1, but the traffic is unmarked.  VoIP and HTTP traffic however are being marked.


    I suspect this has something to do with the "Look for: None" not triggering any action if no attacks are found.  Is there another way of getting the IDP to mark DSCP on all traffic that isn't matched by a specific policy?



  • 2.  RE: DSCP Action matching "default" traffic
    Best Answer

    Posted 05-20-2009 01:56

    Hi,

    try this:

    view -> show expanded mode


    you'll see in the IDP policy a new column "service".

    You should have "default" in there... change it to "any" and try to see if this marks the packets.


    "default" means that the rule will trigger for the services defined by the attacks, but in your case there are no attacks in the rule.


    Let me know!


    Ciao 🙂

    Daniele
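The original poster's symptom was that the IDP log claimed "DSCP 1" while the packets on the wire were unmarked, so the useful check after changing the service column to "any" is to read the DSCP bits out of captured IPv4 headers and compare them with the values the three rules are supposed to set (10 for VoIP, 12 for HTTP, 1 for everything else). The following is an added example, not code from the thread or from Juniper; the packet headers it uses are constructed inline, and the class labels are hypothetical.

```python
import struct

# DSCP values configured in the thread's three IDP rules (VoIP, HTTP, default).
EXPECTED_DSCP = {"voip": 10, "http": 12, "other": 1}


def dscp_from_ipv4_header(header: bytes) -> int:
    """Return the 6-bit DSCP from the ToS byte (byte 1) of an IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    # Upper 6 bits of the ToS byte are DSCP; the lower 2 bits are ECN.
    return header[1] >> 2


def ecn_from_ipv4_header(header: bytes) -> int:
    """Return the 2-bit ECN field that shares the ToS byte with DSCP."""
    return header[1] & 0x03


def build_ipv4_header(dscp: int, ecn: int = 0,
                      src: bytes = b"\x0a\x00\x00\x01",
                      dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Construct a minimal 20-byte IPv4 header carrying the given DSCP (sample data only;
    header checksum is left at zero because nothing here validates it)."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    # version/IHL, ToS, total length, id, flags/fragment, TTL, protocol (TCP), checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0x4000, 64, 6, 0, src, dst)


def check_marking(packets):
    """For (class_label, ipv4_header) pairs, return {label: (observed, expected, ok)}.

    A packet whose class should have been marked but shows DSCP 0 is exactly the
    'logged as DSCP 1, unmarked on the wire' case from the thread.
    """
    report = {}
    for label, header in packets:
        observed = dscp_from_ipv4_header(header)
        expected = EXPECTED_DSCP[label]
        report[label] = (observed, expected, observed == expected)
    return report


if __name__ == "__main__":
    # Constructed samples: VoIP and HTTP marked correctly, the catch-all rule not marking.
    sample = [("voip", build_ipv4_header(10)),
              ("http", build_ipv4_header(12)),
              ("other", build_ipv4_header(0))]
    for label, (obs, exp, ok) in check_marking(sample).items():
        print(f"{label:5s} observed DSCP {obs:2d} expected {exp:2d} {'OK' if ok else 'UNMARKED/WRONG'}")
```

On a real capture, feed the first 20 bytes of each IP packet (after the link-layer header) to `dscp_from_ipv4_header` instead of the constructed samples.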