Sunday, May 14, 2017

EXOS - CLEAR-Flow example

This article offers detailed information about the ExtremeXOS implementation of CLEAR-Flow: an overview, how to configure CLEAR-Flow and add CLEAR-Flow rules to ACL policies, and worked examples with the resulting log output.


CLEAR-Flow Overview
CLEAR-Flow is a broad framework for implementing security, monitoring, and anomaly detection in ExtremeXOS software. Instead of simply looking at the source and destination of traffic, CLEAR-Flow allows you to specify certain types of traffic that require more attention. After certain criteria for this traffic are met, the switch can either take an immediate, predetermined action, or send a copy of the traffic off-switch for analysis.


CLEAR-Flow is an extension to Access Control Lists (ACLs). You create ACL policy rules to count packets of interest. CLEAR-Flow rules are added to the policy to monitor these ACL counter statistics. The CLEAR-Flow agent monitors the counters for the situations of interest to you and your network. You can monitor the cumulative value of a counter, the change to a counter over a sampling interval, the ratio of two counters, or even the ratio of the changes of two counters over an interval. For example, you can monitor the ratio between TCP SYN and TCP packets. An abnormally large ratio may indicate a SYN attack.


If the rule conditions are met, the CLEAR-Flow actions configured in the rule are executed. The switch can respond by modifying an ACL to block, prioritize, or mirror the traffic, by executing a set of CLI commands, or by sending a report as an SNMP trap or EMS log message.


Configuring CLEAR-Flow
CLEAR-Flow is an extension to ACLs, so you must be familiar with configuring ACLs before you add CLEAR-Flow rules to your ACL policies. Creating ACLs is described in detail in the ACLs chapter of the ExtremeXOS user guide, which covers how to create ACL policies, the syntax of an ACL policy file, and how to apply ACL policies to the switch.


The rest of this article covers the CLEAR-Flow rules that you add to ACL policies, including their syntax and behavior.


After creating the ACL policy that contains the CLEAR-Flow rules, and after applying the policy to the appropriate interface, enable CLEAR-Flow on the switch with the enable clear-flow command. When CLEAR-Flow is enabled, the agent on the switch evaluates the rules, and when any rule is triggered, its CLEAR-Flow actions are executed.


Displaying CLEAR-Flow Configuration and Activity
• Display the state of the CLEAR-Flow agent, the CLEAR-Flow policies on each interface, and the number of CLEAR-Flow rules by entering the command:
show clear-flow
• Display the CLEAR-Flow rules and configuration by entering the command:
show clear-flow rule
• Display all the rules by entering the command:
show clear-flow rule-all
When CLEAR-Flow is enabled, any rule whose conditions are satisfied triggers and takes its actions.
• Display the CLEAR-Flow rules that have been triggered by entering the command:
show clear-flow rule-triggered
• Display which ACLs have been modified by CLEAR-Flow rules by entering the command:
show clear-flow acl-modified


Adding CLEAR-Flow Rules to ACLs
Each ACL policy file consists of a number of named entries. Each entry consists of match conditions and actions to take if the entry is matched. CLEAR-Flow builds on the ACL concept to include rules that are periodically checked, and actions to take if a rule is triggered. The CLEAR-Flow entries are similar to the ACL entries.


The syntax of a CLEAR-Flow rule entry is:
entry <CLFrulename> {
if <match-type> { <match-conditions>;
}
then {
<actions>;
}
}


Or you can specify an optional else clause:
entry <CLFrulename> {
if <match-type> { <match-conditions>;
}
then {
<actions>;
} else {
<actions>;
}
}

In the CLEAR-Flow rule syntax, CLFrulename is the name of the rule (maximum of 31 characters). The optional match-type specifies whether the rule is triggered when any of the expressions that make up the conditions is true (logical OR) or only when all of them are true (logical AND). The match-conditions specify the conditions that trigger the rule and how often the rule is evaluated. The actions in the then clause are the list of actions taken when the rule is triggered; the actions in the optional else clause are taken after the rule has triggered, when the match-conditions later become false.

CLEAR-Flow Rule Match Type
Match types are optional; the possible choices are:
• match all—All the match expressions must be true for a match to occur. This is the default.
• match any—If any match expression is true, then a match occurs.


CLEAR-Flow Rule Match Conditions
In a CLEAR-Flow rule, the match-conditions portion consists of one to four expressions, an optional global-rule statement, and an optional period statement:


entry <CLFrulename> {
if <match-type> { <expression>;
<expression>;
<expression>;
<expression>;
global-rule;
period <interval>;
}
then {
<actions>;
} else {
<actions>;
}
}

In the following example, the CLEAR-Flow rule (named cflow_count_rule_example) is evaluated every ten seconds. The actions are triggered if the value of counter1 (defined earlier in the ACL policy file) is greater than 1,000,000:


entry cflow_count_rule_example {
if { count counter1 > 1000000 ;
period 10 ;
}
then {
<actions>;
}
}


The global-rule statement is optional and affects how the counters are treated. An ACL that defines counters can be applied to more than one interface. Specify the global-rule statement so that the counters are summed across all the interfaces the policy is applied to. For example, if a policy that defines a counter is applied to ports 1:1 and 2:1, a CLEAR-Flow rule that uses the global-rule statement sums the counts from both ports. Without the global-rule statement, the rule is evaluated separately for each port, looking only at the counts received on that port.

The period interval statement is optional and sets the sampling interval, in seconds: how often the CLEAR-Flow agent evaluates the rule. If not specified, the default value is 5 seconds.

The five CLEAR-Flow rule expressions are count, delta, ratio, delta-ratio, and rule-true-count. All of them check the values of counters to decide whether an action should be taken. The counters are either defined by count actions in the ACL entries on the switch, or are the predefined CLEAR-Flow counters. When you use a count statement in an ACL entry, you are defining a counter that CLEAR-Flow can monitor.


1. Count Expression


A CLEAR-Flow count expression compares a counter with the threshold value.
The following is the syntax for a CLEAR-Flow count expression:


count <counterName> REL_OPER <countThreshold> ;
hysteresis <hysteresis> ;


The values of countThreshold and hysteresis can be specified as floating point numbers. The count statement specifies how to compare a counter with its threshold. The counterName is the name of an ACL counter defined by a count action in an ACL rule entry, and the countThreshold is the value compared with the counter. The REL_OPER is one of the relational operators greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).


The hysteresis statement is optional and sets a hysteresis value for the threshold. After the count statement becomes true, the threshold is adjusted so that a change smaller than the hysteresis value does not make the statement false again. For statements using the REL_OPER > or >=, the hysteresis value is subtracted from the threshold; for < or <=, the hysteresis value is added to the threshold.


Following is an example of a count expression used in a CLEAR-Flow rule:


entry cflow_count_rule_example {
if { count counter1 > 1000000 ;
period 10 ;
}
then {
<actions>;
}
}


The following table is an example of evaluating the CLEAR-Flow count expression above multiple times.
Notice that the rule is not triggered until evaluation 3, when the value of the counter is greater than 1,000,000.


[ Count Expression Evaluation Example ]

2. Delta Expression


A CLEAR-Flow delta expression computes the difference from one sample to the next of a counter value.
This difference is compared with the threshold value. The following is the syntax for a CLEAR-Flow delta expression:


delta <counterName> REL_OPER <countThreshold> ;
hysteresis <hysteresis> ;


The values of countThreshold and hysteresis can be specified as floating point numbers. The delta expression specifies how to compare the difference in a counter value from one sample to the next with its threshold. The counterName is the name of an ACL counter defined by a count action in an ACL rule entry, and the countThreshold is the value compared with the difference in the counter from one sample to the next. The REL_OPER is one of the relational operators greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).

The hysteresis statement is optional and sets a hysteresis value for the threshold. After the delta statement becomes true, the threshold is adjusted so that a change smaller than the hysteresis value does not make the statement false again. For statements using the REL_OPER > or >=, the hysteresis value is subtracted from the threshold; for < or <=, the hysteresis value is added to the threshold.


For example, the following delta expression:
delta counter1 >= 100 ;
hysteresis 10 ;


will only be true after the delta of the counter reaches at least 100. At the time it becomes true, the hysteresis value is subtracted from the threshold (setting the threshold to 90). With the threshold now at 90, the condition would stay true until the delta of the counter becomes less than 90.


If the expression becomes false, the threshold is reset to its original value. You would use the hysteresis value to prevent the expression from vacillating between the true and false states if the difference between the counter values is near the threshold. If the hysteresis value is greater than the threshold value, the hysteresis value will be set to 0.


The following table is an example of evaluating the CLEAR-Flow delta expression above multiple times. Notice that the rule is not triggered until evaluation 4, when the delta value (the change in the counter value from one evaluation to the next) is greater than or equal to 100. After the rule is triggered, it remains triggered until the delta value is less than 90 (the original threshold minus the hysteresis), at evaluation 7, where the threshold is reset to 100. At evaluation 9, the rule is again triggered when the delta reaches 100. The rule then remains triggered until the delta drops below 90.



3. Ratio Expression


A CLEAR-Flow ratio expression compares the ratio of two counter values with the threshold value.
The following is the syntax for a CLEAR-Flow ratio expression:


ratio <counterNameA> <counterNameB> REL_OPER <countThreshold> ;
min-value <min-value> ;
hysteresis <hysteresis> ;


The values of countThreshold and hysteresis can be specified as floating point numbers, and the ratio is computed as a floating point number. The ratio statement specifies how to compare the ratio of two counters with its threshold. To compute the ratio, the value of counterNameA is divided by the value of counterNameB. That ratio is then compared with the countThreshold. The REL_OPER is one of the relational operators greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).


The min-value statement is optional and sets a minimum value for the counters. If either counter is less than the minimum value, the expression evaluates to false. If not specified, the minimum value is 1.


The hysteresis statement is optional and sets a hysteresis value for the threshold. After the ratio statement becomes true, the threshold is adjusted so that a change smaller than the hysteresis value does not make the statement false again. For statements using the REL_OPER > or >=, the hysteresis value is subtracted from the threshold; for < or <=, the hysteresis value is added to the threshold.


For example, the following ratio expression:
ratio counter1 counter2 >= 5 ;
min-value 100;
hysteresis 1 ;


is true only after the ratio of the counters reaches at least 5 and both counter values are at least 100. When it becomes true, the hysteresis value is subtracted from the threshold (setting the threshold to 4). With the threshold now at 4, the condition stays true until the ratio of the counters becomes less than 4.


If the statement becomes false, the threshold is reset to its original value. You can use the hysteresis value to prevent the rule from vacillating between the true and false states when the ratio between the counter values is near the threshold. If the hysteresis value is greater than the threshold value, the hysteresis value will be set to 0.

The following table is an example of evaluating the CLEAR-Flow ratio expression above multiple times. Notice that the rule is not triggered at the first evaluation because both counters have not yet reached the min-value of 100. The rule first triggers at evaluation 3, when the ratio of the two counters exceeds 5. After the rule is triggered, it remains triggered until the ratio value is less than 4 (the original threshold minus the hysteresis), at evaluation 5. At evaluation 7, the rule is again triggered when the ratio reaches 5. The rule then remains triggered until the ratio drops below 4.



4. Delta-Ratio Expression


A CLEAR-Flow delta-ratio expression is a combination of the delta and ratio expressions.
The CLEAR-Flow agent computes the difference from one sample to the next for each of the two counters. The ratio of the differences is then compared to the threshold value. The following is the syntax for a CLEAR-Flow delta-ratio expression (note the similarity to the delta expression):


delta-ratio <counterNameA> <counterNameB> REL_OPER <countThreshold> ;
min-value <min-value> ;
hysteresis <hysteresis> ;


The values of countThreshold and hysteresis can be specified as floating point numbers, and the delta-ratio is computed as a floating point number. The delta-ratio statement specifies how to compare the ratio of the counter differences with its threshold. The difference between successive samples of counterNameA is divided by the difference between successive samples of counterNameB, and the resulting ratio is compared with the countThreshold. The REL_OPER is one of the relational operators greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).


The min-value statement is optional and sets a minimum value for the counters. If either counter is less than the minimum value, the expression evaluates to false. If not specified, the minimum value is 1.

The hysteresis statement is optional and sets a hysteresis value for the threshold. After the delta-ratio statement becomes true, the threshold is adjusted so that a change smaller than the hysteresis value does not make the statement false again. For statements using the REL_OPER > or >=, the hysteresis value is subtracted from the threshold; for < or <=, the hysteresis value is added to the threshold.


For example, the following delta-ratio expression:
delta-ratio counter1 counter2 >= 5 ;
min-value 100 ;
hysteresis 1 ;


is true only after the ratio of the deltas of the counters reaches at least 5. When it becomes true, the hysteresis value is subtracted from the threshold (setting the threshold to 4). With the threshold now at 4, the condition stays true until the ratio of the deltas of the counters becomes less than 4.


If the statement becomes false, the threshold is reset to its original value. You can use the hysteresis value to prevent the rule from vacillating between the true and false states when the ratio of the deltas of the counters is near the threshold. If the hysteresis value is greater than the threshold value, the hysteresis value will be set to 0.


The following table is an example of evaluating the CLEAR-Flow delta-ratio expression above multiple times. Notice that the rule is not triggered at the second evaluation because both counters have not yet reached the min-value of 100 (the first evaluation has no previous sample, so no delta can be computed). The rule first triggers at evaluation 4, when the ratio of the two deltas exceeds 5. After the rule is triggered, it remains triggered until the ratio value is less than 4 (the original threshold minus the hysteresis), at evaluation 6. At evaluation 8, the rule is again triggered when the ratio reaches 5. The rule then remains triggered until the ratio drops below 4.
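
The evaluation tables referred to above are not reproduced on this page, so the following Python simulator is added here to make the behaviour concrete. It is an added example, not ExtremeXOS code and not part of the original page: it implements the count, delta, ratio and delta-ratio expressions as the text describes them (one evaluation per sampling period, the threshold moved by the hysteresis while the expression is true and reset when it becomes false, min-value making a ratio false, and a hysteresis larger than the threshold treated as 0) and runs them over constructed counter series chosen to reproduce the evaluation sequences the text describes. The counter series are assumptions, not switch output, and applying min-value to the per-interval deltas in the delta-ratio case follows the SYN example at the end of this article rather than quoted syntax.

```python
# Added example, not ExtremeXOS code: a simulator for the count, delta, ratio and
# delta-ratio expressions as the text above describes them. One evaluate() call
# corresponds to one sampling period of the CLEAR-Flow agent.
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional

REL_OPER = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
Sample = Dict[str, int]  # counter name -> cumulative counter value at one sampling instant


@dataclass
class Expression:
    kind: str                      # "count", "delta", "ratio" or "delta-ratio"
    counters: List[str]            # one name for count/delta, two for ratio/delta-ratio
    rel: str                       # one of > >= < <=
    threshold: float
    hysteresis: float = 0.0
    min_value: float = 1.0         # ratio/delta-ratio only; the page's default is 1
    prev: Optional[Sample] = None  # previous sample, needed by the delta kinds
    true: bool = False             # current state of the expression

    def __post_init__(self) -> None:
        # Page rule: a hysteresis larger than the threshold is set to 0.
        if self.hysteresis > self.threshold:
            self.hysteresis = 0.0

    def effective_threshold(self) -> float:
        # While true, the threshold is moved by the hysteresis (down for > and >=,
        # up for < and <=) so a small move back across it does not flip the state.
        # It returns to the configured value as soon as the expression is false.
        if not self.true:
            return self.threshold
        if self.rel in (">", ">="):
            return self.threshold - self.hysteresis
        return self.threshold + self.hysteresis

    def value(self, sample: Sample) -> Optional[float]:
        """The quantity compared with the threshold, or None when it is undefined."""
        a = sample[self.counters[0]]
        if self.kind == "count":
            return float(a)
        if self.kind == "ratio":
            b = sample[self.counters[1]]
            if a < self.min_value or b < self.min_value or b == 0:
                return None  # either counter under min-value: expression is false
            return a / b
        if self.prev is None:
            return None      # delta and delta-ratio need a previous sample
        da = a - self.prev[self.counters[0]]
        if self.kind == "delta":
            return float(da)
        db = sample[self.counters[1]] - self.prev[self.counters[1]]
        # delta-ratio: min-value applied to the per-interval deltas, as in the SYN
        # example at the end of the page (an interpretation, not quoted syntax).
        if da < self.min_value or db < self.min_value or db == 0:
            return None
        return da / db

    def evaluate(self, sample: Sample) -> bool:
        v = self.value(sample)
        self.prev = dict(sample)
        self.true = v is not None and REL_OPER[self.rel](v, self.effective_threshold())
        return self.true


def trace(expr: Expression, samples: List[Sample]) -> List[bool]:
    """Evaluate once per sample (i.e. per period) and return the state after each."""
    return [expr.evaluate(s) for s in samples]


# Constructed counter series (assumptions, not switch output). DELTA_SAMPLES gives
# per-period deltas of -, 50, 80, 100, 95, 92, 85, 95, 100, 90, so that
# "delta counter1 >= 100 ; hysteresis 10 ;" is true at evaluation 4, false again
# when the delta drops below 90 at evaluation 7, and true again at evaluation 9.
DELTA_SAMPLES = [{"counter1": v} for v in (0, 50, 130, 230, 325, 417, 502, 597, 697, 787)]
RATIO_SAMPLES = [{"counter1": a, "counter2": b} for a, b in
                 ((50, 10), (400, 100), (600, 110), (900, 200), (950, 250), (1100, 250), (1500, 300))]
SYN_SAMPLES = [{"tcpSynCounter": s, "tcpCounter": t} for s, t in
               ((0, 0), (1200, 100), (2300, 220), (2400, 330))]


def count_trace() -> List[bool]:
    samples = [{"counter1": v} for v in (10, 500_000, 1_000_001)]
    return trace(Expression("count", ["counter1"], ">", 1_000_000), samples)


def delta_trace() -> List[bool]:
    return trace(Expression("delta", ["counter1"], ">=", 100, hysteresis=10), DELTA_SAMPLES)


def ratio_trace() -> List[bool]:
    # "ratio counter1 counter2 >= 5 ; min-value 100 ; hysteresis 1 ;" from the text above
    return trace(Expression("ratio", ["counter1", "counter2"], ">=", 5, hysteresis=1, min_value=100),
                 RATIO_SAMPLES)


def delta_ratio_trace() -> List[bool]:
    # the SYN-flood rule from the last example on this page: > 10, min-value 100, hysteresis 2
    return trace(Expression("delta-ratio", ["tcpSynCounter", "tcpCounter"], ">", 10,
                            hysteresis=2, min_value=100), SYN_SAMPLES)


if __name__ == "__main__":
    for name, fn in (("count", count_trace), ("delta", delta_trace),
                     ("ratio", ratio_trace), ("delta-ratio", delta_ratio_trace)):
        print(f"{name:12}", " ".join("T" if t else "F" for t in fn()))
```

Running it prints one T/F per evaluation for each expression; in the delta trace, a delta of 95 keeps the rule true at evaluation 5 (threshold lowered to 90) but does not re-trigger it at evaluation 8 (threshold back at 100), which is exactly the flapping protection the hysteresis provides.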



5. Rule-True-Count Expression


A CLEAR-Flow rule-true-count expression compares how many times a CLEAR-Flow rule is true with a threshold value.
One use is to combine multiple rules together into a complex rule. The following is the syntax for a CLEAR-Flow rule-true-count expression:


rule-true-count <ruleName> REL_OPER <countThreshold> ;


The rule-true-count statement specifies how to compare how many times a CLEAR-Flow rule is true with the expression threshold. The ruleName is the name of the CLEAR-Flow rule to monitor and the countThreshold is the value compared with the number of times the rule is true. The REL_OPER is selected from the relational operators for greater than, greater than or equal to, less than, or less than or equal to (>, >=, <, <=).


For example, the following rule-true-count expression:
rule-true-count cflow_count_rule_example >= 5 ;
will only be true after the CLEAR-Flow rule cflow_count_rule_example has been true at least five times.


If the rule cflow_count_rule_example becomes true and remains true, and the period for cflow_count_rule_example is the default five seconds, the rule has to stay true for at least 20 seconds (five consecutive evaluations) before the rule-true-count expression becomes true. If the period of the rule cflow_count_rule_example is 10 seconds, it needs to stay true for at least 40 seconds before the rule-true-count expression becomes true.


CLEAR-Flow Rule Actions
CLEAR-Flow rules specify the actions to take when the rule is triggered and can optionally specify, in the else clause, the actions to take when the rule later becomes false.
Because more than one action can be taken in a single rule, the collection of actions is referred to as an action list. The following sections describe the different rule actions:


• Permit/Deny
• QoS Profile
• Mirror
• SNMP Trap
• Syslog
• CLI


Additionally, the SNMP trap, syslog, and CLI rule actions can use keyword substitution to make the rule actions more flexible. The keyword substitutions are described at the end of the rule action descriptions.

Permit/Deny
This action modifies an existing ACL rule to permit or block traffic that matches that rule.
• To change an ACL to permit, use the following syntax:
permit <ACLRuleName>


• To change an ACL to deny, use the following syntax:
deny <ACLRuleName>


QoS Profile
This action modifies an existing ACL rule to set the QoS profile for traffic that matches that rule.
• To change the ACL to forward to QoS profile <QPx>, use the following syntax:
qosprofile <ACLRuleName> <QPx>
For example:
qosprofile acl_rule_1 QP3


Mirror
This action modifies an existing ACL rule to mirror traffic that matches that rule, or to stop mirroring that traffic. Mirroring to the monitor port must already be enabled when mirroring is turned on for an ACL rule; configure it beforehand, or use a cli action in the same rule to enable it.
• To change the ACL to mirror traffic, use the following syntax:
mirror [add|delete] <ACLRuleName>


For example (enabling mirroring from within the CLEAR-Flow rule's action list, with the cli action listed before the mirror action):
cli "enable mirror to port 7:4 tagged" ;
mirror add acl_rule_1 ;


SNMP Trap
This action sends an SNMP trap, with a configurable ID and message string, to the trap server when the rule is triggered. If period is given, the trap is repeated every period seconds while the rule remains triggered. If period is 0, or if this optional parameter is not present, the trap is sent only once, when the rule is triggered.
The period must be a multiple of the rule's sampling/evaluation interval; otherwise it is rounded down to a multiple of that interval.
• To send an SNMP trap, use the following syntax:
snmptrap <id> <message> <period>


Syslog
This action sends a log message to the ExtremeXOS EMS server. The possible values for the message level are DEBU, INFO, NOTI, WARN, ERRO, and CRIT.
If period is given, the message is repeated every period seconds while the rule remains triggered. If period is 0, or if this optional parameter is not present, the message is sent only once, when the rule is triggered. The period must be a multiple of the rule's sampling/evaluation interval; otherwise it is rounded down to a multiple of that interval.
• To send a log message, use the following syntax:
syslog <message> <level> <period>


CLI
This action executes a CLI command. The command runs as-is: there is no further authentication, and its validity is not checked before it is executed. If the command fails, the CLI logs a message in the EMS log. Because keyword substitution (described below) is also applied to the command string, treat a policy file that contains cli actions as privileged configuration: whoever can edit the policy can run arbitrary switch commands.
• To execute a CLI command, use the following syntax:
cli <cliCommand>
where <cliCommand> is a quoted string.


Keyword Substitution
To make the SNMP trap, syslog, and CLI actions more flexible, keyword substitutions are supported in the syslog and SNMP trap message strings, as well as in the CLI command strings.
The keywords used in the examples in this article are $ruleName (the name of the rule that triggered), $ruleValue (the value the expression computed), $ruleThreshold (the rule's threshold), $port and $vlanName (the port or VLAN the ACL is applied to), and $<counterName> (the current value of a counter defined in the policy, for example $c1).
If a keyword is not supported, or a counter name is not found, the string "unknownKeyword[$keyword]" is substituted.
For the $vlanName and $port keywords, the keyword all is substituted for rules in a wildcard ACL. Some CLI commands do not support the all keyword, so use caution with CLI commands that use these keywords.
A maximum of ten different counter substitutions can be used per rule, including counters used in expressions. For example, if a rule uses four counters in its expressions, six more different counters can be used in keyword substitutions, for a total of ten.
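
Because an unsupported keyword silently becomes unknownKeyword[$keyword] and an over-budget rule or a mistyped ACL name is only noticed after the policy is loaded, it is worth linting a policy before applying it. The following Python checker is an added example, not ExtremeXOS code and not part of the original page: it reads a policy file as text, splits it into entries, and applies the rules stated above (known keywords or defined counters only, at most ten distinct counters per rule, permit/deny/qosprofile/mirror targets that name an ACL entry in the same policy, and a warning for cli actions that use $port or $vlanName). KNOWN_KEYWORDS contains only the keywords this article's examples use. SAMPLE_POLICY is constructed here (the SYN rule from the last example on this page plus a deliberately faulty bad_rule), and the disable ports command in its cli action is an EXOS command used only for illustration.

```python
# Added example, not ExtremeXOS code: a pre-deployment lint for the keyword and
# counter rules described above, run over a CLEAR-Flow policy embedded as text.
import re
from typing import Dict, List, Set

# Keywords used in this article's examples; any other $name must be a counter
# that a "count <name> ;" action somewhere in the policy defines.
KNOWN_KEYWORDS = {"ruleName", "ruleValue", "ruleThreshold", "port", "vlanName"}
MAX_COUNTERS_PER_RULE = 10  # limit stated above (expressions plus substitutions)

ENTRY_RE = re.compile(r"\bentry\s+([\w-]+)\s*\{")
COUNTER_DEF_RE = re.compile(r"(?<![\w-])count\s+(\w+)\s*;")  # "count c1 ;" in an ACL entry
EXPR_RE = re.compile(r"(?<![\w-])(delta-ratio|count|delta|ratio)\s+(\w+)(?:\s+(\w+))?\s*(?:>=|<=|>|<)")
RULE_TRUE_COUNT_RE = re.compile(r"\brule-true-count\s+([\w-]+)")
ACL_ACTION_RE = re.compile(r"\b(permit|deny|qosprofile|mirror\s+(?:add|delete))\s+([\w-]+)")
STRING_RE = re.compile(r'"([^"]*)"')
CLI_RE = re.compile(r'\bcli\s+"([^"]*)"')
KEYWORD_RE = re.compile(r"\$(\w+)")


def split_entries(policy: str) -> Dict[str, str]:
    """Map entry name -> body text by matching the braces after 'entry <name> {'."""
    entries: Dict[str, str] = {}
    for m in ENTRY_RE.finditer(policy):
        depth, i = 1, m.end()
        while depth and i < len(policy):
            depth += {"{": 1, "}": -1}.get(policy[i], 0)
            i += 1
        entries[m.group(1)] = policy[m.end():i - 1]
    return entries


def lint_policy(policy: str) -> List[str]:
    """Return one finding per problem; an empty list means the policy passed."""
    entries = split_entries(policy)
    counters = set(COUNTER_DEF_RE.findall(policy))
    # An entry is a CLEAR-Flow rule if it contains an expression; the rest are ACL entries.
    rules = {n: b for n, b in entries.items() if EXPR_RE.search(b) or RULE_TRUE_COUNT_RE.search(b)}
    acls = set(entries) - set(rules)
    findings: List[str] = []
    for name, body in rules.items():
        used: Set[str] = set()
        for m in EXPR_RE.finditer(body):
            used.update(c for c in m.groups()[1:] if c)
        for c in sorted(used - counters):
            findings.append(f"{name}: expression uses counter {c}, which no ACL entry defines")
        for target in RULE_TRUE_COUNT_RE.findall(body):
            if target not in rules:
                findings.append(f"{name}: rule-true-count refers to unknown rule {target}")
        for text in STRING_RE.findall(body):
            for kw in KEYWORD_RE.findall(text):
                if kw in counters:
                    used.add(kw)
                elif kw not in KNOWN_KEYWORDS:
                    findings.append(f"{name}: ${kw} is neither a keyword nor a counter; the switch would "
                                    f"substitute unknownKeyword[${kw}]")
        if len(used) > MAX_COUNTERS_PER_RULE:
            findings.append(f"{name}: {len(used)} distinct counters exceed the limit of {MAX_COUNTERS_PER_RULE}")
        for action, target in ACL_ACTION_RE.findall(body):
            if target not in acls:
                findings.append(f"{name}: {action} {target} names no ACL entry in this policy")
        for cmd in CLI_RE.findall(body):
            if {"port", "vlanName"} & set(KEYWORD_RE.findall(cmd)):
                findings.append(f"{name}: cli action uses $port/$vlanName, which become 'all' under a wildcard ACL")
    return findings


# Constructed policy (assumption): the SYN rule from the last example on this page
# plus a deliberately faulty rule. "disable ports" is an EXOS command used for illustration.
SAMPLE_POLICY = """
entry acl_syn {
    if { protocol tcp ; tcp-flags SYN ; }
    then { count tcpSynCounter ; }
}
entry acl_tcp {
    if { protocol tcp ; }
    then { count tcpCounter ; }
}
entry cflow_delta_ratio_rule_example {
    if { delta-ratio tcpSynCounter tcpCounter > 10 ;
         period 2 ; min-value 100 ; hysteresis 2 ;
    } then {
        syslog "Syn attack on port $port is detected" WARN ;
        deny acl_syn ;
    } else {
        syslog "Syn attack on port $port is no longer detected" WARN ;
        permit acl_syn ;
    }
}
entry bad_rule {
    if { delta tcpSynCounter > 50 ; }
    then {
        syslog "rule $ruleName: $tcpSynCounter SYNs, rate $synRate on $port" WARN ;
        cli "disable ports $port" ;
        deny acl_udp ;
    }
}
"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
```

Run against SAMPLE_POLICY the checker reports nothing for the SYN rule and three findings for bad_rule: $synRate would be rendered as unknownKeyword[$synRate], the cli action uses $port (which becomes all under a wildcard ACL), and deny acl_udp names an ACL entry the policy does not define. The brace matching is deliberately simple and does not handle braces inside quoted strings.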


Predefined CLEAR-Flow Counters
A number of packet statistics are gathered by the ExtremeXOS kernel.
To let you use these statistics in CLEAR-Flow expressions, these kernel counters are available for use with CLEAR-Flow. Most of the counter names are based directly on well-known names from common kernel structures and MIBs, modified from their familiar form by prepending the characters sys_ to the counter name.




CLEAR-Flow Rule Examples
In the examples that follow, one to two ACL rule entries are followed by a CLEAR-Flow rule entry. The examples illustrate the four CLEAR-Flow rule expressions: count, delta, ratio, and delta-ratio.


1. Count Expression Example
In the following example, every ten seconds the CLEAR-Flow agent requests the c1 counter statistics from the hardware.
After it receives the counter value, it evaluates the CLEAR-Flow rule. If the value of c1 is greater than 5 packets, the agent sends a syslog message and changes the ACL entry acl_rule1 to block the traffic (acl_rule1 is modified to a deny rule).


[ Policy: count ]
entry acl_rule1 {
if match all {
   protocol icmp ;
}
then {
   count c1 ;
}
}
entry cflow_count_rule_example {
if match all {
   count c1 > 5 ;
   period 10 ;
}
then {
   syslog "rule $ruleName has c1 value $c1 and c1 exceed the threshold ratio is $ruleValue exceeds limit $ruleThreshold" WARN ;
   deny acl_rule1 ;
}
}

[ Result ]
* ACCESS-U29.152 # sh log
05/15/2017 02:43:45.10 <Warn:ACL.CLEARFlow.Warning> rule cflow_count_rule_example has c1 value 9 and c1 exceed the threshold ratio is 9.000000 exceeds limit 5.000000
05/15/2017 02:43:25.27 <Warn:ACL.CLEARFlow.Warning> rule cflow_count_rule_example has c1 value 10 and c1 exceed the threshold ratio is 10.000000 exceeds limit 5.000000


[ Before applying the ACL ]

[ After applying the ACL ]


2. Delta Expression Example
In this example, every ten seconds the CLEAR-Flow agent requests the c1 counter statistics from the hardware.
After it receives the counter value, it evaluates the rule. If the delta (change) of c1 since the sample taken ten seconds earlier is greater than 3 packets, the agent sends a syslog message and changes the ACL entry acl_rule1 to deny, blocking the matching traffic.


[ Policy: delta ]
entry acl_rule1 {
if match all {
   protocol icmp ;
}
then {
   count c1 ;
}
}
entry cflow_delta_rule_example {
if match all {
   delta c1 > 3 ;
   period 10 ;
}
then {
   syslog "rule $ruleName has delta value $ruleValue and this exceeds limit $ruleThreshold" WARN ;
   deny acl_rule1 ;
}
}


[ Result ]
ACCESS-U29.168 # sh log
05/15/2017 03:01:54.31 <Warn:ACL.CLEARFlow.Warning> rule cflow_delta_rule_example has delta value 5.000000 and this exceeds limit 3.000000
05/15/2017 03:01:24.56 <Warn:ACL.CLEARFlow.Warning> rule cflow_delta_rule_example has delta value 5.000000 and this exceeds limit 3.000000
05/15/2017 03:00:54.79 <Warn:ACL.CLEARFlow.Warning> rule cflow_delta_rule_example has delta value 6.000000 and this exceeds limit 3.000000
05/15/2017 03:00:25.04 <Warn:ACL.CLEARFlow.Warning> rule cflow_delta_rule_example has delta value 5.000000 and this exceeds limit 3.000000

3. Ratio Expression Example
In this example, every ten seconds the CLEAR-Flow agent requests the c1 and c2 counter statistics from the hardware.
After it receives the two counter values, it first checks each against the minimum valid value, which is 2 (min-value 2). If both counters are at least 2, it computes the ratio c1/c2. If the ratio is greater than 2, the agent executes the actions in the then clause, which consist of logging a message to the syslog server. Before logging the string, the agent replaces $ruleName with cflow_ratio_rule_example, $c1 and $c2 with the current counter values, $ruleValue with the computed ratio, and $ruleThreshold with 2. If either counter is below the min-value, or the ratio is not above the threshold of 2, the expression is false and no action is taken. The log output below (newest line first, as sh log prints it) shows the rule firing once per ten-second period while c1 grows and c2 stays at 50.


[ Policy: ratio ]


entry acl_rule1 {
if match all {
   protocol icmp ;
}
then {
   count c1 ;
}
}
entry acl_rule2 {
if match all {
   protocol tcp ;
}
then {
   count c2 ;
}
}
entry cflow_ratio_rule_example {
if match all {
   ratio c1 c2 > 2 ;
   period 10 ;
   min-value 2 ;
}
then {
   syslog "rule $ruleName has c1 value $c1 and c2 value $c2, so threshold ratio is $ruleValue exceeds limit $ruleThreshold" WARN ;
}
}


[ Result ]
ACCESS-U29.114 # sh log
05/15/2017 02:36:58.33 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 160 and c2 value 50 , so threshold ratio is 3.200000 exceeds limit 2.000000
05/15/2017 02:36:48.40 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 150 and c2 value 50 , so threshold ratio is 3.000000 exceeds limit 2.000000
05/15/2017 02:36:38.50 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 140 and c2 value 50 , so threshold ratio is 2.800000 exceeds limit 2.000000
05/15/2017 02:36:28.57 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 130 and c2 value 50 , so threshold ratio is 2.600000 exceeds limit 2.000000
05/15/2017 02:36:18.65 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 120 and c2 value 50 , so threshold ratio is 2.400000 exceeds limit 2.000000
05/15/2017 02:36:08.74 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 110 and c2 value 50 , so threshold ratio is 2.200000 exceeds limit 2.000000
05/15/2017 02:35:58.82 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 101 and c2 value 50 , so threshold ratio is 2.020000 exceeds limit 2.000000
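
The sh log output above is easier to act on as structured events than as text, for example when EMS messages are forwarded to a SIEM. The following Python parser is an added example, not from the original page or from ExtremeXOS: it parses the EMS prefix (timestamp, severity, component) that every log line above shares, pulls the rule name and the value/threshold pair out of the message wording this article's syslog actions use, sorts the events oldest-first (sh log prints newest first), and reports the trigger count and spacing per rule. SAMPLE_LOG embeds the seven ratio-example lines from above plus one constructed non-CLEAR-Flow line to show the filtering; the value extraction is tied to this page's own message strings and has to be adjusted for other syslog wording.

```python
# Added example, not from the page or ExtremeXOS: parse EMS "sh log" lines into
# structured CLEAR-Flow events and summarize the trigger history per rule.
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# EMS prefix shared by every log line above: "MM/DD/YYYY HH:MM:SS.ss <Severity:Component> message"
EMS_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) <(\w+):([\w.]+)> (.*)$")
# The message body is whatever the rule's syslog action says. This article's own
# strings start with "rule <name>" and end with "... <value> ... exceeds limit <threshold>".
RULE_RE = re.compile(r"\brule (\S+)")
VALUE_RE = re.compile(r"(\d+\.\d+)\D*?exceeds limit (\d+\.\d+)")


class Event(NamedTuple):
    ts: datetime
    severity: str
    component: str
    rule: Optional[str]
    value: Optional[float]
    threshold: Optional[float]
    message: str


def parse_line(line: str) -> Optional[Event]:
    """One EMS line -> Event, or None for non-log lines such as the CLI prompt."""
    m = EMS_RE.match(line.strip())
    if not m:
        return None
    ts, severity, component, msg = m.groups()
    rule = RULE_RE.search(msg)
    val = VALUE_RE.search(msg)
    return Event(datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"), severity, component,
                 rule.group(1) if rule else None,
                 float(val.group(1)) if val else None,
                 float(val.group(2)) if val else None, msg)


def clearflow_events(log: str) -> List[Event]:
    """CLEAR-Flow events only, oldest first (sh log prints newest first)."""
    events = [e for e in map(parse_line, log.splitlines())
              if e is not None and e.component.startswith("ACL.CLEARFlow")]
    return sorted(events, key=lambda e: e.ts)


def trigger_intervals(events: List[Event]) -> List[float]:
    """Seconds between consecutive triggers; for a rule whose syslog action fires
    on every evaluation this should track the rule's period."""
    return [(b.ts - a.ts).total_seconds() for a, b in zip(events, events[1:])]


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Per rule: how often it fired, first/last time, largest value seen, threshold."""
    out: Dict[str, dict] = {}
    for e in events:
        s = out.setdefault(e.rule, {"count": 0, "first": e.ts, "last": e.ts,
                                    "max_value": None, "threshold": e.threshold})
        s["count"] += 1
        s["last"] = e.ts
        if e.value is not None and (s["max_value"] is None or e.value > s["max_value"]):
            s["max_value"] = e.value
    return out


# The seven ratio-example lines from the "sh log" output above, plus one
# constructed non-CLEAR-Flow line (not real switch output) to show the filtering.
SAMPLE_LOG = """\
ACCESS-U29.114 # sh log
05/15/2017 02:36:58.33 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 160 and c2 value 50 , so threshold ratio is 3.200000 exceeds limit 2.000000
05/15/2017 02:36:48.40 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 150 and c2 value 50 , so threshold ratio is 3.000000 exceeds limit 2.000000
05/15/2017 02:36:38.50 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 140 and c2 value 50 , so threshold ratio is 2.800000 exceeds limit 2.000000
05/15/2017 02:36:28.57 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 130 and c2 value 50 , so threshold ratio is 2.600000 exceeds limit 2.000000
05/15/2017 02:36:18.65 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 120 and c2 value 50 , so threshold ratio is 2.400000 exceeds limit 2.000000
05/15/2017 02:36:08.74 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 110 and c2 value 50 , so threshold ratio is 2.200000 exceeds limit 2.000000
05/15/2017 02:35:58.82 <Warn:ACL.CLEARFlow.Warning> rule cflow_ratio_rule_example has c1 value 101 and c2 value 50 , so threshold ratio is 2.020000 exceeds limit 2.000000
05/15/2017 02:35:50.00 <Info:Demo.Constructed> constructed filler line, not a CLEAR-Flow event
"""

if __name__ == "__main__":
    evs = clearflow_events(SAMPLE_LOG)
    print(summarize(evs))
    print("intervals (s):", [round(d, 2) for d in trigger_intervals(evs)])
```

On the sample the rule fires seven times, the largest ratio seen is 3.2 against a threshold of 2.0, and the gaps between triggers are all just under ten seconds, matching the rule's period 10; a gap much longer than the period would mean the expression went false in between, since a syslog action without a period only fires when the rule triggers.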


4. Delta-Ratio Expression Example
In this example, every two seconds the CLEAR-Flow agent requests the tcpSynCounter and tcpCounter values from the hardware. The acl_syn entry counts TCP packets with the SYN flag set (protocol tcp together with tcp-flags SYN); acl_tcp counts all TCP packets.
After it receives the two counter values, the agent first calculates the delta of each counter and then checks each delta against the minimum value, which is 100. If both deltas are at least 100, it computes the ratio of the two deltas. If the ratio is greater than 10, the agent logs a warning message and denies all SYN traffic on the interface. No period value is given for the syslog action, so the message is logged once, when the expression first becomes true. When the expression transitions from true to false, a different message is logged and SYN traffic on the interface is permitted again. With hysteresis 2, the delta-ratio value has to fall below 8 (the threshold of 10 minus the hysteresis) before the expression evaluates to false.


[ Policy: delta-ratio ]
entry acl_syn {
if {
   protocol tcp ;
   tcp-flags SYN ;
} then {
   count tcpSynCounter ;
}
}
entry acl_tcp {
if {
   protocol tcp ;
} then {
   count tcpCounter ;
}
}
entry cflow_delta_ratio_rule_example {
if { delta-ratio tcpSynCounter tcpCounter > 10 ;
   period 2 ;
   min-value 100 ;
   hysteresis 2 ;
} then {
   syslog "Syn attack on port $port is detected" WARN ;
   deny acl_syn ;
} else {
   syslog "Syn attack on port $port is no longer detected" WARN ;
   permit acl_syn ;
}
}

