The attack-trace probability command configures the threshold for determining the probability of an attack event.
The undo attack-trace probability command deletes the configured threshold for determining the probability of an attack event.
The default parameters for configuring the threshold for determining the probability of an attack event are described in the parameter description.
attack-trace probability { top5-user { determined threshold-value | suspicion threshold-value | notification threshold-value } | top5-source-mac { determined threshold-value | suspicion threshold-value | notification threshold-value } | top5-source-ip { determined threshold-value | suspicion threshold-value | notification threshold-value } | broadcast-flood { determined threshold-value | suspicion threshold-value | notification threshold-value } | app-error-percent { determined threshold-value | suspicion threshold-value | notification threshold-value } }
undo attack-trace probability { top5-user { determined [ threshold-value ] | suspicion [ threshold-value ] | notification [ threshold-value ] } | top5-source-mac { determined [ threshold-value ] | suspicion [ threshold-value ] | notification [ threshold-value ] } | top5-source-ip { determined [ threshold-value ] | suspicion [ threshold-value ] | notification [ threshold-value ] } | broadcast-flood { determined [ threshold-value ] | suspicion [ threshold-value ] | notification [ threshold-value ] } | app-error-percent { determined [ threshold-value ] | suspicion [ threshold-value ] | notification [ threshold-value ] } }
| Parameter | Description | Value |
|---|---|---|
| top5-user |
Indicates the top 5 VLAN packets in sampled packets, including single-tagged and double-tagged VLAN packets. |
- |
| determined threshold-value |
Specifies the threshold for the percentage of the number of packets with specified characteristics to the total number of sampled packets. If the percentage is greater than or equal to the threshold, an attack event is determined. |
|
| suspicion threshold-value |
Specifies the suspicion threshold for the percentage of the number of packets with specified characteristics to the total number of sampled packets. If the percentage is greater than or equal to the threshold, an attack event is suspicious. |
|
| notification threshold-value |
Specifies the notification threshold for the percentage of the number of packets with specified characteristics to the total number of sampled packets. If the percentage is greater than or equal to the threshold, the system displays a possible attack event. If the percentage is lower than the threshold, no action is required. notification indicates a lower probability of an attack event than suspicion. |
|
| top5-source-mac |
Indicates the top 5 packets listed by source MAC addresses in sampled packets. |
- |
| top5-source-ip |
Indicates the top 5 packets listed by source IP addresses in sampled packets. |
- |
| broadcast-flood |
Indicates the broadcast packets in sampled packets. |
- |
| app-error-percent |
Indicates the invalid packets and sessions on a protocol module. |
- |
Usage Scenario
If the threshold for determining the probability of an attack event does not satisfy the existing network conditions, and attack event reports present incorrect or missing decisions on attack events, run the attack-trace probability command to adjust the threshold for determining the probability of an attack event based on actual conditions to allow attack source tracing to function precisely.
NOTE: top5-user, top5-source-mac, top5-source-ip, broadcast-flood, and app-error-percent parameters can be separately configured in different command instances, and the configurations do not override.Configuration Impact
Inappropriate attack source tracing thresholds may cause incorrect or missing decisions on attack events.
Precautions
It is recommended that you run this command with assistance from Huawei engineers.
In VS mode, this command is supported only by the admin VS.
<HUAWEI> system-view [~HUAWEI] soc [*HUAWEI-soc] attack-trace probability top5-source-mac determined 95