The display soc attack-detect car threshold configuration command displays the configured CP-CAR thresholds for attack detection.
Usage Scenario
The security operations center (SOC) determines from statistical analysis whether the system is under attack. To obtain these statistics correctly on a live network, you must set proper alarm thresholds for security attack events. However, the traffic statistics modules vary between networkings and scenarios, so you must adjust the existing security alarm thresholds. Before the adjustment, run the display soc attack-detect threshold configuration command to view the existing thresholds, so that you can set proper alarm thresholds for determining security attack events.
Prerequisites
The SOC function has been enabled.
Precautions
If the configured security alarm threshold is too high, some minor security attack events may go undetected. If the configured security alarm threshold is too low, some events may be falsely reported as security attacks, affecting network maintenance and management. Before you configure security alarm thresholds, view the current thresholds and raise the thresholds for security events that are frequently reported by mistake, to minimize false security events.
In VS mode, this command is supported only by the admin VS.
The actual command output varies according to the device. The command output here is only an example.
```
<HUAWEI> display soc attack-detect car threshold configuration
---------------------------------------------------------------------
Attack detect CPU-usage Threshold : 1
Attack alarm CPU-usage Threshold : 60
---------------------------------------------------------------------
Protocol                      Car Rate(pps)   Car DropPktPct(%)
arp                           500             30
icmp                          300             30
dhcp                          500             20
pppoe                         500             20
ftp-server                    500             30
ssh-server                    500             30
snmp                          500             30
telnet-server                 500             30
tftp                          500             30
bgp                           500             30
ldp                           500             30
rsvp                          500             30
ospfv2                        500             30
rip                           500             30
ospfv3                        500             30
msdp                          500             30
pim                           500             30
igmp                          500             30
mld                           500             30
isis                          500             30
pimv6                         500             30
sftp-server                   500             30
ftp-client                    500             30
telnet-client                 500             30
ssh-client                    500             30
sftp-client                   500             30
ntp                           500             30
radius                        500             30
hwtacacs                      500             30
lspping                       500             30
vgmp                          500             30
vrrp                          500             30
bfd                           500             30
dns-client                    500             30
telnetv6-server               500             30
telnetv6-client               500             30
tftpv6-client                 500             30
icmpv6                        500             30
dnsv6                         500             30
sshv6-server                  500             30
mpls-oam                      500             30
rrpp                          500             30
802.1ag                       500             30
lacp                          500             30
unknown                       500             30
white-list                    500             30
hgmp                          500             30
bgpv6                         500             30
ftpv6-client                  500             30
ftpv6-server                  500             30
ipfpm                         500             30
snmpv6                        500             30
multicast                     500             30
multicastv6                   500             30
ipv6                          500             30
tcp                           500             30
udp                           500             30
eapol                         500             30
portal                        500             30
web                           500             30
l2tp                          500             30
dhcpv6                        500             30
nd                            500             30
fib-miss                      500             30
fib-missv6                    500             30
ttl-expired                   500             30
ttl-expiredv6                 500             30
lldp                          500             30
bfdv6                         500             30
arpmiss                       500             30
pim_mc                        500             30
openflow                      500             30
ra                            500             30
rs                            500             30
na                            500             30
ns                            500             30
web_auth_server               500             30
diameter                      500             30
http-redirect-chasten         500             30
atm-inarp                     500             30
unicast-vrrp                  500             30
dlp-bgp                       500             30
dlp-ldp                       500             30
dlp-ospf                      500             30
tcp-65410                     500             30
padi                          500             30
mka                           500             30
icmp-broadcast-address-echo   500             30
dlp-rsvp                      500             30
dlp-isis                      500             30
dlp-radius                    500             30
dlp-ipv6-bgp                  500             30
dlp-ipv6-ospf                 500             30
dcn-pkt-fin                   500             30
pcep                          500             30
vrrpv6                        500             30
radiusv6                      500             30
hwtacacsv6                    500             30
lsppingv6                     500             30
syslogv6                      500             30
web-auth-serverv6             500             30
ipv6-ndh-miss                 500             30
---------------------------------------------------------------------
```
Item | Description |
---|---|
Attack detect CPU-usage Threshold | CPU usage threshold for attack detection. |
Attack alarm CPU-usage Threshold | CPU usage threshold for attack alarms. |
Protocol | Protocol. |
Car Rate(pps) | Minimum CPCAR rate for sending packets to the CPU. |
Car DropPktPct(%) | CPCAR drop percent for packet loss. |
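The Precautions advise reviewing the current thresholds before changing them. The following added example (not Huawei code and not part of the original page) parses output in the format shown above and reports where it differs from a reviewed baseline. The sample output, the `BASELINE` values and the function names are constructed for illustration.

```python
import re

# Constructed sample in the output format shown on this page (values altered).
SAMPLE_OUTPUT = """\
<HUAWEI> display soc attack-detect car threshold configuration
---------------------------------------------------------------------
Attack detect CPU-usage Threshold : 1
Attack alarm CPU-usage Threshold : 60
---------------------------------------------------------------------
Protocol Car Rate(pps) Car DropPktPct(%)
arp 500 30
icmp 300 30
dhcp 500 20
ssh-server 5000 90
802.1ag 500 30
---------------------------------------------------------------------
"""

# Hypothetical reviewed baseline: protocol -> (Car Rate in pps, Car DropPktPct in %).
BASELINE = {"arp": (500, 30), "icmp": (300, 30), "dhcp": (500, 20),
            "ssh-server": (500, 30), "bgp": (500, 30)}

CPU_RE = re.compile(r"^Attack (detect|alarm) CPU-usage Threshold\s*:\s*(\d+)$")
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")

def parse_car_thresholds(text):
    """Return ({'detect': n, 'alarm': n}, {protocol: (rate_pps, drop_pct)})."""
    cpu, protocols = {}, {}
    for line in map(str.strip, text.splitlines()):
        if m := CPU_RE.match(line):
            cpu[m.group(1)] = int(m.group(2))
        elif m := ROW_RE.match(line):  # skips prompt, rulers and the header row
            protocols[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return cpu, protocols

def diff_against_baseline(current, baseline):
    """Report baseline protocols that are absent or whose thresholds changed."""
    findings = []
    for proto, base in sorted(baseline.items()):
        if proto not in current:
            findings.append((proto, "missing", base, None))
            continue
        for field, old, new in zip(("rate_pps", "drop_pct"), base, current[proto]):
            if new != old:
                change = "raised" if new > old else "lowered"
                findings.append((proto, f"{field} {change}", old, new))
    return findings

if __name__ == "__main__":
    cpu, protocols = parse_car_thresholds(SAMPLE_OUTPUT)
    print("CPU-usage thresholds:", cpu)
    for finding in diff_against_baseline(protocols, BASELINE):
        print(finding)
```

A "raised" finding is the case the Precautions warn can let attack events go undetected; a "lowered" finding is the case that can cause events to be mistakenly reported.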