The display soc attack-trace threshold configuration command displays attack source tracing thresholds.
Usage Scenario
To check the thresholds used to determine the location, cause, and probability of attack events, run the display soc attack-trace threshold configuration command. If a parameter is not configured, its default value is displayed.
In VS mode, this command is supported only by the admin VS.
The actual command output varies according to the device. The command output here is only an example.
```
<HUAWEI> display soc attack-trace threshold configuration
The following is reason configuration.
------------------------------------------------------------------------------
Item                    Percentage(%)
change-source-packet    5
broadcast-flood         50
app-packet              30
------------------------------------------------------------------------------
The following is location-type configuration.
---------------------------------------------------------------------------
Item                    Threshold(%)
interface               20
sub-interface           10
vlan                    20
source-ip               10
source-mac              10
qinq                    10
vni                     20
---------------------------------------------------------------------------
The following is probability configuration.
------------------------------------------------------------------------------
Item                    Determined(%)    Suspicion(%)    Notification(%)
top5-user               80               60              40
top5-source-ip          80               60              40
top5-source-mac         80               60              40
broadcast-flood         90               70              50
app-error-percent       90               75              60
------------------------------------------------------------------------------
```
Item | Description |
---|---|
change-source-packet | Threshold for determining a cause for the attack event based on an attack source change. |
broadcast-flood | Threshold for determining a cause for the attack event based on broadcast traffic flooding. |
app-packet | Threshold for determining a cause for the attack event based on application protocol traffic flooding. |
interface | Threshold for determining an attack location based on the physical interface. |
sub-interface | Threshold for determining an attack location based on the sub-interface. |
vlan | Threshold for determining an attack location based on the single VLAN tag. |
source-ip | Threshold for determining an attack location based on the source IP address. |
source-mac | Threshold for determining an attack location based on the source MAC address. |
qinq | Threshold for determining an attack location based on the inner and outer VLAN tags. |
vni | Threshold for determining an attack location based on the VNI. |
top5-user | Threshold for determining the probability of the attack event based on the percentage of the top 5 single-tagged and double-tagged VLAN packets in the total number of sampled packets. |
top5-source-ip | Threshold for determining the probability of the attack event based on top 5 packets listed by source MAC addresses. |
top5-source-mac | Threshold for determining the probability of the attack event based on top 5 packets listed by source IP addresses. |
app-error-percent | Threshold for determining the probability of the attack event based on the percentage of the number of invalid packets or sessions to the total number of packets or sessions on a protocol module. |
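
For configuration audits, the command output above can be parsed into structured data and compared with an expected baseline. The following Python is an added example, not Huawei code: the function names `parse_thresholds` and `drift` are hypothetical, the sample text is abridged from the example output on this page, and the baseline is whatever a site defines for itself. Thresholds are keyed by section because `broadcast-flood` appears in both the reason and the probability sections.

```python
import re

# Abridged from the example output on this page; real values vary by device.
SAMPLE = """\
The following is reason configuration.
------------------------------------------------------------
Item Percentage(%)
change-source-packet 5
broadcast-flood 50
------------------------------------------------------------
The following is location-type configuration.
------------------------------------------------------------
Item Threshold(%)
interface 20
source-ip 10
------------------------------------------------------------
The following is probability configuration.
------------------------------------------------------------
Item Determined(%) Suspicion(%) Notification(%)
top5-source-ip 80 60 40
broadcast-flood 90 70 50
------------------------------------------------------------
"""

SECTION = re.compile(r"The following is (\S+) configuration\.")

def parse_thresholds(text):
    """Return {section: {item: {column: percent}}} from the command output."""
    result, section, columns = {}, None, []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:  # start of the reason / location-type / probability section
            section, columns = m.group(1), []
            result[section] = {}
        elif section and line.startswith("Item"):  # column header row
            columns = [c.replace("(%)", "").lower() for c in line.split()[1:]]
        elif section and columns and line and not set(line) <= {"-"}:
            name, *values = line.split()
            result[section][name] = dict(zip(columns, map(int, values)))
    return result

def drift(parsed, baseline):
    """Return (section, item, column, expected, actual) per mismatch; baseline is site-defined."""
    return [(s, i, c, want, parsed.get(s, {}).get(i, {}).get(c))
            for s, items in baseline.items()
            for i, cols in items.items()
            for c, want in cols.items()
            if parsed.get(s, {}).get(i, {}).get(c) != want]
```

An item missing from the device output is reported with an actual value of `None`, so a baseline entry that the device does not display is flagged rather than silently skipped.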