Share Filter

Summary

When Intrusion Detection is enabled, the router detects packets used by the "Share" P2P software and rejects the communication.
Additionally, detection information can be sent to you by Intrusion Detection Email Notification.

There are two types of "Share", but this functionality only handles EX2.

  • Share version 1.0 EX2 (Share TCP ver.)
  • Share version 1.0 NT5 (Share UDP ver.)

Compatible Models & Firmware Revisions

Model     Revision
RTX5000   Rev.14.00.15 or later
FWX120    Rev.11.03.16 or later
RTX810    Rev.11.01.15 or later

Details

On detection and rejection

Enable "Share" Filters with the "ip I/F intrusion detection" command.
When the "reject" option is 'off', packets are only detected; when it is 'on', the communication is rejected.

Warning: detection only includes packets sent from inside to outside.

On Logs

When Share packets are detected and discarded by the "Share" filter, the following log is output at the debug level.
The same entry is also shown by the "show ip intrusion detection" command.

# show log
2008/01/18 11:17:14   Share version 1       (*global IP address)      >      192.168.100.2

# show ip intrusion detection

LAN1[out]
---------------------------------------------------------------------
Configuration: 
         IP:  on (pass)
  IP Option:  on (pass)
   Fragment:  on (pass)
       ICMP:  on (pass)
        UDP:  on (pass)
        TCP:  on (pass)
        FTP:  on (pass)
      Winny:  on (pass)
      Share:  on (pass)
    Default:  on (pass)
Log: 
    2008/01/18 11:17:14   Share version 1       (*global IP address)      >      192.168.100.2

Mail notification

If the Intrusion Detection Mail Notification has been configured, you will be notified with the following email when Share packets are detected and discarded.

Model:  FWX120
Revision:  Rev.11.03.xx
Name:  yamaha-fwx120-00a0de82a40b
Time:  2016/11/09 18:49:29
Template ID:  1

ID                 Time  Interface    Intrusion detection details
------------------------------------------------------------------------------
0001 2016/11/09 18:49:29        LAN1 [ out] Share version 1
                                           ((*Global IP address)     ->   192.168.100.2) 

On Automatic Policy Set Switching

As described in Inbound Filter and Policy Filter, the detection and discarding of Share packets can be used as a trigger to switch the policy set automatically.
For details, refer to the specification of the "ip policy filter set switch" command.

GUI

This section describes the GUI for the FWX120.

1. Intrusion detection settings screen (ids/ids.html)

Settings Screen

The settings screen shows "Share" items, where we will set up the intrusion detection.
Configuration via the above image is equivalent to the following commands:

  • ip I/F intrusion detection DIRECTION share on OPTION

2. Intrusion detection status screen (ids/status.html)

Status Screen

The status screen shows "Share" items and detection status.

3. Policy set switch settings screen (policy/pswitch_conf.html)

Policy set switch screen

To set up a policy set switch, select the value "Detect Share" for the item "Trigger of switching".
Configuration via the above image is equivalent to the following commands:

  • ip policy filter set switch ORIGINAL_ID BACKUP_ID trigger share [count=COUNT] [interval=INTERVAL]

Command

Set the Operation of the Intrusion Detection Function

[Syntax]
ip INTERFACE intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
ip pp intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
ip tunnel intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip INTERFACE intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip pp intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip tunnel intrusion detection DIRECTION [TYPE] SWITCH [OPTION] 
[Setting Value]
  • INTERFACE ........ LAN or WAN interface name
  • DIRECTION ........ Packet connection direction to be monitored
    • in ........... Into the interface
    • out .......... Out of the interface
  • TYPE ............. Packet connection type to be monitored
    • ip ........... IP header
    • ip-option .... IP options header
    • fragment ..... fragment
    • icmp ......... ICMP
    • udp .......... UDP
    • tcp .......... TCP
    • ftp .......... FTP
    • winny ........ Winny
    • share ........ Share
    • default ...... All unspecified types
  • SWITCH
    • on ........... Enable
    • off .......... Disable
  • OPTION
    • reject=on .... Discards invalid packets
    • reject=off ... Does not discard invalid packets
[Initial Value]
  • SWITCH
    • When TYPE is not specified=off
    • When TYPE is specified=on
  • OPTION
    • off
[Description]

Detects intrusion in packets of the specified direction on the specified interface.
When the TYPE option is omitted, the settings apply to all types of intrusion detection.

[Note]

For high-risk attacks, the router always discards the packet regardless of the reject option setting.

For Winny, version 2 can be detected, but earlier versions are not covered.

For Share, version 1.0 EX2 (Share TCP version) can be detected, but earlier versions are not covered.

RTX5000 does not support a WAN interface for the INTERFACE parameter.

[Applicable Models]
RTX5000 RTX810 FWX120

Show the History of Intrusion Information

[Syntax]
show ip intrusion detection
show ip intrusion detection INTERFACE [DIRECTION]
show ip intrusion detection pp [PEER_NUM [DIRECTION]]
show ip intrusion detection tunnel [TUNNEL_NUM [DIRECTION]] 
[Setting Value]
  • INTERFACE ........ LAN or WAN interface name
  • PEER_NUM ......... Peer number
  • TUNNEL_NUM ....... Tunnel interface number
  • DIRECTION
    • in ........... Input direction
    • out .......... Output direction
[Description]

Shows the recent intrusion information. Intrusion information is shown for each direction of each interface. The maximum number of incidents shown is the value specified by the following commands.

  • ip interface intrusion detection report
  • ip pp intrusion detection report
  • ip tunnel intrusion detection report
[Note]

RTX5000 does not support a WAN interface for the INTERFACE parameter.

[Applicable Models]
RTX5000 RTX810 FWX120

Automatically Switch Policy Sets

[Syntax]
ip policy filter set switch ORIGINAL BACKUP trigger TRIGGER ... [count=COUNT] [interval=INTERVAL] [recoverytime=TIME]
ipv6 policy filter set switch ORIGINAL BACKUP trigger TRIGGER ... [count=COUNT] [interval=INTERVAL] [recoverytime=TIME]
no ip policy filter set switch ORIGINAL BACKUP [trigger TRIGGER ... [count=COUNT] [interval=INTERVAL] [recovery-time=TIME]]
no ipv6 policy filter set switch ORIGINAL BACKUP [trigger TRIGGER ... [count=COUNT] [interval=INTERVAL] [recovery-time=TIME]] 
[Settings Values]
  • ORIGINAL .............. Original policy set number (1..65535)
  • BACKUP ................ Backup policy set number (1..65535)
  • TRIGGER ............... Trigger for switching
    • winny ............. Detection of Winny by the unauthorized access detection function
    • share2 ............ Detection of Share by the unauthorized access detection function
    • ethernet-filter ... Discarding of an IP packet by the Ethernet filter
    • qos-class-control ... Detection of bandwidth use by DCC (Dynamic Class Control)
  • COUNT .............. The number of triggers that have to be received for the policy set to be changed. The policy set is switched when the number of triggers specified by COUNT are received within the time specified by INTERVAL.
    • 1..10
  • INTERVAL ................ The period of time over which triggers are counted. The policy set is switched when the number of triggers specified by COUNT are received within the time specified by INTERVAL.
    • Number of seconds (2..600)
  • TIME .............. The time after the last trigger occurs until the router returns to the original policy set
    • 60..604800 .......... Number of seconds
    • infinity .......... Never switch back to the original policy
[Initial Value]
  • COUNT .............. 1[time]
  • INTERVAL ................ 5[seconds]
  • TIME .............. 3600[seconds]
[Description]

Automatically switches the policy set according to the occurrence of the event specified by the TRIGGER parameter.
For the ORIGINAL and BACKUP parameters, specify policy set IDs that have been defined by the ip/ipv6 policy filter set command.

You can change policy sets according to different events by using multiple commands as shown below.

  • ip policy filter set switch 1 2 trigger winny
  • ip policy filter set switch 1 3 trigger ethernet-filter
  • ip policy filter set switch 1 4 trigger qos-class-control

The COUNT and INTERVAL parameters set the timing at which policy sets are switched in response to events.
The policy set is switched when the number of triggers specified by COUNT are received within the time specified by INTERVAL.
When COUNT is set to one, the policy set is switched upon the occurrence of the first event, so the setting of INTERVAL is irrelevant.
Use the TIME parameter to set the time after the last trigger occurs until the router returns to the original policy set.
If you set TIME to infinity, the router never switches back to the original policy set.
You can switch back to the original policy set by executing the ip/ipv6 policy filter set enable command.
After the policy set has been switched, if the settings of the ip/ipv6 policy filter set or ip/ipv6 policy filter set enable command are changed, the policy set switch is cancelled and the router switches back to the original policy.
You cannot specify the same policy set for both ORIGINAL and BACKUP.
Also, if the policy set that you specify with ORIGINAL or BACKUP is undefined, policy set switching does not take place.
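
The timing rules above can be checked with a small model before settings are committed to a router. This is an added illustration, not Yamaha code: the class name and the sliding-window counting are assumptions, while the value ranges and defaults are the ones listed above.

```python
# Added illustration, not vendor code: models the documented COUNT / INTERVAL /
# TIME behaviour. Assumption: triggers are counted over a sliding window.
INFINITY = float("inf")  # stands in for the "infinity" TIME value

class PolicySwitchModel:
    def __init__(self, original, backup, count=1, interval=5, time=3600):
        if original == backup:
            raise ValueError("ORIGINAL and BACKUP must be different policy sets")
        if not 1 <= count <= 10 or not 2 <= interval <= 600:
            raise ValueError("COUNT is 1..10 and INTERVAL is 2..600 seconds")
        if time != INFINITY and not 60 <= time <= 604800:
            raise ValueError("TIME is 60..604800 seconds or infinity")
        self.original, self.backup = original, backup
        self.count, self.interval, self.time = count, interval, time
        self.recent = []          # trigger times still inside the window
        self.last_trigger = None  # time of the most recent trigger
        self.switched = False

    def _recover(self, now):
        # Return to ORIGINAL once TIME seconds have passed since the last trigger.
        if self.switched and now - self.last_trigger >= self.time:
            self.switched, self.recent = False, []

    def trigger(self, now):
        """Record one detection at `now` (seconds); return the active set."""
        self._recover(now)
        self.recent = [t for t in self.recent if now - t <= self.interval] + [now]
        self.last_trigger = now
        if len(self.recent) >= self.count:
            self.switched = True
        return self.active_set(now)

    def active_set(self, now):
        """Policy set in force at `now`."""
        self._recover(now)
        return self.backup if self.switched else self.original

if __name__ == "__main__":
    m = PolicySwitchModel(1, 2, count=3, interval=10, time=60)
    for t in (0, 4, 20, 25, 29):   # only 20, 25, 29 fall in one 10 s window
        print(t, "->", m.trigger(t))
    print(88, "->", m.active_set(88), "|", 89, "->", m.active_set(89))
```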

[Example]

Change the policy set from 1 to 2 upon the detection of Winny or upon the discarding of an IP packet by the Ethernet filter.

ip policy filter set 1 name="main" 101 102 103 104 105 106
ip policy filter set 2 name="backup" 201 202 203 204 205 206
ip policy filter set switch 1 2 trigger winny ethernet-filter
[Applicable Models]
FWX120

Settings Examples

Topology

       +-----------------------+
       |                       |
       |     Internet          |
       |                  ↑   |
       +-----------||------|---+
                   ||      |
             PPPoE ||      |
                   ||      |
     +-----------[LAN2]----|---------------+ FWX120
     |                     |               |
     |                 ((( | )))           | ←Share Filter Detection 
     |                     |Detailed check |  (Policy Filter + Intrusion Detection)
     +-----------[LAN1]----|---------------+
   192.168.100.1/24 |      |
                    |      |
--------------------+------|------+------------
                         ←+→    |
                           |      | 192.168.100.2
                        +--|--[LAN]----+
                        |  |           |
                        | ██           |
                        | (Share)      |
                        |              |
                        +--------------+
                        <PC using Share>

Settings

Providers registered with initial Setup Wizard

# show config
# FWX120 (en) Rev.11.03.16 (Wed Nov  9 18:49:29 2016)
# MAC Address : 00:a0:de:82:a4:0b, 00:a0:de:82:a4:0c
# Memory 256Mbytes, 2LAN
# main:   FWX120 ver=00 serial=S42001978 MAC-Address=00:a0:de:82:a4:0b MAC-Address=00:a0:de:82:a4:0c
# Reporting Date:  Dec 14 20:59:29 2016
ip route default gateway pp 1
ip lan1 address 192.168.100.1/24
pp select 1
 description pp PRV/PPPoE/0: 
 pp keepalive interval 30 retry-interval=30 count=12
 pp always-on on
 pppoe use lan2
 pppoe auto disconnect off
 pp auth accept pap chap
 pp auth myname xxxxxxx xxxxxxx
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ppp ipcp msext on
 ppp ccp type none
 ip pp inbound filter list 1001 1002 1003 1004 1005 1006 1007 1008
 ip pp nat descriptor 1000
 pp enable 1
ip inbound filter 1001 reject-nolog * * tcp,udp * 135
ip inbound filter 1002 reject-nolog * * tcp,udp 135 *
ip inbound filter 1003 reject-nolog * * tcp,udp * netbios_ns-netbios_ssn
ip inbound filter 1004 reject-nolog * * tcp,udp netbios_ns-netbios_ssn *
ip inbound filter 1005 reject-nolog * * tcp,udp * 445
ip inbound filter 1006 reject-nolog * * tcp,udp 445 *
ip inbound filter 1007 reject-nolog 192.168.100.0/24 * * * *
ip inbound filter 1008 pass-nolog * * * * *
ip policy service group 101 name="Open Services"
ip policy service group 102 name=General dns
ip policy service group 103 name=Mail pop3 smtp
ip policy filter 1100 reject-nolog lan1 * * * *
ip policy filter 1110 pass-nolog * * * * 102
ip policy filter 1122 static-pass-nolog * lan1 * * *
ip policy filter 1123 static-pass-nolog * local * * *
ip policy filter 1124 static-pass-log * * 192.168.100.0/24 * http
ip policy filter 1140 pass-nolog * pp1 * * *
ip policy filter 1500 reject-nolog pp* * * * *
ip policy filter 1520 pass-log * lan1 * * 101
ip policy filter 1700 pass-nolog local * * * *
ip policy filter 1710 static-pass-nolog * lan1 * * *
ip policy filter 2000 reject-nolog * * * * *
ip policy filter set 101 name="Internet Access" 1100 [1110 1123 [1124] 1122 1140] 1500 [1520] 1700 [1710] 2000
ip policy filter set enable 101
nat descriptor type 1000 masquerade
syslog notice on
syslog debug on
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.100.2-192.168.100.191/24
dns server pp 1
dns server select 500001 pp 1 any . restrict pp 1
dns private address spoof on
snmp sysname yamaha-fwx120-00a0de82a40b
statistics cpu on
statistics memory on 

Add the following settings to enable the "Share" filter in the inside-to-outside direction.

ip pp intrusion detection out on
ip pp intrusion detection out share on
ip pp intrusion detection out default off 

Execution Results

When "Share" is running on a PC under your control, the Share packet detection is recorded in the history and the log.

# show log
2008/01/18 11:17:14:  [POLICY] Share version 1 xxx.xxx.xxx.xxx > 192.168.100.2

# show ip intrusion detection

PP[01][out]
---------------------------------------------------------------------
Configuration: 
         IP:  off
  IP Option:  off
   Fragment:  off
       ICMP:  off
        UDP:  off
        TCP:  off
        FTP:  off
      Winny:  off
      Share:  on (pass)
    Default:  off
Log: 
 2008/01/18 11:17:14:  Share version 1        xxx.xxx.xxx.xxx > 192.168.100.2 
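
The detection entries shown above can be collected from forwarded syslog to list the LAN hosts that triggered the filter. The following is an added example, not part of the original documentation: the function name and all sample lines except the first are constructed, and the LAN subnet is taken from the configuration on this page.

```python
# Added example: count Share detections per LAN host from router log lines.
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.100.0/24")  # LAN1 subnet from the config above

# Accepts both line shapes shown on this page: with or without "[POLICY]",
# and with or without parentheses around the first address.
SHARE_LINE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):?\s+(?:\[POLICY\]\s+)?"
    r"Share version 1\s+\(?(?P<left>[^\s()]+)\)?\s+>\s+(?P<right>[^\s()]+)"
)

def share_hosts(lines, lan=LAN):
    """Return a Counter mapping each LAN host to its number of detections."""
    hits = Counter()
    for line in lines:
        m = SHARE_LINE.search(line)
        if not m:
            continue  # not a Share detection entry
        for field in (m.group("left"), m.group("right")):
            try:
                addr = ipaddress.ip_address(field)
            except ValueError:
                continue  # masked or malformed address such as xxx.xxx.xxx.xxx
            if addr in lan:
                hits[str(addr)] += 1
    return hits

SAMPLE = [
    # First line is the entry from this page; the rest are constructed.
    "2008/01/18 11:17:14:  [POLICY] Share version 1 xxx.xxx.xxx.xxx > 192.168.100.2",
    "2008/01/18 11:17:20:  [POLICY] Share version 1 203.0.113.7 > 192.168.100.2",
    "2008/01/18 11:18:02   Share version 1       (198.51.100.9)      >      192.168.100.15",
    "2008/01/18 11:18:05: unrelated log line",
]

if __name__ == "__main__":
    for host, n in share_hosts(SAMPLE).most_common():
        print(f"{host}\t{n} detection(s)")
```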
