
tcp

See the following sections:

tcp (Protocol Binding Custom Attack)

Syntax

tcp {
    minimum-port port-number maximum-port port-number;
}

Hierarchy Level

[edit security idp custom-attack attack-name attack-type chain protocol-binding]
[edit security idp custom-attack attack-name attack-type signature protocol-binding]

Release Information

Statement introduced in Release 9.3 of JUNOS software.

Description

Allow IDP to match the attack on the specified TCP port or range of ports.

This statement is supported on SRX-series devices.

Options

minimum-port port-number—Minimum port in the port range.

Range: 0 through 65535

maximum-port port-number—Maximum port in the port range.

Range: 0 through 65535

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

tcp (Security Screen)

Syntax

tcp {
    fin-no-ack;
    land;
    port-scan {
        threshold number;
    }
    syn-ack-ack-proxy {
        threshold number;
    }
    syn-fin;
    syn-flood {
        alarm-threshold number;
        attack-threshold number;
        destination-threshold number;
        source-threshold number;
        timeout seconds;
    }
    syn-frag;
    tcp-no-flag;
    winnuke;
}

Hierarchy Level

[edit security screen ids-option screen-name]

Release Information

Statement introduced in Release 8.5 of JUNOS software.

Description

Configure TCP-layer intrusion detection service (IDS) options.

This statement is supported on J-series and SRX-series devices.

Options

The remaining statements are explained separately.

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

tcp (Signature Attack)

Syntax

tcp {
    ack-number {
        match (equal | greater-than | less-than | not-equal);
        value acknowledgement-number;
    }
    data-length {
        match (equal | greater-than | less-than | not-equal);
        value tcp-data-length;
    }
    destination-port {
        match (equal | greater-than | less-than | not-equal);
        value destination-port;
    }
    header-length {
        match (equal | greater-than | less-than | not-equal);
        value header-length;
    }
    mss {
        match (equal | greater-than | less-than | not-equal);
        value maximum-segment-size;
    }
    option {
        match (equal | greater-than | less-than | not-equal);
        value tcp-option;
    }
    sequence-number {
        match (equal | greater-than | less-than | not-equal);
        value sequence-number;
    }
    source-port {
        match (equal | greater-than | less-than | not-equal);
        value source-port;
    }
    tcp-flags {
        (ack | no-ack);
        (fin | no-fin);
        (psh | no-psh);
        (r1 | no-r1);
        (r2 | no-r2);
        (rst | no-rst);
        (syn | no-syn);
        (urg | no-urg);
    }
    urgent-pointer {
        match (equal | greater-than | less-than | not-equal);
        value urgent-pointer;
    }
    window-scale {
        match (equal | greater-than | less-than | not-equal);
        value window-scale-factor;
    }
    window-size {
        match (equal | greater-than | less-than | not-equal);
        value window-size;
    }
}

Hierarchy Level

[edit security idp custom-attack attack-name attack-type signature protocol]

Release Information

Statement introduced in Release 9.3 of JUNOS software.

Description

Allow IDP to match the TCP header information for the signature attack.

This statement is supported on SRX-series devices.

Options

The remaining statements are explained separately.

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
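The following Python example is added here for illustration and is not Juniper code or part of the original reference. It shows the kind of comparison the tcp (Signature Attack) statement describes: decoding a TCP header and testing each field against a match operator and value, plus required set or unset flags. Assumptions: all listed conditions must hold together, header-length is counted in bytes, r1/r2 and the option-based fields (mss, option, window-scale) are left out, and the function names and sample segments are constructed for this example.

```python
import operator
import struct

# Operators named as in the page's "match (...)" statement.
MATCH = {"equal": operator.eq, "greater-than": operator.gt,
         "less-than": operator.lt, "not-equal": operator.ne}

# Standard TCP flag bits. r1/r2 are omitted: the page does not say
# which reserved bits they denote.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into the fields the statement names."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4  # bytes (assumed unit for header-length)
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return {"source-port": sport, "destination-port": dport,
            "sequence-number": seq, "ack-number": ack,
            "header-length": header_len, "window-size": window,
            "urgent-pointer": urg, "data-length": len(segment) - header_len,
            "flags": off_flags & 0x3F}

def signature_matches(segment: bytes, fields: dict, flags: list) -> bool:
    """fields: {name: (match, value)}; flags: e.g. ["syn", "no-ack"].
    Assumption: every listed condition must hold (logical AND)."""
    try:
        hdr = parse_tcp(segment)
    except ValueError:
        return False  # malformed header: nothing to compare against
    for name, (match, value) in fields.items():
        if not MATCH[match](hdr[name], value):
            return False
    for flag in flags:
        want_set = not flag.startswith("no-")
        bit = FLAG_BITS[flag if want_set else flag[3:]]
        if bool(hdr["flags"] & bit) != want_set:
            return False
    return True

def build_segment(sport, dport, flags, payload=b"", urg=0):
    """Constructed sample input: 20-byte header plus payload, checksum zero."""
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 0,
                       (5 << 12) | flags, 8192, 0, urg) + payload
```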
