
Defining Rules for an IPS Rulebase

Each rule is composed of match conditions, objects, actions, and notifications. When you define an IDP rule, you must specify the type of network traffic you want IDP to monitor for attacks by using the following characteristics—source zone, destination zone, source IP address, destination IP address, and the Application Layer protocol supported by the destination IP address. The rules are defined in rulebases, and rulebases are associated with policies.

Before You Begin

  1. For background information, read:
  2. Establish basic connectivity. For more information, see the Getting Started Guide for your device.
  3. Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
  4. Create security zones. See Creating Security Zones.
  5. Enable IDP in security policies. See Enabling IDP in a Security Policy.

The configuration instructions in this topic describe how to create a policy called base-policy, specify a rulebase for this policy, and then add a rule R1 to this rulebase. In this example, rule R1:

  1. Matches traffic from the trust zone to the untrust zone, from any source address to any destination address, with the default application setting.
  2. Uses the predefined attack group Critical - TELNET as its attack match criterion.
  3. Drops the connection when traffic matches.
  4. Logs the attack and adds an alert flag to the attack log.
  5. Has a severity level of critical.

After defining the rule, you specify base-policy as the active policy on the device.

You can use either J-Web or the CLI configuration editor to define rules for an IPS rulebase.

This topic contains:

  1. J-Web Configuration
  2. CLI Configuration

J-Web Configuration

To define rules for an IPS rulebase:

  1. Create a policy by assigning a meaningful name to it. The following tasks specify base-policy as the policy name:
    1. Select Configure>CLI Tools>Point and Click CLI.
    2. Next to Security, click Configure or Edit.
    3. Next to Idp, click Configure.
    4. Next to Idp policy, click Add new entry.
    5. In the Policy name box, type base-policy.
  2. Associate a rulebase with the policy and add rules to the rulebase. The following tasks associate an IPS rulebase with base-policy and add rule R1 to the rulebase.
    1. Next to Rulebase ips, click Configure.
    2. Next to Rule, click Add new entry.
    3. In the Name box, type R1.
  3. Define the match criteria for the rule. The following tasks specify traffic from the trust zone to the untrust zone as match criteria for rule R1. The default application setting matches any application configured in the attack object.
    1. Next to Match, click Configure.
    2. From the From zone list, select Enter specific value and type trust in the Zone box.
    3. From the To zone list, select Enter specific value and type untrust in the Zone box.
    4. From the Source list, select Source address.
    5. Next to Source address, click Add new entry.
    6. From the Value list, select Any and click OK.
    7. From the Destination list, select Destination address.
    8. Next to Destination address, click Add new entry.
    9. From the Value list, select Any and click OK.
    10. Next to Application, click Add new entry.
    11. From the Value list, select default and click OK.
  4. Define an attack as match criteria. The following tasks specify predefined attack group Critical - TELNET as match criteria for rule R1.
    1. On the Rule R1 page, next to Match, click Configure.
    2. Next to Attacks, click Configure.
    3. Next to Predefined attack groups, click Add new entry.
    4. In the Value box, type "Critical - TELNET" and click OK.
  5. Specify an action for the rule. The following tasks specify that the connection be dropped for any traffic that matches the criteria defined for rule R1:
    1. On the Rule R1 page, next to Then, click Configure.
    2. Next to Action, click Configure.
    3. From the Action list, select Drop connection and click OK.
  6. Specify notification and logging options for the rule. The following tasks enable logging for this attack and specify that an alert flag be added to the attack log:
    1. On the Rule R1 page, next to Then, click Configure.
    2. Next to Notification, select the check box and click Configure.
    3. Next to Log attacks, select the check box and click Configure.
    4. Next to Alert, select the check box and click OK.
  7. Set the severity level for the rule. The following tasks set a critical severity level for rule R1:
    1. On the Rule R1 page, next to Then, click Configure or Edit.
    2. From the Severity list, select critical and click OK.
  8. Activate the policy. The following tasks specify base-policy as the active policy:
    1. On the Idp page, in the Active-policy box, type base-policy.
    2. Click OK.
  9. If you are finished configuring the device, commit the configuration.

CLI Configuration

To define rules for an IPS rulebase:

  1. Create a policy by assigning a meaningful name to it. The following statement specifies base-policy as the policy name:
    user@host# set security idp idp-policy base-policy
  2. Associate a rulebase with the policy. The following statement associates an IPS rulebase with base-policy:
    user@host# set security idp idp-policy base-policy rulebase-ips
  3. Add rules to the rulebase. The following statement adds a rule R1 to the rulebase:
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1
  4. Define the match criteria for the rule. The following statement specifies traffic from the trust zone to the untrust zone as match criteria for rule R1. The default application setting matches any application configured in the attack object.
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust source-address any destination-address any application default
  5. Define an attack as match criteria. The following statement specifies predefined attack group Critical - TELNET as match criteria for rule R1:
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-group "Critical - TELNET"
  6. Specify an action for the rule. The following statement specifies that the connection be dropped for any traffic that matches the criteria defined for rule R1:
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
  7. Specify notification and logging options for the rule. The following statement enables logging for this attack and specifies that an alert flag be added to the attack log:
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
  8. Set the severity level for the rule. The following statement sets a critical severity level for rule R1:
    user@host# set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical
  9. Activate the policy. The following statement specifies base-policy as the active policy:
    user@host# set security idp active-policy base-policy
  10. If you are finished configuring the device, commit the configuration.
  11. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
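The J-Web and CLI procedures above build one rule; on a device that carries many, the useful check after the commit is whether every rule in the active policy actually detects and records something. The following Python script is an added example, not part of this topic or of Juniper's software. It assumes the IDP configuration has been exported as set statements (for example with show configuration security idp | display set), parses the rulebase-ips rules and the active-policy statement, and flags rules that have no attack object, take no action, do not log, or match between any zones. The sample export is constructed here: R1 is the rule defined in this topic, and R2 is a deliberately weak rule added for illustration, with an assumed attack group name.

```python
"""Audit an IDP policy exported from a Junos device as 'set' statements."""
import shlex
from collections import defaultdict

# Constructed sample export (assumed to come from
# 'show configuration security idp | display set'). R1 is the rule built in
# this topic; R2 is a deliberately weak rule added here so the audit has
# something to flag, and its attack group name is illustrative.
SAMPLE_EXPORT = """\
set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust
set security idp idp-policy base-policy rulebase-ips rule R1 match to-zone untrust
set security idp idp-policy base-policy rulebase-ips rule R1 match source-address any
set security idp idp-policy base-policy rulebase-ips rule R1 match destination-address any
set security idp idp-policy base-policy rulebase-ips rule R1 match application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-group "Critical - TELNET"
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical
set security idp idp-policy base-policy rulebase-ips rule R2 match from-zone any
set security idp idp-policy base-policy rulebase-ips rule R2 match to-zone any
set security idp idp-policy base-policy rulebase-ips rule R2 match source-address any
set security idp idp-policy base-policy rulebase-ips rule R2 match destination-address any
set security idp idp-policy base-policy rulebase-ips rule R2 match attacks predefined-attack-group "Critical - HTTP"
set security idp idp-policy base-policy rulebase-ips rule R2 then action no-action
set security idp active-policy base-policy
"""

PREFIX = ["set", "security", "idp"]


def _new_rule():
    # Each rule keeps its 'match' and 'then' statements keyed by the first
    # word after the section name; values are lists because a key such as
    # 'attacks' can appear more than once.
    return {"match": defaultdict(list), "then": defaultdict(list)}


def parse_set_lines(text):
    """Return (policies, active_policy).

    policies[policy][rule] -> {"match": {key: [values]}, "then": {key: [values]}}
    Only 'idp-policy ... rulebase-ips rule ...' and 'active-policy' statements
    are interpreted; other statements under 'security idp' are ignored.
    """
    policies = defaultdict(lambda: defaultdict(_new_rule))
    active = None
    for raw in text.splitlines():
        toks = shlex.split(raw)  # shlex keeps "Critical - TELNET" as one token
        if toks[:3] != PREFIX:
            continue
        rest = toks[3:]
        if rest[:1] == ["active-policy"] and len(rest) == 2:
            active = rest[1]
        elif (len(rest) >= 7 and rest[0] == "idp-policy" and rest[2] == "rulebase-ips"
              and rest[3] == "rule" and rest[5] in ("match", "then")):
            policy, rule, section, key = rest[1], rest[4], rest[5], rest[6]
            policies[policy][rule][section][key].append(" ".join(rest[7:]))
    return policies, active


def audit(policies, active):
    """Return a list of (policy, rule, message) findings; empty means clean."""
    findings = []
    if active is None:
        findings.append(("-", "-", "no active-policy configured"))
    elif active not in policies:
        findings.append((active, "-", "active-policy refers to an undefined idp-policy"))
    for policy, rules in policies.items():
        for rule, parts in rules.items():
            match, then = parts["match"], parts["then"]
            if not match.get("attacks"):
                findings.append((policy, rule, "no attack object or attack group in match"))
            if then.get("action") == ["no-action"]:
                findings.append((policy, rule, "action is no-action: matches are only observed"))
            if not any(v.startswith("log-attacks") for v in then.get("notification", [])):
                findings.append((policy, rule, "matches are not logged (no 'then notification log-attacks')"))
            if match.get("from-zone") == ["any"] and match.get("to-zone") == ["any"]:
                findings.append((policy, rule, "matches traffic between any zones; confirm this breadth is intended"))
    return findings


if __name__ == "__main__":
    for policy, rule, msg in audit(*parse_set_lines(SAMPLE_EXPORT)):
        print(f"{policy}/{rule}: {msg}")
```

Run against the sample, the script reports nothing for R1 and three findings for R2 (no-action, no logging, any-to-any zones). The checks are intentionally conservative: they only flag what is explicitly configured and do not assume what the device substitutes for an omitted statement.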

Related Topics

