Configuring Signature-Based Attacks
To configure a custom attack object, you specify a unique name
for it and then specify additional information, which can make it
easier for you to locate and maintain the attack object.
Certain properties in the attack object definitions are common
to all types of attacks, such as attack name, severity level, service
or application binding, time binding, and protocol or port binding.
Some fields are specific to an attack type and are available only
for that specific attack definition.
Signature attack objects use a stateful attack signature (a
pattern that always exists within a specific section of the attack)
to detect known attacks. They also include the protocol or service
used to perpetrate the attack and the context in which the attack
occurs. The following properties are specific to signature attacks,
and you configure them when you define a signature attack: attack
context, attack direction, attack pattern, and protocol-specific parameters
(TCP, UDP, ICMP, or IP header fields).
Before You Begin
- For background information, read:
- Establish basic connectivity. For more information, see the Getting Started Guide for your device.
- Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
When configuring signature-based attacks, keep the following
in mind:
- Attack context and direction are mandatory fields for
the signature attack definition.
- Pattern negation is supported for packet, line, and application-based
contexts only, not for stream and normalized stream contexts.
- When configuring the protocol-specific parameters, you
can specify header fields for only one of the following protocols: IP,
TCP, UDP, or ICMP.
- When configuring a protocol binding, you can specify only
one of the following: IP, ICMP, TCP, UDP, RPC, or applications.
- IP: the protocol number is a mandatory field.
- TCP and UDP: you can specify either a single port
(minimum-port) or a port range (minimum-port and maximum-port). If
you do not specify a port, the default range (0-65535) is used.
- RPC: the program number is a mandatory field.
The configuration instructions in this topic describe how to
create a signature-based attack object. In this example, you create
a signature attack named sig1 and assign it the following
properties:
- Recommended action (drop packet): drop a matching packet before it
can reach its destination, without closing the connection.
- Time binding: specify the scope as source and the count as 10. When the scope is source, all attacks
from the same source are counted, and when the number of attacks reaches
the count specified (10), the attack is logged. In this example,
every tenth attack from the same source is logged.
- Attack context (packet): match the attack pattern within a packet.
- Attack direction (any): detect the attack in both directions,
client-to-server and server-to-client traffic.
- Protocol (IP): match a time-to-live (TTL) value of 128 in the IP header.
- Shellcode (Intel): set the flag to detect shellcode for Intel platforms.
- Protocol binding: specify the TCP protocol and ports 50 through 100.
Once you have configured a signature-based attack object, you
specify the attack as match criteria in an IDP policy rule. For more
information, see Defining Rules for an IPS Rulebase.
You can use either J-Web or the CLI configuration editor to
create a custom attack object.
CLI Configuration
To create a signature-based attack object:
- Specify a name for the attack. The following statement
specifies sig1 as the name of the attack.
- user@host# set security idp custom-attack sig1
- Specify common properties for the attack.
The following statements specify a recommended action to drop packets
and define a time binding with scope source and count 10.
- user@host# set security idp custom-attack sig1 recommended-action drop-packet
- user@host# set security idp custom-attack sig1 time-binding scope source count 10
- Specify the attack type and context.
The following statement specifies the attack type signature and the context packet.
- user@host# set security idp custom-attack sig1 attack-type signature context packet
- Specify the attack direction and the
shellcode flag. The following statements specify the attack direction any and set the shellcode flag to intel.
- user@host# set security idp custom-attack sig1 attack-type signature direction any
- user@host# set security idp custom-attack sig1 attack-type signature shellcode intel
- Set the protocol and its fields. The
following statement specifies the IP protocol and a TTL value of 128.
- user@host# set security idp custom-attack sig1 attack-type signature protocol ip ttl value 128 match equal
- Specify the protocol binding and ports.
The following statement specifies the TCP protocol and the port range
from 50 through 100.
- user@host# set security idp custom-attack sig1 attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
- If you are finished configuring the router,
commit the configuration.
- From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more
information, see the JUNOS Software CLI Reference.
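The constraints listed under "Before You Begin" are easy to violate in a long set of statements and only surface at commit time. The following lint, added here as an example (it is not Juniper code and the SignatureAttack model, its field names and the sig1 sample are constructed for illustration), encodes those constraints and checks the sig1 object built in the procedure above against them:

```python
# Added example (not Juniper's code): a pre-commit lint that encodes the
# constraints this topic lists; the data model and sig1 sample are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NEGATION_CONTEXTS = {"packet", "line", "application"}  # negation allowed only here

@dataclass
class SignatureAttack:
    name: str
    context: Optional[str] = None
    direction: Optional[str] = None
    negate_pattern: bool = False
    protocol_fields: Dict[str, dict] = field(default_factory=dict)   # {"ip": {"ttl": 128}}
    protocol_binding: Dict[str, dict] = field(default_factory=dict)  # {"tcp": {"minimum-port": 50}}

def effective_port_range(opts: dict) -> tuple:
    # No port -> 0-65535; minimum-port alone -> a single port; otherwise min-max.
    if "minimum-port" not in opts:
        return (0, 65535)
    return (opts["minimum-port"], opts.get("maximum-port", opts["minimum-port"]))

def lint(a: SignatureAttack) -> List[str]:
    # Returns every violated constraint; an empty list means the object is consistent.
    errors = []
    for fld in ("context", "direction"):
        if not getattr(a, fld):
            errors.append(f"{fld} is mandatory")
    if a.negate_pattern and a.context not in NEGATION_CONTEXTS:
        errors.append(f"pattern negation not supported for context {a.context!r}")
    if len(a.protocol_fields) > 1:
        errors.append("header fields may be set for only one protocol (ip, tcp, udp or icmp)")
    if len(a.protocol_binding) > 1:
        errors.append("only one protocol binding may be specified")
    for proto, opts in a.protocol_binding.items():
        if proto == "ip" and "protocol-number" not in opts:
            errors.append("ip binding requires a protocol number")
        elif proto == "rpc" and "program-number" not in opts:
            errors.append("rpc binding requires a program number")
        elif proto in ("tcp", "udp"):
            lo, hi = effective_port_range(opts)
            if not 0 <= lo <= hi <= 65535:
                errors.append(f"{proto} port range {lo}-{hi} is out of order or exceeds 65535")
    return errors

# The sig1 object from this topic, expressed in the constructed model; lint(SIG1) == [].
SIG1 = SignatureAttack("sig1", context="packet", direction="any",
                       protocol_fields={"ip": {"ttl": 128}},
                       protocol_binding={"tcp": {"minimum-port": 50, "maximum-port": 100}})
```

Run lint() over each attack object before pushing the set statements; a non-empty list names the constraint that would otherwise be caught only at commit.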