IDP policies are collections of rules and rulebases. A rulebase is an ordered set of rules that use a specific detection method to identify and prevent attacks.
Rules are instructions that provide context to detection mechanisms by specifying which part of the network traffic the IDP system should look in to find attacks. When a rule is matched, it means that an attack has been detected in the network traffic, triggering the action for that rule. The IDP system performs the specified action and protects your network from that attack.
Each rulebase can have multiple rules—you determine the sequence in which rules are applied to network traffic by placing them in the desired order. Each rulebase in the IDP system uses specific detection methods to identify and prevent attacks. JUNOS Software supports two types of rulebases—intrusion prevention system (IPS) rulebase and exempt rulebase.
The application-level DDoS rulebase defines parameters used to protect servers, such as DNS or HTTP servers, from application-level distributed denial-of-service (AppDDoS) attacks. You can set up custom application metrics based on normal server request activity to determine when a client should be considered an attack client. The AppDDoS rulebase then defines the source match condition for the traffic to be monitored and applies the configured action: close server, drop connection, drop packet, or no action. It can also perform an IP action: ip-block, ip-close, ip-notify, or timeout. Table 73 summarizes the options that you can configure in the AppDDoS rulebase rules.
Table 73: AppDDoS Rulebase Components
The IPS rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies. Table 74 summarizes the options that you can configure in the IPS-rulebase rules.
Table 74: IPS Rulebase Components
| Term | Definition |
|---|---|
| Match condition | Specify the type of network traffic you want the device to monitor for attacks. For more information about match conditions, see Understanding IDP Rule Match Conditions. |
| Attack objects/groups | Specify the attacks you want the device to match in the monitored network traffic. Each attack is defined as an attack object, which represents a known pattern of attack. For more information about attack objects, see Understanding IDP Rule Objects. |
| Terminal flag | Specify a terminal rule. The device stops matching rules for a session when a terminal rule is matched. For more information about terminal rules, see Understanding IDP Terminal Rules. |
| Action | Specify the action you want the system to take when the monitored traffic matches the attack objects specified in the rules. If an attack triggers multiple rule actions, then the most severe action among those rules is executed. For more information about actions, see Understanding IDP Rule Actions. |
| IP Action | Enables you to protect the network from future intrusions while permitting legitimate traffic. You can configure one of the following IP action options in the IPS rulebase: notify, drop, or close. For more information about IP actions, see Understanding IDP Rule IP Actions. |
| Notification | Defines how information is to be logged when an action is performed. You can choose to log an attack, create log records with the attack information, and send the information to the log server. For more information, see Understanding IDP Rule Notifications. |
The exempt rulebase works in conjunction with the IPS rulebase to prevent unnecessary alarms from being generated. You configure rules in this rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IPS rule. If traffic matches a rule in the IPS rulebase, the system attempts to match the traffic against the exempt rulebase before performing the action specified. Carefully written rules in an exempt rulebase can significantly reduce the number of false positives generated by an IPS rulebase.
Note: Make sure to configure the IPS rulebase before configuring the exempt rulebase.
Table 75 summarizes the options that you can configure in the exempt-rulebase rules.
Table 75: Exempt Rulebase Options
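The following is an added example, not configuration from the original page, showing how the IPS rulebase components in Table 74 and an exempt rule of the kind described above fit together in Junos set-format configuration. The policy name `example-policy`, the rule names `ips-http` and `exempt-scanner`, the zones `untrust` and `dmz`, the address-book entry `scanner-host` with the documentation address 203.0.113.10, and the security-policy name `allow-http` are all placeholders chosen for this example; the predefined attack group "HTTP - Critical" is assumed to be present in the attack database installed on the device.

```junos
set security zones security-zone untrust address-book address scanner-host 203.0.113.10/32
set security idp idp-policy example-policy rulebase-ips rule ips-http match from-zone untrust to-zone dmz
set security idp idp-policy example-policy rulebase-ips rule ips-http match source-address any destination-address any
set security idp idp-policy example-policy rulebase-ips rule ips-http match application junos-http
set security idp idp-policy example-policy rulebase-ips rule ips-http match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy example-policy rulebase-ips rule ips-http then action drop-connection
set security idp idp-policy example-policy rulebase-ips rule ips-http then ip-action ip-close
set security idp idp-policy example-policy rulebase-ips rule ips-http then ip-action target source-address
set security idp idp-policy example-policy rulebase-ips rule ips-http then ip-action timeout 300
set security idp idp-policy example-policy rulebase-ips rule ips-http then ip-action log
set security idp idp-policy example-policy rulebase-ips rule ips-http then notification log-attacks
set security idp idp-policy example-policy rulebase-ips rule ips-http terminal
set security idp idp-policy example-policy rulebase-exempt rule exempt-scanner match from-zone untrust to-zone dmz
set security idp idp-policy example-policy rulebase-exempt rule exempt-scanner match source-address scanner-host
set security idp idp-policy example-policy rulebase-exempt rule exempt-scanner match destination-address any
set security idp idp-policy example-policy rulebase-exempt rule exempt-scanner match attacks predefined-attack-groups "HTTP - Critical"
set security idp active-policy example-policy
set security policies from-zone untrust to-zone dmz policy allow-http match source-address any destination-address any application junos-http
set security policies from-zone untrust to-zone dmz policy allow-http then permit application-services idp
```

Reading the block against Table 74: the `match` lines are the match condition, `attacks predefined-attack-groups` selects the attack objects, `then action drop-connection` is the rule action, the `ip-action` lines implement the close IP action (the table's notify, drop and close options are configured as `ip-notify`, `ip-block` and `ip-close` respectively) applied to the offending source address for 300 seconds, `notification log-attacks` is the notification setting, and `terminal` sets the terminal flag so later IPS rules are not evaluated for a session once this rule matches. The exempt rule suppresses matches of the same attack group for one known source so that, as the text above describes, a known false positive does not trigger the IPS action. The last two lines activate the policy and hand traffic permitted by the security policy to IDP; without `application-services idp` on the security policy, no traffic reaches either rulebase.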