Understanding IDP Signature Database for Migration
The signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules.
Understanding the IPS Signature Database
The signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Networks website. You can download this file to protect your network from new threats.
IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates. Custom attacks and custom attack groups in IDP policies can also be configured and installed even when a valid license and signature database are not installed on the device.
The IPS signature database is stored on the IPS-enabled device and contains definitions of predefined attack objects and groups. These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. The IPS signature database includes more than 5000 signatures and more than 1200 protocol anomalies.
IPS updates and application signature package updates are a separately licensed subscription service. You must install the IPS signature-database-license key on your device for downloading and installing daily signature database updates from the Juniper Networks website. The IPS signature license key does not provide grace period support.
If you require both AppSecure and IPS features, you must install the application signature license in addition to the IPS signature-database-update license key.
The signature database comprises the following components:
Detector engine—The IDP detector engine is a dynamic protocol decoder that includes support for decoding more than 60 protocols and more than 500 service contexts. You can download the protocol detector engine updates along with the signature database updates.
Attack database—The attack signature database stores data definitions for attack objects and attack object groups. Attack objects comprise stateful signatures and traffic anomalies. You specify attack objects in IDP rulebase rules. New attacks are discovered daily, so it is important to keep your signature database up to date. You can download the attack database updates from the Juniper Networks website.
Application signature database—The application signature database stores data definitions for application objects. Application objects are patterns that are used to identify applications that are running on standard or nonstandard ports.
We recommend using the latest version of the signature database to ensure an up-to-date attack database.
Managing the IPS Signature Database (CLI)
This example shows how to install and schedule the signature database updates using the CLI.
- Requirements
- Overview
- Configuration
- Downloading and Installing the IPS Signature Package from an Older Junos OS Release Version to Newer Junos OS Release Version
- Verification
Requirements
Before you install the signature database updates, ensure that you have installed an IPS license key.
Overview
IPS signature database management comprises the following tasks:
Update the signature database—Download the attack database updates available on the Juniper Networks website. New attacks are discovered daily, so it is important to keep your signature database up to date.
Verify the signature database version—Each signature database has a different version number with the latest database having the highest number. You can use the CLI to display the signature database version.
Update the protocol detector engine—You can download the protocol detector engine updates along with the signature database. The IPS protocol detector contains Application Layer protocol decoders. The detector is coupled with the IDP policy and is updated together. It is always needed at policy update time, even if there is no change in the detector.
Schedule signature database updates—You can configure the IPS-enabled device to automatically update the signature database after a set interval.
Configuration
- Downloading and Installing the IPS Signature Package
- Verifying the Signature Database Version
- Scheduling the Signature Database Updates
Downloading and Installing the IPS Signature Package
Step-by-Step Procedure
New attacks are discovered daily, so it is important to keep your signature database up to date. In this example, you download and then install the latest signature package from the signature database server:
Download the attack database updates available on the Juniper Networks website:
user@host> request security idp security-package download
By default, when you download the security package, you download the following components into a Staging folder on your device: the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only updates to the attack objects table. However, you can download the complete attack objects table by using the full-update option.
Check the security package download status:
user@host> request security idp security-package download status
On a successful download, the following message is displayed:
Done;Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi). Version info:1884(Thu Mar 17 12:06:35 2011, Detector=11.4.140110223)
After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device. Install the security package:
user@host> request security idp security-package install
Check the status of the install:
user@host> request security idp security-package install status
On a successful install, the following message is displayed:
Done;Attack DB update: successful - [UpdateNumber=1884,ExportDate=Thu Mar 17 12:06:35 2011,Detector=11.4.140110223]
Updating control-plane with new detector: successful
Updating data-plane with new attack or detector: successful
Verifying the Signature Database Version
Step-by-Step Procedure
Each signature database has a different version number with the latest database having the highest number.
Use the CLI to verify the signature database version installed:
user@host> show security idp security-package-version
The following sample output shows the version number for the signature package:
user@host> show security idp security-package-version
Attack database version:1883(Wed Mar 16 12:10:26 2011)
Detector version :12.6.140121210
Policy template version :N/A
Scheduling the Signature Database Updates
Step-by-Step Procedure
You can configure an IPS-enabled device to automatically update the signature database after a set interval. After the initial manual setup, we recommend that you schedule the signature updates so you always have protection against new vulnerabilities.
To schedule the signature package download, from configuration mode, specify the start time and the interval for the download:
[edit] user@host# set security idp security-package automatic interval <hours> start-time <YYYY-MM-DD.HH:MM:SS>
For example, to schedule the signature download every 72 hours, use the following configuration:
[edit] user@host# set security idp security-package automatic interval 72 start-time
Downloading and Installing the IPS Signature Package from an Older Junos OS Release Version to Newer Junos OS Release Version
Procedure
Step-by-Step Procedure
Starting with Junos OS Release 17.3, when you upgrade from Junos OS Release 12.3X48 or 15.1X49 to Junos OS Release 17.3 or downgrade from Junos OS Release 17.3 to Junos OS Release 12.3X48 or 15.1X49, you must update the IPS signature package by downloading and installing the IPS signature package update.
We recommend performing the full IPS signature package update because, if the last signature package downloaded before the upgrade or downgrade was an incremental (or decremental) update, reinstalling that package without downloading it again installs only the incremental attacks from the last download and none of the attacks from the baseline release. To avoid IDP commit failures after the upgrade or downgrade, update the IPS signature package.
The following procedure shows how to download and install an IPS signature package and update the package from an older Junos OS release version to a newer Junos OS release version:
Perform a full update of the security package version.
user@host> request security idp security-package download full-update
By default, when you download the security package, you download the following components into a Staging folder in your device—the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only updates to the attack objects table.
Check the security package download status.
user@host> request security idp security-package download status
On a successful download, the following message is displayed:
user@host# run request security idp security-package download status
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:2762(Tue Jul 26 22:26:57 2016 UTC, Detector=12.6.130160603)
Install the security package to update the security database with the newly downloaded updates from the Staging folder in your device.
user@host> request security idp security-package install
Check the status of the install.
user@host> request security idp security-package install status
On a successful install, the following message is displayed:
user@host# run request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2771,ExportDate=Tue Aug 23 21:57:18 2016 UTC,Detector=12.6.130160603]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : successful
Note: When you upgrade from Junos OS Release 15.1X49 to Junos OS Release 17.3, the following warning message is displayed:
WARNING: A full install of the security package is required after reboot.
WARNING: Please perform a full update of the security package using
WARNING: "request security idp security-package download full-update"
WARNING: followed by
WARNING: "request security idp security-package install"
Managing the IPS Signature Database (Security Director)
This example shows how to install and schedule the signature database updates using Junos Space Security Director.
Requirements
This example uses the following hardware and software components:
SRX Series Firewall
Before you install the signature database updates, ensure that you have:
Installed an IPS license key
Overview
The IPS signature database can be updated using either the CLI or Junos Space Security Director. SRX Series Firewalls can be fully managed from the CLI; however, for large deployment scenarios that use multiple SRX Series Firewalls, it is easier to manage the security package using a management platform.
Configuration
- Downloading and Installing the IPS Signature Package
- Verifying the Signature Database Version
- Scheduling the Signature Database Updates
Downloading and Installing the IPS Signature Package
Step-by-Step Procedure
In this example, you download and then install the latest signature package from the signature database server:
Navigate to Security Director->Downloads->Signature Database.
Choose the signature package listed as the latest and select Action>Download to download the signature package to Security Director.
user@host> request security idp security-package download
By default, when you download the security package, you download the following components into a Staging folder on your device: the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only updates to the attack objects table. However, you can download the complete attack objects table by using the full-update option.
Check the security package download status:
user@host> request security idp security-package download status
On a successful download, the following message is displayed:
Done;Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi). Version info:1884(Thu Mar 17 12:06:35 2011, Detector=11.4.140110223)
After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device. Install the security package:
user@host> request security idp security-package install
Check the status of the install:
user@host> request security idp security-package install status
On a successful install, the following message is displayed:
Done;Attack DB update: successful - [UpdateNumber=1884,ExportDate=Thu Mar 17 12:06:35 2011,Detector=11.4.140110223]
Updating control-plane with new detector: successful
Updating data-plane with new attack or detector: successful
Verifying the Signature Database Version
Step-by-Step Procedure
Each signature database has a different version number with the latest database having the highest number.
Use the CLI to verify the signature database version installed:
user@host> show security idp security-package-version
The following sample output shows the version number for the signature package:
user@host> show security idp security-package-version
Attack database version:1883(Wed Mar 16 12:10:26 2011)
Detector version :12.6.140121210
Policy template version :N/A
Scheduling the Signature Database Updates
Step-by-Step Procedure
You can configure an IPS-enabled device to automatically update the signature database after a set interval. After the initial manual setup, we recommend that you schedule the signature updates so you always have protection against new vulnerabilities.
To schedule the signature package download, from configuration mode, specify the start time and the interval for the download:
[edit] user@host# set security idp security-package automatic interval <hours> start-time <YYYY-MM-DD.HH:MM:SS>
For example, to schedule the signature download every 72 hours, use the following configuration:
[edit] user@host# set security idp security-package automatic interval 72 start-time
Example: Updating the IPS Signature Database Manually
This example shows how to update the IPS signature database manually.
Requirements
Before you begin, configure network interfaces.
Overview
Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.
In this example, you download the security package with the complete table of attack objects and attack object groups. Once the installation is completed, the attack objects and attack object groups are available in the CLI under the predefined-attack-groups and predefined-attacks configuration statements at the [edit security idp idp-policy] hierarchy level. You create a policy and specify the new policy as the active policy. You then download only the updates that Juniper Networks has recently uploaded and update the attack database, the running policy, and the IPS protocol detector with these new updates.
Configuration
Procedure
CLI Quick Configuration
CLI quick configuration is not available for this example, because manual intervention is required during the configuration.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To manually download and update the signature database:
Specify the URL for the security package.
[edit] user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
Note: By default, the URL is https://signatures.juniper.net/cgi-bin/index.cgi.
Commit the configuration.
[edit] user@host# commit
Switch to operational mode.
[edit] user@host# exit
Download the security package.
user@host> request security idp security-package download full-update
Check the security package download status.
user@host> request security idp security-package download status
Update the attack database using the install command.
user@host> request security idp security-package install
Check the attack database update status using the following command. The command output displays information about the downloaded and installed attack database versions.
user@host> request security idp security-package install status
Switch to configuration mode.
user@host> configure
Create an IDP policy.
[edit] user@host# edit security idp idp-policy policy1
Associate attack objects or attack object groups with the policy.
[edit security idp idp-policy policy1] user@host# set rulebase-ips rule rule1 match attacks predefined-attack-groups "Response_Critical"
Set the action.
[edit security idp idp-policy policy1] user@host# set rulebase-ips rule rule1 then action no-action
Activate the policy.
[edit] user@host# set security idp active-policy policy1
Commit the configuration.
[edit] user@host# commit
For subsequent updates, download only the updates that Juniper Networks has uploaded since your last download.
user@host> request security idp security-package download
Check the security package download status.
user@host> request security idp security-package download status
Update the attack database, the active policy, and the detector with the new changes.
user@host> request security idp security-package install
Check the status of the attack database, the active policy, and the detector.
user@host> request security idp security-package install status
Note: It is possible that an attack has been removed from the new version of an attack database. If this attack is used in an existing policy on your device, the installation of the new database will fail. An installation status message identifies the attack that is no longer valid. To update the database successfully, remove all references to the deleted attack from your existing policies and groups, and rerun the install command.
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit] user@host# show security idp
idp-policy policy1 {
    rulebase-ips {
        rule rule1 {
            match {
                attacks {
                    predefined-attack-groups Response_Critical;
                }
            }
            then {
                action {
                    no-action;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Example: Downloading and Installing the IPS Signature Package in Chassis Cluster Mode
This example shows how to download and install the IPS signature database to a device operating in chassis cluster mode.
Requirements
Before you begin, set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster.
Overview
The security package for intrusion detection and prevention (IDP) contains a database of predefined IDP attack objects and IDP attack object groups that you can use in IDP policies to match traffic against known and unknown attacks. Juniper Networks regularly updates the predefined attack objects and groups with newly discovered attack patterns.
To update the signature database, you must download a security package from the Juniper Networks website. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.
On branch SRX Series Firewalls, if your device memory utilization is high on the control plane, loading a large IDP policy might cause the device to run out of memory. This can trigger a system reboot during the IPS security package update.
When you download the IPS security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node. This synchronization helps maintain the same version of the security package on both the primary node and the secondary node.
Downloading and Installing the IPS Signature Database
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
Specify the URL for the security package.
[edit] user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
Switch to operational mode.
[edit] user@host# exit
Download the IPS security package to the primary node (the package is downloaded to the /var/db/idpd/sec-download folder).
{primary:node0}[edit] user@host> request security idp security-package download
The following message is displayed:
node0:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI
Check the security package download status.
{primary:node0}[edit] user@host> request security idp security-package download status
On a successful download, the following message is displayed.
node0:
--------------------------------------------------------------------------
Done;Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi) and synchronized to backup. Version info:1871(Mon Mar 7 09:05:30 2011, Detector=11.4.140110223)
Update the attack database using the install command.
{primary:node0}[edit] user@host> request security idp security-package install
Check the attack database update status. The command output displays information about the downloaded and installed versions of the attack database.
{primary:node0}[edit] user@host> request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2011,ExportDate=Mon Oct 17 15:13:06 2011,Detector=11.6.140110920]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2011,ExportDate=Mon Oct 17 15:13:06 2011,Detector=11.6.140110920]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
Note: You must download the IPS signature package to the primary node. This way, the security package is synchronized on the secondary node. Attempts to download the signature package to the secondary node will fail.
If you have configured a scheduled download for the security packages, the signature package files are automatically synchronized from the primary node to the backup node.
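The version and install-status strings shown in this document are what an operator polls to confirm that the attack database is current, that the install reached the data plane, and that both cluster nodes carry the same UpdateNumber. The following added example (not Juniper code) parses those formats into the checks a monitoring job would raise; the sample strings are constructed from the outputs shown on this page, and the seven-day staleness threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of "show security idp security-package-version" output (format as on this page).
VERSION_OUTPUT = """\
Attack database version:1883(Wed Mar 16 12:10:26 2011)
Detector version :12.6.140121210
Policy template version :N/A
"""

# Constructed sample of chassis cluster "security-package install status" output (node0/node1 format as above).
CLUSTER_INSTALL_STATUS = """\
node0:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2011,ExportDate=Mon Oct 17 15:13:06 2011,Detector=11.6.140110920]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2011,ExportDate=Mon Oct 17 15:13:06 2011,Detector=11.6.140110920]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
"""

VERSION_RE = re.compile(r"Attack database version:(\d+)\((.*?)\)")
DETECTOR_RE = re.compile(r"Detector(?: version\s*:\s*|=)([\d.]+)")
UPDATE_RE = re.compile(r"UpdateNumber=(\d+),ExportDate=(.*?),Detector=")
NODE_RE = re.compile(r"^(node\d+):\s*$", re.M)
DATAPLANE_RE = re.compile(r"Updating data-plane with new attack or detector\s*:\s*(.*)")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ExportDate form; a trailing " UTC" is stripped before parsing

def parse_version(text):
    """Return (attack_db_version, export_datetime, detector_version) from version output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no attack database version found in output")
    exported = datetime.strptime(m.group(2).replace(" UTC", "").strip(), DATE_FMT)
    det = DETECTOR_RE.search(text)
    return int(m.group(1)), exported, det.group(1) if det else None

def database_is_stale(text, now=None, max_age_days=7):
    """True if the installed attack database is older than max_age_days (threshold is an assumption)."""
    now = now or datetime.now()
    return now - parse_version(text)[1] > timedelta(days=max_age_days)

def parse_install_status(text):
    """Extract per-node install results; standalone output (no node headers) is keyed 'local'."""
    parts = NODE_RE.split(text)  # ['', 'node0', body0, 'node1', body1, ...]
    if len(parts) == 1:
        parts = ["", "local", text]
    nodes = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        upd, det, dp = UPDATE_RE.search(body), DETECTOR_RE.search(body), DATAPLANE_RE.search(body)
        nodes[name] = {
            "update": int(upd.group(1)) if upd else None,
            "detector": det.group(1) if det else None,
            "attack_db_ok": re.search(r"Attack DB update\s*:\s*successful", body) is not None,
            "data_plane": dp.group(1).strip() if dp else None,
        }
    return nodes

def install_issues(nodes):
    """Findings to act on: failed DB update, nodes out of sync, data plane still on the old attacks."""
    issues = []
    if len({n["update"] for n in nodes.values()}) != 1:
        issues.append("nodes report different UpdateNumber values")
    for name, n in sorted(nodes.items()):
        if not n["attack_db_ok"]:
            issues.append("%s: attack DB update failed" % name)
        if n["data_plane"] and not n["data_plane"].startswith("successful"):
            issues.append("%s: data plane not updated (%s)" % (name, n["data_plane"]))
    return issues
```

Feed the functions the live output of the corresponding commands; the cluster sample above deliberately reproduces the "not performed due to no existing running policy found" case, which the checker reports for both nodes.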