Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

About the IPS Signatures Page

You are here: Security Services > IPS > Signatures.

The intrusion prevention system (IPS) compares traffic against signatures of known threats and blocks traffic when a threat is detected. Network intrusions are attacks on, or other misuses of, network resources. To detect such activity, IPS uses signatures. A signature specifies the types of network intrusions that the device should detect and report. Whenever a traffic pattern matches a signature, IPS triggers the alarm and blocks the traffic from reaching its destination. One of the key components of IPS is the signature database. It contains definitions of different objects that is used in defining IPS policy rules, such as attack objects, application signature objects, and service objects.

You can group the attack objects to keep IPS policies organized and manageable. An attack object group can contain one or more types of attack objects. Junos OS supports the following three types of attack groups:

  • IPS signature—Contains objects present in the signature database.

  • Dynamic group—Contains attack objects that meets the specified matching criteria. During a signature update, dynamic group membership is automatically updated based on the matching criteria for that group. For example, you can dynamically group the attacks that are related to a specific application using dynamic attack group filters.

  • Static group—Contains a list of attacks that are specified in the attack definition.

Tasks You Can Perform

You can perform the following tasks from this page:

  • Associate IPS signatures to IPS policies. To do this, click IPS Policies link available below the IPS Signatures page title to directly navigate to the IPS Policies page. Then, click Add rules to assign the IPS signature to a specific policy. For more information, see Add Rules to an IPS Policy.

  • View the list of IPS signature predefined attacks or attack groups. To do this, click the PREDEFINED tab and select Predefined Attacks or Predefined Attack Group from the View by list.
  • View the details of a predefined IPS signature. To do this, select an existing IPS signature on the PREDEFINED tab and follow the available options:

    • Click More and select Detailed View.

    • Right-click on the selected IPS signature and select Detailed View.

    • Hover over to the left of the selected IPS signature name and click the Detailed View icon.

  • View the custom signatures of custom attacks, static groups, or dynamic groups. To do this, click the CUSTOM tab and select Custom Attacks, Static Groups, or Dynamic Groups from the View by list.
  • Import snort rules to convert them as custom attacks. See Import Snort Rules.

  • Create IPS signature custom attacks. See Create a Custom IPS Signature.

  • Create IPS signature static groups. See Create IPS Signature Static Groups.

  • Create IPS signature dynamic groups. See Create IPS Signature Dynamic Group.

  • View the details of an IPS signature for custom attacks, static groups, and dynamic groups. To do this, select an existing IPS signature, static group, or dynamic group on the CUSTOM tab and follow the available options:

    • Click More and select Detailed View.

    • Right-click on the selected IPS signature and select Detailed View.

    • Hover over to the left of the selected IPS signature and click Detailed View.

  • Clone an IPS signature. See Clone an IPS Signature.

  • Edit an IPS signature. See Edit an IPS Signature.

  • Delete an IPS signature. See Delete an IPS Signature.

  • Show or hide columns in the Predefined table. To do this, click the Show Hide Columns icon in the top right corner of the Predefined table. Then, select the options you want to view or clear the options you want to hide on the page.

  • Advanced search for predefined or custom IPS signatures. To do this, use the search text box present above the table grid. The search includes the logical operators as part of the filter string. In the search text box, when you hover over the icon, it displays an example filter condition. When you start entering the search string, the icon indicates whether the filter string is valid or not.

    For an advanced search:

    1. Enter the search string in the text box.

      Based on your input, a list of items from the filter context menu appears.

    2. Select a value from the list and then select a valid operator based on which you want to perform the advanced search operation.

      Note:

      Press spacebar to add an AND operator or OR operator to the search string. Predefined signatures support only the AND operator. Press backspace at any time when typing a search criteria to delete only one character.

    3. Press Enter to display the search results in the grid.

Field Descriptions

Table 1 and Table 2 describes the fields on the IPS Signatures page.

Table 1: Fields on the PREDEFINED Tab

Field

Description

Name

Displays the name of the predefined IPS signature.

Category

Displays the category of the attack object.

Severity

Displays the severity level of the attack that the signature will report.

Attack Type

Displays if the type of attack object is signature, anomaly, or chain.

Note:

This field is applicable only for predefined attacks.

Type Attack

Displays if the attack type is static or dynamic group.

Note:

This field is applicable only for predefined attack groups.

Recommended

Indicates whether the attack objects are recommended by Juniper (True) or not (False).

Recommended Action

Displays the action or actions taken when the monitored traffic matches the attack objects specified in the IPS rules.

False Positive

Displays the frequency or frequencies with which the attack produces a false positive on your network.

Performance

Displays the IPS signature performance impact filter or filters.

Direction

Displays the traffic direction or traffic directions for which the attack is detected. For example, client to server.

Service

Displays the protocol, service, or list of both protocol and services that the attack uses to enter your network.

Table 2: Fields on the Custom Tab

Field

Description

View by: Custom Attacks

Name

Displays the name of the custom attack IPS signature.

Severity

Displays the severity level of the attack that the signature will report.

Attack Type

Displays if the type of attack object is signature, anomaly, or chain.

Recommended Action

Displays the action taken when the monitored traffic matches the attack objects specified in the IPS rules.

View by: Static Groups

Name

Displays the name of the static group IPS signature.

Group Members

Displays the IPS signatures or IPS signature dynamic groups that are part of the IPS static group.

View by: Dynamic Groups

Name

Displays the name of the dynamic group IPS signature.

Attack Prefix

Displays the value or values for attack name prefix match.

Severity

Displays the severity level or severity levels of the attack that the signature will report.

Attack Type

Displays if the type of attack object is signature, anomaly, or chain.

Category

Displays the category or categories of the attack object.

Direction

Displays the traffic direction or traffic directions for which the attack is detected. For example, client to server.

Attack Excluded

Displays the excluded attack or attacks that are part of the database updates.

File Type

Displays the attack file type or file types that are used as a dynamic group filter.

False Positive

Displays the frequency or frequencies with which the attack produces a false positive on your network.

Recommended

Indicates whether the attack objects are recommended by Juniper (True) or not (False).

Service

Displays the protocol, service, or list of protocols and services that the attack uses to enter your network.

Vendor

Displays the vendor or product that the attack belongs to.

Vulnerability Type

Displays the attack vulnerability type or vulnerability types that are used as a dynamic group filter.

Performance

Performance impact filter or filters used for the dynamic group.

CVSS Score

Displays the Common Vulnerability Scoring System (CVSS) score or scores that is used as a dynamic group filter.

Age of attack

Displays the age of the attack (in years) that is used as a dynamic group filter.