Create an IPS Signature
The signature database in Juniper Security Director Cloud contains predefined intrusion prevention system (IPS) signatures.
You can create customized IPS signatures to block newer attacks or unknown attacks from the Create IPS Signature page. You must have the tenant administrator role or a customized role assigned with the appropriate IPS tasks to create customized IPS signatures.
-
When you add multiple members in the Signature and Anomaly fields, a chain-type signature is created.
-
When you add anomaly details in the Anomaly field, an anomaly-type signature is created.
To create a customized IPS signature:
-
Select SRX > Security Subscriptions > IPS > IPS Signatures.
The IPS Signatures page opens.
-
Select Create > IPS Signature.
The Create IPS Signature page opens.
-
Complete the configuration according to the guidelines in Table 1.
Note:
Fields marked with an asterisk (*) are mandatory.
-
Click OK.
The IPS Signatures page opens with a message indicating that the signature is created.
You can use the new IPS signature in an IPS rule or an exempt rule. You can then reference the IPS profile containing the rule in a firewall policy, which you can deploy on a device.
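Before filling in the form, it helps to check a signature definition against the field rules that Table 1 below states (name and category limits, the protocol-number exclusions, the min-max port format, and the requirement for at least one signature attack object or anomaly). The following Python is an added example, not code from Security Director Cloud, and there is no API behind it: the dictionary keys (`name`, `binding`, `port_ranges`, `members`, `anomalies`, and so on) are hypothetical names for the form fields, and the comma separator for several port ranges is an assumption the page does not state.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field rules taken from Table 1 on this page.
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,60}$")              # <= 60 chars, no spaces
CATEGORY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")  # <= 63 chars, starts alphanumeric
IP_PROTOCOL_EXCLUDED = {1, 6, 17}        # ICMP, TCP and UDP have their own bindings
IPV6_NEXT_HEADER_EXCLUDED = {6, 17, 58}  # TCP, UDP and ICMPv6 have their own bindings


def parse_port_ranges(text: str) -> List[Tuple[int, int]]:
    """Parse the Port Range(s) field: a single port, or min-max.

    Assumption: several entries are separated by commas (the page does not say how).
    """
    ranges: List[Tuple[int, int]] = []
    for item in text.split(","):
        item = item.strip()
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", item)
        if not m:
            raise ValueError(f"{item!r} is not a port or a min-max range")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"{item!r} is out of order or outside 0-65535")
        ranges.append((lo, hi))
    return ranges


def _protocol_number(value: object, excluded: set) -> Optional[str]:
    """Return a problem string for a Protocol / Next Header value, or None if valid."""
    text = "" if value is None else str(value)
    if not text.isdigit():
        return "must be a number"
    n = int(text)
    if not 1 <= n <= 139:
        return "must be between 1 and 139"
    if n in excluded:
        return f"{n} has its own binding; use that binding instead"
    return None


def validate_signature(sig: Dict[str, object]) -> List[str]:
    """Return the list of rule violations; an empty list means the form would be accepted."""
    problems: List[str] = []
    if not NAME_RE.match(str(sig.get("name", ""))):
        problems.append("name: up to 60 characters, no spaces, only alphanumerics and : - . _")
    if len(str(sig.get("description", ""))) > 1024:
        problems.append("description: longer than 1024 characters")
    if not CATEGORY_RE.match(str(sig.get("category", ""))):
        problems.append("category: up to 63 characters, starts alphanumeric, only alphanumerics and - _")

    # Each binding requires its own extra field (Table 1, Binding).
    binding = sig.get("binding")
    if binding == "IP":
        err = _protocol_number(sig.get("protocol"), IP_PROTOCOL_EXCLUDED)
        if err:
            problems.append(f"protocol: {err}")
    elif binding == "IPv6":
        err = _protocol_number(sig.get("next_header"), IPV6_NEXT_HEADER_EXCLUDED)
        if err:
            problems.append(f"next_header: {err}")
    elif binding in ("TCP", "UDP"):
        try:
            parse_port_ranges(str(sig.get("port_ranges", "")))
        except ValueError as exc:
            problems.append(f"port_ranges: {exc}")
    elif binding == "RPC":
        if not str(sig.get("program_number", "")).isdigit():
            problems.append("program_number: RPC program number is required")
    elif binding == "Service":
        if not sig.get("service"):
            problems.append("service: a service must be selected")
    elif binding not in ("ICMP", "ICMPv6"):
        problems.append(f"binding: unknown value {binding!r}")

    # Anomalies are only offered with the Service binding (see Add Anomaly).
    if sig.get("anomalies") and binding != "Service":
        problems.append("anomalies: only allowed with the Service binding")
    if not sig.get("members") and not sig.get("anomalies"):
        problems.append("at least one signature attack object or anomaly is required")
    return problems


if __name__ == "__main__":
    # Constructed sample definition of a TCP-bound custom signature.
    sample = {"name": "custom-http-probe", "category": "custom", "binding": "TCP",
              "port_ranges": "80, 8000-8080", "members": ["member-1"]}
    print(validate_signature(sample) or "definition passes the Table 1 rules")
```

The validator mirrors the page's own guidance: each binding requires a different extra field, the protocol-number exclusions are the protocols that have their own bindings, and a signature without at least one member or anomaly is rejected before you reach the form.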
Table 1: Create IPS Signature Settings
Setting / Guideline
Name
Enter a unique name for the IPS signature: a string of up to 60 characters without spaces.
The string can contain alphanumeric characters and the special characters colon, hyphen, period, and underscore.
Description
Enter a description of up to 1024 characters for the IPS signature.
Category
Enter a predefined category or a new category of up to 63 characters without spaces.
The category must begin with an alphanumeric character and can contain hyphens and underscores.
You can use categories to group attack objects. Within each category, you can assign severity levels to the groups of attack objects.
Action
Select the action to take when the monitored traffic matches the attack objects specified in the IPS rule:
-
None—No action is taken. Use this action to only generate logs for some traffic.
-
Close Client & Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.
-
Close Client—Closes the connection and sends an RST packet to the client, but not to the server.
-
Close Server—Closes the connection and sends an RST packet to the server, but not to the client.
-
Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.
-
Drop—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing (for example, TCP).
-
Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents traffic from a legitimate source IP address.
Keyword
Enter unique identifiers that can be used to search and to sort signatures.
The keywords must relate to the attack and the attack object. For example, Amanda Amindexd Remote Overflow.
Severity
Select the severity that the signature reports when the attack is detected:
-
Critical—Attacks that attempt to evade detection, crash a network device, or gain system-level privileges.
-
Major—Attacks that attempt to disrupt a service, gain user-level access to a network device, or activate a Trojan horse previously loaded on a device.
-
Minor—Reconnaissance attempts to reach sensitive information through directory traversal or information leaks.
-
Warning—Attempts to obtain noncritical information or to scan the network with a scanning tool.
-
Info—Normal, harmless traffic such as URLs, DNS lookup failures, SNMP public community strings, and peer-to-peer (P2P) parameters. Use informational signatures to learn about your network.
Signature Details
Binding
Select the protocol or service that the attack uses to enter your network:
-
IP—Matches the attack for a specified protocol type number, which you must enter in the Protocol field.
-
IPv6—Matches the attack for a specified protocol type number for the header following the IPv6 header, which you must enter in the Next Header field.
-
TCP—Matches the attack for the specified TCP ports or port ranges, which you must enter in the Port Range(s) field.
-
UDP—Matches the attack for the specified UDP ports or port ranges, which you must enter in the Port Range(s) field.
-
ICMP—Matches the attack for ICMP packets.
-
ICMPv6—Matches the attack for ICMPv6 packets.
-
RPC—Matches the attack for a specified remote procedure call (RPC) program number, which you must enter in the Program Number field.
-
Service—Matches the attack for a specified service, which you must select from the Service field.
Protocol
For IP binding, enter the transport-layer protocol number (the IPv4 Protocol field) to match with the attack.
The range is 1 through 139, excluding 1 (ICMP), 6 (TCP), and 17 (UDP), which have their own bindings.
Next Header
For IPv6 binding, enter the protocol number of the header that follows the IPv6 header (the IPv6 Next Header field) to match with the attack.
The range is 1 through 139, excluding 6 (TCP), 17 (UDP), and 58 (ICMPv6), which have their own bindings.
Port Range(s)
For the TCP or UDP binding, enter a port number or a port range to match with the attack.
Enter a range as min-max, for example 8000-8080.
Program Number
For RPC binding, enter the RPC program number (ID) to match with the attack.
Service
For service binding, select the service to match with the attack.
Time Count
Enter the number of times an IPS detects the attack within the specified time scope before triggering an event.
Time Scope
Select the scope within which matches are counted toward the time count:
-
Source IP—Counts matches from the same source IP address, regardless of the destination IP address.
-
Dest IP—Counts matches to the same destination IP address, regardless of the source IP address.
-
Peer—Counts matches between the same pair of source and destination IP addresses.
Match Assurance
Select a false-positive filter that classifies the attack object by how often the attack produces a false positive on your network:
-
None—No false-positive filter is applied.
-
High—The attack is tracked as producing false positives frequently.
-
Medium—The attack is tracked as producing false positives occasionally.
-
Low—The attack is tracked as producing false positives rarely.
Performance Impact
Select the performance impact of the attack object. IPS policies can filter on this value, for example to leave out slow-performing attack objects:
-
None—No performance impact class is applied.
-
Low—Low-performance-impact attack objects (impact levels Low1 to Low3), for which application identification is fastest.
-
Medium—Medium-performance-impact attack objects (impact levels Medium4 to Medium6), for which application identification is normal.
-
High—High-performance-impact attack objects (impact levels High7 to High9), for which application identification is slowest.
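How Time Count and Time Scope interact is easiest to see by replaying the same matches under each scope. The following Python is an added example, not code from the page or from Juniper: five constructed signature matches are counted with a Time Count of 3 under the Source IP, Dest IP, and Peer scopes. The sliding-window length (`window_seconds`, 60 seconds here) and the reset of a counter after it fires are assumptions; the page specifies neither.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# A signature match: (timestamp in seconds, source IP, destination IP).
Match = Tuple[float, str, str]


class TimeBinding:
    """Count signature matches per Time Scope and report when Time Count is reached.

    Assumptions not stated on the page: matches are counted in a sliding window
    of `window_seconds`, and a key's counter is cleared after it triggers so the
    next event again needs a full Time Count.
    """

    SCOPES = ("source", "dest", "peer")

    def __init__(self, time_count: int, scope: str, window_seconds: float = 60.0):
        if time_count < 1:
            raise ValueError("time_count must be at least 1")
        if scope not in self.SCOPES:
            raise ValueError(f"scope must be one of {self.SCOPES}")
        self.time_count = time_count
        self.scope = scope
        self.window_seconds = window_seconds
        self._hits: Dict[Tuple[str, ...], Deque[float]] = defaultdict(deque)

    def _key(self, src: str, dst: str) -> Tuple[str, ...]:
        # Source IP: one counter per attacker, whatever the target.
        # Dest IP:   one counter per target, whatever the attacker.
        # Peer:      one counter per (attacker, target) pair.
        if self.scope == "source":
            return (src,)
        if self.scope == "dest":
            return (dst,)
        return (src, dst)

    def observe(self, ts: float, src: str, dst: str) -> bool:
        """Record one match; return True if this match triggers an event."""
        hits = self._hits[self._key(src, dst)]
        hits.append(ts)
        # Forget matches that have fallen out of the window.
        while hits and ts - hits[0] > self.window_seconds:
            hits.popleft()
        if len(hits) >= self.time_count:
            hits.clear()
            return True
        return False


def events_for_scope(matches: List[Match], time_count: int, scope: str,
                     window_seconds: float = 60.0) -> List[Match]:
    """Replay matches in time order and return those that triggered an event."""
    tb = TimeBinding(time_count, scope, window_seconds)
    return [m for m in sorted(matches) if tb.observe(*m)]


# Constructed sample: one host hits two servers, a second host hits one of them,
# and the first host comes back much later, outside the window.
SAMPLE_MATCHES: List[Match] = [
    (0.0, "10.0.0.5", "192.0.2.10"),
    (5.0, "10.0.0.5", "192.0.2.20"),
    (9.0, "10.0.0.5", "192.0.2.10"),
    (12.0, "10.0.0.6", "192.0.2.10"),
    (100.0, "10.0.0.5", "192.0.2.10"),
]

if __name__ == "__main__":
    for scope in TimeBinding.SCOPES:
        print(scope, events_for_scope(SAMPLE_MATCHES, 3, scope))
```

With a Time Count of 3, the Source IP scope fires on the attacker's third match even though it targeted two different servers, the Dest IP scope fires on the third match against 192.0.2.10 even though it came from a different host, and the Peer scope never fires because no single source-destination pair reaches three matches inside the window.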
Add Signature
You can add one or more signature attack objects that use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.
Note: For a customized IPS signature, you must add at least one signature attack object or anomaly.
-
To add a signature attack object:
-
Click the add (+) icon.
The Add Signature page opens.
-
Complete the configuration according to the guidelines in Table 2.
-
Click OK.
The previous page opens and the signature attack object is displayed in the table.
-
-
To modify a signature attack object:
-
Select an attack object and click the edit (pencil) icon.
The Edit Signature page opens.
-
Modify the fields. See Table 2.
-
Click OK.
Your modifications are saved and the previous page opens.
-
-
To delete a signature attack object:
-
Select an attack object and click the delete (trash can) icon.
A popup appears asking you to confirm the delete operation.
-
Click Yes.
The signature attack object is deleted and the previous page opens.
-
Add Anomaly
Select an option to detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used.
Note:
-
The Add Anomaly field is displayed only if you select Service in the Binding field.
-
For a customized IPS signature, you must add at least one signature attack object or anomaly.
You can add, modify, or delete anomaly attack objects:
-
To add an anomaly:
-
Click the add (+) icon.
The Add Anomaly page opens.
-
Complete the configuration according to the guidelines in Table 3.
-
Click OK.
The previous page opens and the anomaly is displayed in the table.
-
-
To modify an anomaly:
-
Select an anomaly, and click the edit (pencil) icon.
The Edit Anomaly page opens.
-
Modify the fields as needed. See Table 3.
-
Click OK.
Your modifications are saved and the previous page opens.
-
-
To delete an anomaly:
-
Select an anomaly and click the delete (trash can) icon.
A popup opens asking you to confirm the delete operation.
-
Click Yes.
The signature anomaly is deleted and the previous page opens.
-
Table 2: Add Signature Settings
Setting / Guideline
Signature No.
Displays the system-generated signature number.
You cannot modify this field.
Context
Select the attack context: the location within a specific application-layer protocol (such as a URL or a header field) where IPS must look for the pattern.
Direction
Select the connection direction of the attack:
-
Any—Detects the attack for traffic in either direction.
-
Client to Server—Detects the attack only in the client to server traffic.
-
Server to Client—Detects the attack only in the server to client traffic.
Pattern
Enter the signature pattern of the attack to detect, in Juniper Networks proprietary regular expression syntax.
An attack pattern can be a segment of code, a URL, or a value in a packet header; the signature pattern is the syntactical expression that represents it.
For example, use \[<character-set>\] for a case-insensitive match.
Regex
Enter a regular expression that defines the rules for matching malicious or unwanted behavior on the network.
For example, the syntax \[hello\] matches the text hello case-insensitively, so hElLo, HEllO, and heLLO all match.
Negated
Select this check box to exclude the specified pattern from being matched.
When you negate a pattern, the attack is considered matched if the traffic does not contain the specified pattern.
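To see what the Pattern, Direction, and Negated settings do together, the following Python is an added example, not code from the page or from Juniper. It translates the one proprietary construct the page documents, \[text\] for a case-insensitive match, into a standard regular expression with an inline (?i:...) group, and then evaluates a signature attack object against a message flowing in a given direction. Two assumptions: the text inside \[ ... \] is treated as literal, and any other part of the pattern is assumed to be ordinary regular-expression syntax and is passed through unchanged.

```python
import re
from typing import List


def juniper_pattern_to_regex(pattern: str) -> str:
    r"""Rewrite \[text\] (case-insensitive match) as an inline (?i:text) group.

    Assumption: text between \[ and \] is literal and is escaped; everything
    else is passed through as ordinary regular-expression syntax.
    """
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith(r"\[", i):
            end = pattern.find(r"\]", i + 2)
            if end == -1:
                raise ValueError(r"unterminated \[ ... \] group")
            out.append("(?i:" + re.escape(pattern[i + 2:end]) + ")")
            i = end + 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


class SignatureMember:
    """One signature attack object as configured on the Add Signature page (Table 2)."""

    DIRECTIONS = ("Any", "Client to Server", "Server to Client")

    def __init__(self, pattern: str, direction: str = "Any", negated: bool = False):
        if direction not in self.DIRECTIONS:
            raise ValueError(f"unknown direction {direction!r}")
        self.pattern = pattern
        self.direction = direction
        self.negated = negated
        self.regex = re.compile(juniper_pattern_to_regex(pattern))

    def matches(self, payload: str, direction: str) -> bool:
        """Evaluate the member against one message flowing in `direction`.

        A member restricted to one direction does not apply to traffic in the
        other direction at all, so it reports no match even when negated.
        """
        if direction not in self.DIRECTIONS[1:]:
            raise ValueError(f"message direction must be client-to-server or server-to-client, not {direction!r}")
        if self.direction != "Any" and self.direction != direction:
            return False
        found = self.regex.search(payload) is not None
        # Negated: the member matches when the pattern is absent from the traffic.
        return (not found) if self.negated else found


if __name__ == "__main__":
    # Constructed sample request lines, as they might appear in an HTTP request context.
    c2s = "Client to Server"
    admin_probe = SignatureMember(r"GET /\[admin\]/", direction=c2s)
    no_user_agent = SignatureMember(r"\[User-Agent\]:", negated=True)
    for line in ("GET /ADMIN/login HTTP/1.1", "GET /static/app.js HTTP/1.1"):
        print(line, "->", admin_probe.matches(line, c2s))
    print("missing UA ->", no_user_agent.matches("GET / HTTP/1.1\r\nHost: x\r\n", c2s))
```

The direction check comes before the pattern check on purpose: a negated member that is limited to client-to-server traffic must not fire on every server response simply because the pattern is absent there.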
Table 3: Add Anomaly Settings
Setting / Guideline
Anomaly No.
Displays the system-generated anomaly number.
You cannot modify this field.
Anomaly
Select the protocol (service) whose anomaly is being defined in the attack.
Direction
Select the connection direction of the attack:
-
Any—Detects the attack for traffic in either direction.
-
Client to Server—Detects the attack only in the client to server traffic.
-
Server to Client—Detects the attack only in server to client traffic.