Create an IPS Signature Dynamic Group
The signature database in Juniper Security Director Cloud contains predefined intrusion prevention system (IPS) signature dynamic groups.
You can create customized IPS signature dynamic groups based on specific filter criteria from the Create IPS Signature Dynamic Group page. You must have the tenant administrator role or a custom role with the appropriate IPS tasks to create customized IPS signature dynamic groups.
The specified filter criteria are matched only to predefined or customized IPS signatures, and not to IPS static groups and dynamic groups. When a new signature database is used, the dynamic group membership is automatically updated based on the filter criteria for the group.
To create a customized IPS signature dynamic group:
- Select SRX > Security Subscriptions > IPS > IPS Signatures.
The IPS Signatures page opens.
- Select Create > Dynamic Group.
The Create IPS Signature Dynamic Group page opens.
- Complete the configuration according to the guidelines in Table 1.
- (Optional) Click Preview Filtered Signatures to check whether the signatures that match the dynamic group are consistent with the specified filter criteria.
The IPS Signatures page opens displaying the list of IPS signatures matching the filters.
If the signatures do not match, you can tweak the filter criteria. Click Close to go back to the previous page.
- Click OK.
The IPS Signatures page opens with a message indicating that the dynamic group was successfully created.
You can use the new IPS signature dynamic group in an IPS rule or an exempt rule. You can then reference the IPS profile containing the rule in a firewall policy, which you can deploy on the device.
Table 1: Create IPS Signature Dynamic Group Settings
Setting
Guideline
Name
Enter a unique name for the IPS signature dynamic group. The name is a string of up to 255 characters, without spaces.
The string can contain alphanumeric characters and special characters, such as colons, hyphens, periods, and underscores.
Filter Criteria
Select one or more filters to define the attributes of IPS signatures that will be added to the new IPS signature dynamic group.
Filters apply to existing signatures (already downloaded in the application) and to new signatures when the signatures are downloaded.
IPS signatures that match any of the configured filters are included as part of the signature group.
Severity
Info
Enable this option to include IPS signatures with the Info severity level.
Warning
Enable this option to include IPS signatures with the Warning severity level.
Minor
Enable this option to include IPS signatures with the Minor severity level.
Major
Enable this option to include IPS signatures with the Major severity level.
Critical
Enable this option to include IPS signatures with the Critical severity level.
Service
Service
Select the services to filter IPS signatures that must be included as part of the dynamic group.
Select one or more services listed in the Available column, and click the forward arrow to confirm your selection. The selected services are displayed in the Selected column.
Category
Category
Select the categories to filter IPS signatures that must be included as part of the dynamic group.
Select one or more categories listed in the Available column, and click the forward arrow to confirm your selection. The selected categories are displayed in the Selected column.
Recommended
Recommended
This filter is based on attack objects that are recommended by Juniper Networks. Select one of the following:
- None: Do not use this filter.
- Yes: Add predefined attacks recommended by Juniper Networks to the dynamic group.
- No: Add predefined attacks that are not recommended by Juniper Networks to the dynamic group.
Direction
Add IPS signatures to the dynamic group based on the traffic direction of the attacks.
If you select more than one traffic direction (Any, Client-to-Server, and Server-to-Client), you must select a value in the Expression field.
Any
Select one of the following:
- None (default): Do not use this filter.
- Yes: Include IPS signatures that track traffic from client to server or server to client.
- No: Do not include IPS signatures that track traffic from client to server or server to client.
Client-to-Server
Select one of the following:
- None (default): Do not use this filter.
- Yes: Include IPS signatures that track traffic from client to server.
- No: Do not include IPS signatures that track traffic from client to server.
Server-to-Client
Select one of the following:
- None (default): Do not use this filter.
- Yes: Include IPS signatures that track traffic from server to client.
- No: Do not include IPS signatures that track traffic from server to client.
Expression
If you select more than one traffic directional filter, you must select how the signatures must be matched:
- None (default): Do not use this filter.
- OR: Include signatures that match any of the specified traffic directions.
- AND: Include signatures that match all of the specified traffic directions.
Performance Impact
Unknown
Enable this option to include the IPS signatures with the Unknown performance impact.
Slow
Enable this option to include the IPS signatures with the Slow performance impact.
Normal
Enable this option to include the IPS signatures with the Normal performance impact.
Fast
Enable this option to include the IPS signatures with the Fast performance impact.
False Positives
Unknown
Enable this option to include the IPS signatures with the Unknown match assurance.
Low
Enable this option to include the IPS signatures with the Low match assurance.
Medium
Enable this option to include the IPS signatures with the Medium match assurance.
High
Enable this option to include the IPS signatures with the High match assurance.
Age of Attack
The age of the attack, in years, used as a filter criterion to include IPS signatures as part of the dynamic group.
Greater Than
Enter the age of attack in years to include the IPS signatures with the age of attack greater than the specified value as part of the dynamic group.
The range is from 1 to 100 years.
Less Than
Enter the age of attack in years to include the IPS signatures with the age of attack less than the specified value as part of the dynamic group.
The range is from 1 to 100 years.
CVSS Score
The Common Vulnerability Scoring System (CVSS) score used as a filter criterion to include IPS signatures as part of the dynamic group.
Greater Than
Enter the CVSS score to include the IPS signatures with the score greater than the specified value as part of the dynamic group.
The range is a decimal number between 0 and 10.
Less Than
Enter the CVSS score to include the IPS signatures with the score less than the specified value as part of the dynamic group.
The range is a decimal number between 0 and 10.
Other Filters
Excluded
Select one of the following:
- None (default): Do not use this filter.
- Yes: Include excluded attack objects as part of the dynamic group.
- No: Do not include excluded attack objects as part of the dynamic group.
File Type
Select the file type of the attack to be used as a filter criterion.
For example, flash.
Vulnerability Type
Select the vulnerability type of the attack to be used as a filter criterion.
For example, overflow.
Type
Use this filter to group attack objects by type (anomaly or signature).
Signature
Enable this option to add signatures based on stateful signature attack objects specified in the signature.
A stateful attack signature is a pattern that always exists within a specific section of the attack. Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.
Protocol Anomaly
Enable this option to add signatures of attacks that violate protocol specifications (RFCs and common RFC extensions).
Vendor Description
Product Type
Select this filter to include signatures belonging to the selected product type.
Vendor Name
Select this filter to include signatures belonging to the selected vendor.
Title
Select this filter to include signatures belonging to the selected product name.
The product names are populated only when you select a product type and a vendor.
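The input constraints in Table 1 can be checked before a proposed group reaches the Create IPS Signature Dynamic Group page, for example in a change-review step. The following is an added example, not Juniper code and not a Security Director Cloud API: the dictionary keys and function names are hypothetical, the name pattern accepts only the characters the table names explicitly, and the numeric bounds are assumed to be inclusive.

```python
import re

# Assumption: only the characters Table 1 names explicitly are accepted.
NAME_RE = re.compile(r"[A-Za-z0-9:._-]{1,255}")
DIRECTIONS = ("any", "client_to_server", "server_to_client")  # hypothetical keys
TRI_STATE = (None, "yes", "no")  # None means the filter is not used


def _check_range(group, key, low, high, errors):
    """Check the optional greater_than / less_than values of one numeric filter."""
    for side in ("greater_than", "less_than"):
        value = group.get(key, {}).get(side)
        if value is None:
            continue
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        if not is_number or not low <= value <= high:
            errors.append(f"{key}.{side}: must be a number from {low} to {high}")


def validate_dynamic_group(group):
    """Return the problems found in a proposed dynamic-group definition."""
    errors = []
    name = group.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("name: 1-255 characters, no spaces")

    direction = group.get("direction", {})
    used = []
    for key in DIRECTIONS:
        choice = direction.get(key)
        if choice not in TRI_STATE:
            errors.append(f"direction.{key}: must be None, 'yes' or 'no'")
        elif choice is not None:
            used.append(key)
    # Table 1: more than one direction filter requires an Expression value.
    if len(used) > 1 and direction.get("expression") not in ("and", "or"):
        errors.append("direction.expression: choose 'and' or 'or'")

    _check_range(group, "cvss_score", 0, 10, errors)      # bounds assumed inclusive
    _check_range(group, "age_of_attack", 1, 100, errors)  # years, assumed inclusive
    return errors


# Constructed sample definitions, not real groups.
GOOD = {"name": "web-critical_2024", "direction": {"client_to_server": "yes"},
        "cvss_score": {"greater_than": 7.5}, "age_of_attack": {"less_than": 5}}
BAD = {"name": "web critical",
       "direction": {"client_to_server": "yes", "server_to_client": "no"},
       "cvss_score": {"greater_than": 11}, "age_of_attack": {"less_than": 0}}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample["name"], validate_dynamic_group(sample) or "ok")
```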