Creating Custom Attack Objects
In most cases, the predefined attack objects are the only attack objects you need to protect your network. In some networks, you might need to create additional attack objects. This section covers the following topics related to custom attack objects:
- Configuring General Properties for Attack Objects
- Creating a Signature Attack Object
- Creating a Protocol Anomaly Attack Object
- Creating a Compound Attack Object
Configuring General Properties for Attack Objects
Creating a custom attack object is a two-part process:
- Configure general attack object properties.
- Complete the specific attack object properties using one of the workflows described later in this section (signature, protocol anomaly, or compound attack).
To configure general properties for an attack object:
- In the Object Manager, select Attack Objects > IDP Objects.
- Click the Custom Attacks tab.
- Click the + icon to display the Custom Attack dialog box.
- Configure attack object settings on the General tab as described in Table 1.
Table 1: Custom Attack Dialog Box: General Tab Settings

| Setting | Description |
|---|---|
| Name | Specifies the name to be displayed in the UI. Tip: You might want to include the protocol the attack uses as part of the attack name. |
| Description | Specifies details about the attack. Entering a description is optional when creating a new attack object, but it can help you remember important information about the attack. View the attack descriptions for predefined attacks for examples. |
| Severity | Specifies a severity rating: Info, Warning, Minor, Major, or Critical. Critical attacks are the most dangerous—typically these attacks attempt to crash your server or gain control of your network. Informational attacks are the least dangerous and typically are used by network administrators to discover holes in their own security system. |
| Category | Specifies a predefined category or defines a new category. |
| Keywords | Specifies keywords—unique identifiers that can be used to search and sort log records. |
| Recommended | Specifies that this attack object is among your highest risk set of attack objects. Later, when you add this attack object to dynamic groups, you can specify whether only recommended attack objects will be included. |
| Attack Versions | Skip this for now; you return to this setting in a later step to add an attack version. |
| Detection Performance | Select High, Medium, Low, or Not Defined. |
- Configure additional attack details on the Extended tab as described in Table 2.
Table 2: Custom Attack Dialog Box: Extended Tab Settings

| Setting | Description |
|---|---|
| Primary URL, Secondary URL, Tertiary URL | Enter up to three URLs (primary, secondary, tertiary) for external references you used when researching the attack. |
| CVE | Enter the Common Vulnerabilities and Exposures (CVE) ID the attack object addresses. CVE is a standardized list of vulnerabilities and other information security exposures. The CVE number is an alphanumeric code, such as CVE-2209. |
| Bugtraq | Enter the BugTraq ID number the attack object addresses. BugTraq is a moderated mailing list that discusses and announces computer security vulnerabilities. The BugTraq ID number is a three-digit code, such as 831 or 120. |
| Impact | Enter details about the impact of a successful attack, including information on system crashes and access granted to the attacker. |
| Description | Enter additional details. |
| Tech Info | Enter details on the vulnerability, the commands used to execute the attack, which files are attacked, registry edits, and other low-level information. |
| Patches | List any patches available from the product vendor, as well as information on how to prevent the attack. |
- Return to the General tab.
- Under Attack Versions, click the + icon to display the New Attack wizard.
- On the Target Platform and Type page, select a device platform (IDP 4.0, for example) and attack type.
Table 3 summarizes attack types and provides references to the next steps required to implement the technical configuration of the attack objects for each type.
Table 3: Attack Object Types

| Type | Description |
|---|---|
| Signature | Uses a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks. Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs. If you know the exact attack signature, the protocol, and the attack context used for a known attack, select this option. |
| Protocol Anomaly | Detects unknown or sophisticated attacks that violate protocol specifications (RFCs and common RFC extensions). You cannot create new protocol anomalies, but you can configure a new attack object that controls how the security device handles a predefined protocol anomaly when detected. If you do not know the exact attack signature, but you do know the protocol anomaly that detects the attack, select this option. |
| Compound Attack | Detects attacks that use multiple methods to exploit a vulnerability. This object combines multiple signatures and/or protocol anomalies into a single attack object, forcing traffic to match all combined signatures and/or anomalies within the compound attack object before traffic is identified as an attack. By combining and even specifying the order in which signatures or anomalies must match, you can be very specific about the events that need to take place before the IDP engine identifies traffic as an attack. If you need to detect an attack that uses several benign activities to attack your network, or if you want to enforce a specific sequence of events to occur before the attack is considered malicious, select this option. |
Complete the specific attack object properties using one of the following workflows:
Creating a Signature Attack Object
To configure a signature attack object:
- Configure general attack object properties (see Configuring General Properties for Attack Objects). On the Target Platform and Type page, select Signature and click Next.
- On the Custom Attack – General Properties page, configure the settings described in Table 4.
Table 4: Custom Attack – General Properties
Property
Description
Info
False Positives
Select the frequency that the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently.
Service Binding
Protocol Type
Any–If you are unsure of the correct service, select Any to match the signature in all services. Because some attacks use multiple services to attack your network, you might want to select the Any service binding to detect the attack regardless of which service the attack selects for a connection.
Note: You must select a service binding other than Any if you want to select a context for the attack.
IP–If you are not sure of the correct service, but know the IP protocol type, select IP protocol type for the service binding.
Specify the protocol type number.
If you select this option, you should also specify an attack pattern and IP header values later in the wizard. However, if you use a context binding of first packet, you must leave the attack pattern empty.
For a list of protocol type numbers, see the IDP Custom Attack Objects Reference and Examples Guide.
TCP, UDP, or ICMP–Attacks that do not use a specific service might use a specific protocol to attack your network. Some TCP and UDP attacks use standard ports to enter your network and establish a connection.
For TCP and UDP protocol types, specify the port ranges.
RPC–The remote procedure call (RPC) protocol is used by distributed processing applications to handle interaction between processes remotely. When a client makes a remote procedure call to an RPC server, the server replies with a remote program; each remote program uses a different program number.
To detect attacks that use RPC, configure the service binding as RPC and specify the RPC program ID.
Service–Most attacks use a specific service to attack your network.
If you select Service, the wizard displays a second selection box where you select a predefined or custom service. Your selection here populates the context selection boxes in the next wizard page.
For a list of supported services, see the IDP Custom Attack Objects Reference and Examples Guide.
Time Binding
Enable–Time attributes control how the attack object identifies attacks that repeat for a certain number of times.
Scope–Select the scope within which the count occurs:
- Source–Detects attacks from the source IP address for the specified number of times, regardless of the destination IP address.
- Destination–Detects attacks to the destination IP address for the specified number of times, regardless of the source IP address.
- Peer–Detects attacks between source and destination IP addresses of the sessions for the specified number of times.
Count/Min–Enter the number of times per minute that the attack object must detect an attack within the specified scope before the device considers the attack object to match the attack.
Click Next.
- On the Custom Attack – Attack Patterns page, configure the settings described in Table 5.
Table 5: Custom Attack – Attack Patterns
Setting
Description
Pattern
Type the attack pattern using the following syntax elements:
\0<octal-number>
For a direct binary match.
\X<hexadecimal-number>\X
For a direct binary match.
\[<character-set>\]
For case insensitive matches.
.
To match any symbol.
*
To match 0 or more symbols.
+
To match 1 or more symbols.
?
To match 0 or 1 symbols.
()
Grouping of expressions.
|
Alternation. Typically used with ().
[<start>-<end>]
Character range.
[^<start>-<end>]
Negation of character range.
Negate
Select this option to negate the attack pattern.
Context
Select the context used by the attack to enter your network.
The Context selection list is populated by the service binding values you set in the previous wizard page. In the first box, select that service; in the second box, select the appropriate service contexts.
If you know the service, but are unsure of the specific service context, select Other and then select one of the following general contexts:
- Packet–Detects the pattern at the packet level. When you select this option, you should also specify the Service Binding (in the General tab) and define the service header options (in the Header Match tab). Although not required, specifying these additional parameters helps to improve the accuracy of the attack object.
- First Packet–Inspects only the first packet of a stream. When the flow direction for the Attack Object is set to any, the IDP engine checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. If you know that the attack signature appears in the first packet of a session, choosing first packet instead of packet reduces the amount of traffic the security device needs to monitor, which improves performance.
- Stream–Reassembles packets and extracts the data to search for a pattern match. However, the IDP engine does not recognize packet boundaries for stream contexts, so data for multiple packets is combined. Select this option only when no other context option contains the attack.
- Stream 256–Reassembles packets and searches for a pattern match within the first 256 bytes of a traffic stream. When the flow direction is set to any, the IDP engine checks the first 256 bytes of both the STC and CTS flows. If you know that the attack signature will appear in the first 256 bytes of a session, choosing stream 256 instead of stream reduces the amount of traffic that the security device must monitor and cache, improving performance.
- Line–Detects a pattern match within a specific line within your network traffic.
Direction
Select the direction in which to detect the attack:
- Client to Server–Detects the attack only in client-to-server traffic.
- Server to Client–Detects the attack only in server-to-client traffic.
- Any–Detects the attack in either direction.
Flow
Select the flow in which to detect the attack:
- Control–Detects the attack in the initial connection that is established persistently to issue commands, requests, and the like.
- Auxiliary–Detects the attack in the response connection established intermittently to transfer requested data.
- Both–Detects the attack in the initial and response connections.
Tip: Using a single flow (instead of Both) improves performance and increases detection accuracy.
Click Next.
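To make the pattern syntax in Table 5 concrete, here is an added example (not code from the page or from the IDP product) that translates a pattern written with the table's elements into a Python regular expression and applies it to constructed payloads, including the Negate option. It assumes `\0` takes exactly three octal digits, `\X...\X` holds hex byte pairs with optional spaces, and `.`, `*`, `+`, `?`, `()`, `|` and `[..]` behave as in ordinary regular expressions; the function names and sample patterns are my own.

```python
import re


def idp_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IDP-style attack pattern into a compiled bytes regex (assumed semantics)."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if pattern.startswith("\\0", i):             # \0<octal>: one literal byte
            out.append(re.escape(bytes([int(pattern[i + 2:i + 5], 8)])))
            i += 5
        elif pattern.startswith("\\X", i):           # \X<hex>\X: literal byte string
            end = pattern.index("\\X", i + 2)
            out.append(re.escape(bytes.fromhex(pattern[i + 2:end].replace(" ", ""))))
            i = end + 2
        elif pattern.startswith("\\[", i):           # \[text\]: case-insensitive literal
            end = pattern.index("\\]", i + 2)
            for c in pattern[i + 2:end]:
                if c.isalpha():
                    out.append(b"[" + c.lower().encode("latin-1") + c.upper().encode("latin-1") + b"]")
                else:
                    out.append(re.escape(c.encode("latin-1")))
            i = end + 2
        elif ch == "[":                               # [a-z] / [^a-z]: range copied through
            end = pattern.index("]", i + 1)
            out.append(pattern[i:end + 1].encode("latin-1"))
            i = end + 1
        elif ch in ".*+?()|":                         # regex metacharacters pass through
            out.append(ch.encode("latin-1"))
            i += 1
        else:                                         # everything else is a literal
            out.append(re.escape(ch.encode("latin-1")))
            i += 1
    # DOTALL so that "." matches any symbol, newline included
    return re.compile(b"".join(out), re.DOTALL)


def pattern_matches(pattern: str, payload: bytes, negate: bool = False) -> bool:
    """Search the payload for the pattern; negate flips the result like the Negate option."""
    found = idp_pattern_to_regex(pattern).search(payload) is not None
    return found != negate


# Constructed sample patterns (not from the page): an FTP-style CWD command that
# carries "../" (given as hex), and a RETR whose argument is non-alphabetic up to
# the newline (given as octal 012).
TRAVERSAL = r"\[cwd\] .*\X2e 2e 2f\X"
NONALPHA_ARG = r"\[retr\] [^a-zA-Z]+\0012"
```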
- On the IP tab of the Custom Attack – IP Settings and Header Matches page, specify signature settings as described in Table 6.

Note: The IP tab specifies the contents of the IP header in a malicious packet. You cannot specify IP header contents if you selected a line, stream, stream 256, or a service context in the Attack Patterns tab.

Tip: If you are unsure of the IP flags and IP fields for the malicious packet, leave all fields blank. If no values are set, the IDP engine attempts to match the signature for all IP header contents.
Table 6: Custom Attack: IP Settings and Header Matches

| Setting | Description |
|---|---|
| Type of Service | Enter the service type. Common service types are: 0000 Default, 0001 Minimize Cost, 0002 Maximize Reliability, 0003 Maximize Throughput, 0004 Minimize Delay, 0005 Maximize Security. |
| Packet Length | Enter the number of bytes in the packet, including all header fields and the data payload. |
| ID | Enter the unique value used by the destination system to reassemble a fragmented packet. |
| Time-to-live | Enter the time-to-live (TTL) value of the packet. This value represents the number of routers the packet can pass through. Each router that processes the packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded. |
| Protocol | Enter the protocol used in the attack. |
| Source | Specify the IP address of the attacking device. |
| Destination | Specify the IP address of the attack target. |
| RB | Reserved bit. Instructs the IDP engine to look for a pattern match whether or not the IP flag is set (none), only if the flag is set (set), or only if the flag is not set (unset). |
| MF | More fragments. Instructs the IDP engine to look for a pattern match whether or not the IP flag is set (none), only if the flag is set (set), or only if the flag is not set (unset). |
| DF | Don’t fragment. Instructs the IDP engine to look for a pattern match whether or not the IP flag is set (none), only if the flag is set (set), or only if the flag is not set (unset). |
- Click the Protocols tab and configure the TCP, UDP, or ICMP header match properties, as described in Table 7.
Table 7: TCP, UDP, and ICMP Header Match Properties

| Protocol | Option | Description |
|---|---|---|
| TCP | Source Port | The port number on the attacking device. |
| TCP | Destination Port | The port number of the attack target. |
| TCP | Sequence Number | The sequence number of the packet. This number identifies the location of the data in relation to the entire data sequence. |
| TCP | ACK Number | The ACK number of the packet. This number identifies the next sequence number; the ACK flag must be set to activate this field. |
| TCP | Header Length | The number of bytes in the TCP header. |
| TCP | Window Size | The size of the TCP window, in bytes. |
| TCP | Data Length | The number of bytes in the data payload. For SYN, ACK, and FIN packets, this field should be empty. |
| TCP | Urgent Pointer | The data in the packet is urgent; the URG flag must be set to activate this field. |
| TCP | URG Bit | When set, the urgent flag indicates that the packet data is urgent. |
| TCP | ACK Bit | When set, the acknowledgment flag acknowledges receipt of a packet. |
| TCP | PSH Bit | When set, the push flag indicates that the receiver should push all data in the current sequence to the destination application (identified by the port number) without waiting for the remaining packets in the sequence. |
| TCP | RST Bit | When set, the reset flag resets the TCP connection, discarding all packets in an existing sequence. |
| TCP | FIN Bit | When set, the final flag indicates that the packet transfer is complete and the connection can be closed. |
| TCP | R1 Bit, R2 Bit | Reserved bits. Unused. |
| UDP | Source Port | Enter the port number on the attacking device. |
| UDP | Destination Port | Enter the port number of the attack target. |
| UDP | Data Length | Enter the number of bytes in the data payload. |
| ICMP | ICMP Type | Enter the primary code that identifies the function of the request/reply. |
| ICMP | ICMP Code | Enter the secondary code that identifies the function of the request/reply within a given type. |
| ICMP | Sequence Number | Enter the sequence number of the packet. This number identifies the location of the request/reply in relation to the entire sequence. |
| ICMP | ICMP ID | Enter the identification number, which is a unique value used by the destination system to associate requests and replies. |
- Click Finish.
Creating a Protocol Anomaly Attack Object
To configure a protocol anomaly attack:
- Configure general attack object properties (see Configuring General Properties for Attack Objects). On the Target Platform and Type page, select Protocol Anomaly and click Next.
- On the Custom Attack – General Properties page, configure the settings described in Table 8.
- Click Finish.
Table 8: Custom Attack – General Properties

| Property | Description |
|---|---|
| False Positives | Select the frequency that the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently. |
| Anomaly | Select a protocol anomaly from the list of known protocol anomalies: AIM, DHCP, IDENT, RUSERS, TFTP, FINGER, CHARGEN, IMAP, Gnutella, RLOGIN, FTP, DISCARD, IP Packet, Gopher, RPC, HTTP, DNS, POP3, IRC, RSH, ICMP, ECHO, REXEC, MSN, RTSP, LPR, NFS, VNC, NNTP, SNMP, SMTP, SMB, SNMP TRAP, YMSG, TCP segment, SYSLOG, SSH, TELNET. |
| Time Binding | Enable–Time attributes control how the attack object identifies attacks that repeat for a certain number of times. Scope–Select the scope within which the count occurs: Source (attacks from the source IP address, regardless of the destination IP address), Destination (attacks to the destination IP address, regardless of the source IP address), or Peer (attacks between the source and destination IP addresses of the sessions). Count/Min–Enter the number of times per minute that the attack object must detect an attack within the specified Scope before the device considers the attack object to match the attack. |
Creating a Compound Attack Object
To configure a compound attack object:
- Configure general attack object properties (see Configuring General Properties for Attack Objects). On the Target Platform and Type page, select Compound Attack and click Next.
- On the Custom Attack – General Properties page, configure the settings described in Table 9.
Table 9: Custom Attack – General Properties
Property
Description
False Positives
Select the frequency that the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently.
Service Binding
Any–If you are unsure of the correct service, select Any to match the signature in all services. Because some attacks use multiple services to attack your network, you might want to select the Any service binding to detect the attack regardless of which service the attack selects for a connection.
Note: You must select a service binding other than Any if you want to select a context for the attack.
IP–If you are not sure of the correct service, but know the IP protocol type, select IP protocol type for the service binding.
Specify the protocol type number.
If you select this option, you should also specify an attack pattern and IP header values later in the wizard. However, if you use a context binding of first packet, you must leave the attack pattern empty.
For a list of protocol type numbers, see the IDP Custom Attack Objects Reference and Examples Guide.
TCP, UDP, or ICMP–Attacks that do not use a specific service might use a specific protocol to attack your network. Some TCP and UDP attacks use standard ports to enter your network and establish a connection.
For TCP and UDP protocol types, specify the port ranges.
RPC–The remote procedure call (RPC) protocol is used by distributed processing applications to handle interaction between processes remotely. When a client makes a remote procedure call to an RPC server, the server replies with a remote program; each remote program uses a different program number.
To detect attacks that use RPC, configure the service binding as RPC and specify the RPC program ID.
Service–Most attacks use a specific service to attack your network.
If you select Service, the wizard displays a second selection box where you specify the service used for the attack.
For a list of supported services, see the IDP Custom Attack Objects Reference and Examples Guide.
Time Binding
Enable–Time attributes control how the attack object identifies attacks that repeat for a certain number of times.
Scope–Select the scope within which the count occurs:
- Source–Detects attacks from the source IP address for the specified number of times, regardless of the destination IP address.
- Destination–Detects attacks to the destination IP address for the specified number of times, regardless of the source IP address.
- Peer–Detects attacks between source and destination IP addresses of the sessions for the specified number of times.
Count/Min–Enter the number of times per minute that the attack object must detect an attack within the specified Scope before the device considers the attack object to match the attack.
Click Next.
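The Time Binding settings in Tables 4, 8 and 9 (Enable, Scope, Count/Min) describe a counter keyed by source, destination, or peer. The following added example (not code from the page or the IDP product) shows how the three scopes change what gets counted, using a sliding 60-second window and a constructed series of pattern hits; the class and function names, the sliding-window interpretation of "per minute", and the sample addresses are my assumptions.

```python
from collections import defaultdict, deque


class TimeBinding:
    """Count pattern hits per scope key and report when Count/Min is reached.

    scope: "source", "destination" or "peer", as in the Scope setting.
    count_per_min: the Count/Min threshold. The 60-second sliding window is an
    assumption; the page only says "number of times per minute".
    """

    def __init__(self, scope: str, count_per_min: int):
        if scope not in ("source", "destination", "peer"):
            raise ValueError("scope must be source, destination or peer")
        self.scope = scope
        self.threshold = count_per_min
        self._hits = defaultdict(deque)  # scope key -> timestamps of recent hits

    def _key(self, src: str, dst: str):
        if self.scope == "source":
            return (src,)          # count per attacker, whatever the destination
        if self.scope == "destination":
            return (dst,)          # count per target, whatever the source
        return (src, dst)          # count per exact source/destination pair

    def detect(self, src: str, dst: str, ts: float) -> bool:
        """Record one hit at time ts; return True once the window holds Count/Min hits."""
        window = self._hits[self._key(src, dst)]
        window.append(ts)
        while window and ts - window[0] >= 60.0:  # drop hits older than one minute
            window.popleft()
        return len(window) >= self.threshold


# Constructed detections (not from the page): one client hitting three servers,
# then returning to the first server well over a minute later.
HITS = [
    (0.0, "10.0.0.5", "192.0.2.10"),
    (10.0, "10.0.0.5", "192.0.2.11"),
    (20.0, "10.0.0.5", "192.0.2.12"),
    (90.0, "10.0.0.5", "192.0.2.10"),
]


def first_alert(scope: str, count_per_min: int):
    """Replay HITS through a binding; return the timestamp of the first match, or None."""
    binding = TimeBinding(scope, count_per_min)
    for ts, src, dst in HITS:
        if binding.detect(src, dst, ts):
            return ts
    return None
```

With Scope set to Source and Count/Min 3 the binding fires at the third hit, while Destination or Peer scope never reaches 3 because the hits are spread over different targets and the late hit falls outside the window.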
- On the Compound Members page, specify compound attack parameters and add members as described in Table 10.
Table 10: Compound Attack Parameters
Setting
Description
Scope
Select one of the following:
- Session–Allows multiple matches for the object within the same session.
- Transaction–Matches the object across multiple transactions that occur within the same session.
Reset
Specifies the compound attack should be matched more than once within a single session or transaction. If you select this option, multiple matches can be made within a single session or transaction.
Ordered Match
Matches each member signature or protocol anomaly in the order you specify. If you do not specify an ordered match, the compound attack object still must match all members, but the attack pattern or protocol anomalies can appear in the attack in random order.
Boolean Expression
Type a Boolean expression using the following Boolean operators:
- or–if either of the member name patterns match, the expression matches.
- and–if both of the member name patterns match, the expression matches. It does not matter which order the members appear in.
- oand–if both of the member name patterns match, and if they appear in the same order as in the Boolean expression, the expression matches.
For example, the Boolean expression ((s1 oand s2) or (s1 oand s3)) and (s4 and s5) would match an attack that contains s1 followed by either s2 or s3, and that also contains s4 and s5 in any location.
Note: If both the Ordered Match check box is selected and a Boolean expression is entered, the IDP engine ignores the Ordered Match check box and uses the Boolean expression.
- Click Finish.
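To show how the Ordered Match and Boolean Expression rules in Table 10 decide a compound match, here is an added example (not code from the page or the IDP product) that parses an expression built from or, and and oand and evaluates it against the offsets at which each member matched in a session, falling back to the Ordered Match rule when no expression is given. The parser, the equal left-to-right operator precedence, the offset-based model of "appear in the same order", and the sample session are my assumptions.

```python
import re

OPERATORS = ("or", "and", "oand")


def tokenize(expr: str):
    """Split an expression into parentheses, operator words and member names."""
    return re.findall(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*", expr)


def parse_atom(tokens, i):
    if tokens[i] == "(":
        node, i = parse_expr(tokens, i + 1)
        if i >= len(tokens) or tokens[i] != ")":
            raise ValueError("unbalanced parentheses")
        return node, i + 1
    return ("member", tokens[i]), i + 1


def parse_expr(tokens, i):
    # Assumption: operators bind left to right with equal precedence, so use
    # parentheses (as the page's example does) to make the grouping explicit.
    left, i = parse_atom(tokens, i)
    while i < len(tokens) and tokens[i] in OPERATORS:
        op = tokens[i]
        right, i = parse_atom(tokens, i + 1)
        left = (op, left, right)
    return left, i


def positions(node, matches):
    """Offsets at which the (sub)expression is satisfied; an empty set means no match.

    A member contributes the offsets where it was seen; or merges both sides,
    and is satisfied once both sides have been seen (any order), and oand only
    keeps right-hand hits that come after a left-hand hit.
    """
    if node[0] == "member":
        return set(matches.get(node[1], ()))
    op, left, right = node
    lpos, rpos = positions(left, matches), positions(right, matches)
    if op == "or":
        return lpos | rpos
    if op == "and":
        return {max(a, b) for a in lpos for b in rpos}
    return {b for a in lpos for b in rpos if b > a}  # oand


def compound_matches(members, matches, boolean_expr="", ordered_match=False):
    """A Boolean expression, when present, overrides Ordered Match, as the page's note says."""
    if boolean_expr.strip():
        tokens = tokenize(boolean_expr)
        node, end = parse_expr(tokens, 0)
        if end != len(tokens):
            raise ValueError("unexpected trailing tokens")
        return bool(positions(node, matches))
    if not all(matches.get(m) for m in members):
        return False                      # every member must match
    if not ordered_match:
        return True                       # any order is fine
    last = -1                             # each member must hit after the previous one
    for m in members:
        later = [p for p in matches[m] if p > last]
        if not later:
            return False
        last = min(later)
    return True


# Constructed session (not from the page): byte offsets where each member matched.
SESSION = {"s1": [10], "s2": [], "s3": [25], "s4": [5], "s5": [40]}
EXAMPLE_EXPR = "((s1 oand s2) or (s1 oand s3)) and (s4 and s5)"
```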

