Specifying IDP Rulebase Attack Objects (NSM Procedure)
Attack objects are the signatures and protocol anomalies the IDP engine looks for in traffic that matches the rule. In general, you specify attack objects related to the service and destination server set for the rule.
To add attack objects:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy you want to edit.
- In the security policy pane, click the IDP tab to display the IDP rulebase table.
- Right-click the table cell for attacks and select Select Attacks.
- In the All Attacks/Groups box, expand Attack Groups and add attack objects:
  - To add attack objects recommended by Juniper Networks Security Center (J-Security Center), expand Recommended Attacks. Then browse groups and select groups or individual attack objects. Table 1 describes the hierarchy of recommended attack groups.
  - To add other predefined attack objects, expand All Attacks. Then browse groups and select groups or individual attack objects. Table 1 describes the hierarchy of predefined attack groups.
  - To add attack objects that belong to custom groups, expand the node for the custom group. Then browse subgroups and select groups or individual attack objects.
  - To add custom attack objects that do not belong to groups, expand Attack List. Then select from custom attack objects.
- Click OK to save your changes.
Table 1: Attack Object Group Hierarchy
| Group | Contents |
|---|---|
| Attack Type | Contains two subgroups: anomaly and signature. Within each subgroup, attack objects are grouped by severity. |
| Category | Contains subgroups based on category. Within each category, attack objects are grouped by severity. |
| Operating System | Contains the following subgroups: BSD, Linux, Solaris, and Windows. Within each operating system, attack objects are grouped by services and severity. |
| Severity | Contains the following subgroups: Critical, Major, Minor, Warning, Info. Within each severity, attack objects are grouped by category. Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures). |
| Web Services | Contains subgroups based on Web services. Within services, attack objects are grouped by severity. |
| Miscellaneous | Contains attack objects that have a significant effect on IDP performance. |
| Response | Contains attack objects that are relevant to server-to-client traffic. This group contains a hierarchy of subgroups that includes all of the above categories. |

