Specifying Rule Session Action (NSM Procedure)
Actions are responses to sessions that match the source/destination condition and attack object pattern. Actions are what protect your network from attacks.
If a packet triggers multiple rule actions, the IDP engine takes the most severe action. For example, if a rule with a DiffServ marking action and a rule with a drop action both match, the IDP engine takes the drop action.
Table 1 describes the actions you can set for IDP rulebase rules.
To modify action settings:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy you want to edit.
- In the security policy pane, click the IDP tab to display the IDP rulebase table.
- Modify action settings by right-clicking the table cell and selecting your setting.
- Click OK to save your changes.
Table 1: IDP Rulebase Actions

| Action | Function |
|---|---|
| Recommended | Takes the action recommended in the predefined attack object. The recommended action is related to severity. Table 2 lists the recommended actions by severity. |
| None | Inspects the session but takes no action against the connection. |
| Ignore | Ignores the match and does not inspect the remainder of the connection. |
| Drop Packet | Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service (DoS) condition that prevents you from receiving traffic from a legitimate source address. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. Therefore, this action has no effect in sniffer mode. |
| Drop Connection | Drops the connection without sending an RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic not prone to spoofing. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. Therefore, this action has no effect in sniffer mode. |
| Close Client and Server | Closes the connection and sends an RST packet to both the client and the server. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP device can send an RST packet to both the client and server but does not close the connection. |
| Close Client | Closes the connection to the client but not to the server. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP device can send an RST packet to both the client and server but does not close the connection. Note: In VLAN tagged MPLS traffic, the Close Client action drops the connection instead of closing it. |
| Close Server | Closes the connection to the server but not to the client. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the IDP device can send an RST packet to both the client and server but does not close the connection. |
| Diffserv Marking | Assigns the indicated service-differentiation value to the packet, and then passes it on normally. Set the service-differentiation value in the dialog box that appears when you select this action in the rulebase. Note: In sniffer mode, the IDP appliance is not in the path of network traffic. Therefore, this action has no effect in sniffer mode. |

Table 2 describes the logic applied to the value Recommended, a setting coded in predefined attack objects provided by Juniper Networks Security Center.
Table 2: IDP Rulebase Actions: Recommended Actions by Severity

| Severity | Description | Recommended Action |
|---|---|---|
| Critical | Attacks attempt to evade an intrusion prevention system, crash a machine, or gain system-level privileges. | Drop Packet, Drop Connection |
| Major | Attacks attempt to crash a service, perform a denial of service, install or use a Trojan, or gain user-level access to a host. | Drop Packet, Drop Connection |
| Minor | Attacks attempt to obtain critical information through directory traversal or information leaks. | None |
| Warning | Attacks attempt to obtain noncritical information or scan the network. They can also be obsolete attacks. | None |
| Info | Attacks are normal, harmless traffic containing URLs, DNS lookup failures, and SNMP public community strings. You can use informational attack objects to obtain information about your network. | None |

Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures).
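
The sniffer-mode notes in Table 1 and the severity mapping in Table 2 can be combined into a check that flags rules whose action will not block traffic when the appliance is deployed out of path. This is an added example, not Juniper code: the rule records, field names, and function names are constructed for illustration and do not correspond to an NSM export format, and the "requires sniffer mode reset interface" finding is inferred from the Table 1 notes.

```python
# Added example. Rule records and field names are constructed for illustration;
# they are not an NSM export format.

# Table 2: what "Recommended" resolves to for each attack-object severity.
RECOMMENDED = {
    "Critical": ["Drop Packet", "Drop Connection"],
    "Major": ["Drop Packet", "Drop Connection"],
    "Minor": ["None"],
    "Warning": ["None"],
    "Info": ["None"],
}
# Table 1 notes: actions with no effect when the appliance is out of path.
NO_EFFECT = {"Drop Packet", "Drop Connection", "Diffserv Marking"}
# Table 1 notes: actions that depend on an ACM-configured reset interface.
NEEDS_RESET_IF = {"Close Client and Server", "Close Client", "Close Server"}


def effective_actions(action, severity):
    """Expand 'Recommended' through Table 2; pass other actions through."""
    return RECOMMENDED[severity] if action == "Recommended" else [action]


def sniffer_findings(rules, reset_interface=False):
    """Return (rule id, action, finding) for actions that will not block in sniffer mode."""
    findings = []
    for rule in rules:
        for act in effective_actions(rule["action"], rule.get("severity")):
            if act in NO_EFFECT:
                findings.append((rule["id"], act, "no effect in sniffer mode"))
            elif act in NEEDS_RESET_IF and reset_interface:
                findings.append((rule["id"], act, "RST sent, connection not closed"))
            elif act in NEEDS_RESET_IF:
                findings.append((rule["id"], act, "requires sniffer mode reset interface"))
    return findings


# Constructed sample rulebase.
SAMPLE_RULES = [
    {"id": 1, "action": "Recommended", "severity": "Critical"},
    {"id": 2, "action": "Recommended", "severity": "Minor"},
    {"id": 3, "action": "Close Client"},
    {"id": 4, "action": "Diffserv Marking"},
    {"id": 5, "action": "Ignore"},
]

if __name__ == "__main__":
    for rule_id, act, finding in sniffer_findings(SAMPLE_RULES):
        print(f"rule {rule_id}: {act}: {finding}")
```

Rules whose action resolves to None or Ignore produce no finding, because those actions behave the same in either deployment mode.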


