A protocol anomaly attack object detects unknown or sophisticated
attacks that violate protocol specifications (RFCs and common RFC
extensions). You cannot create new protocol anomalies, but you can
configure a new attack object that controls how your device handles
a predefined protocol anomaly when detected.
Two properties are specific to protocol anomaly attacks: attack
direction and test condition.
Before you begin, establish basic connectivity (see the Getting
Started Guide for your device) and configure the network interfaces
(see the JUNOS Software Interfaces and Routing Configuration Guide).
When configuring protocol anomaly-based attacks, keep the following
in mind:
The service or application binding is a mandatory field
for protocol anomaly attacks. In addition to the supported applications,
the service can be one of the base protocols IP, TCP, UDP, ICMP, or RPC.
The attack direction and test condition properties are also
mandatory fields for anomaly attack definitions.
The configuration instructions in this topic describe how to
create a protocol anomaly attack object. In this example, you create
a protocol anomaly attack named anomaly1 and assign it the
following properties:
Time binding (scope peer, count 2)—Count matches per source and
destination IP address pair, so the anomaly is reported only after it
has been detected the specified number of times between the same peers.
Severity (info)—Specify to provide information
about any attack that matches the conditions.
Attack direction (any)—Specify to detect
the attack in both directions—client-to-server and server-to-client
traffic.
Service (TCP)—Specify to match attacks
using the TCP service.
Test condition (OPTIONS_UNSUPPORTED)—Select one of the
predefined test conditions. In this example, the object matches
TCP traffic that carries unsupported options.
Shellcode (sparc)—Set the flag to detect
shellcode for Sparc platforms.
Once you have configured the protocol anomaly-based attack object,
you specify the attack as match criteria in an IDP policy rule. For
more information, see Defining Rules for an IPS Rulebase.
You can use either J-Web or the CLI configuration editor to
create a custom attack object.
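The complete procedure, as an added worked example in Junos CLI set-command form. This is not configuration text from the original page: the policy name idp-anomaly-policy, the rule name r1, and the rule action are assumed placeholders, and the lines beginning with # are annotations for the reader rather than commands to type. The custom-attack, idp-policy, and active-policy statements are the standard hierarchy under [edit security idp].

```junos
# 1. Mandatory fields for an anomaly attack object: service binding,
#    attack direction, and test condition (predefined; cannot be invented).
set security idp custom-attack anomaly1 attack-type anomaly service TCP
set security idp custom-attack anomaly1 attack-type anomaly direction any
set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED

# 2. Optional properties used by the anomaly1 example in the text.
set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
set security idp custom-attack anomaly1 severity info
set security idp custom-attack anomaly1 time-binding scope peer
set security idp custom-attack anomaly1 time-binding count 2

# 3. Use the object as match criteria in an IPS rulebase rule, then make
#    the policy active. Policy name, rule name, and action are assumed.
set security idp idp-policy idp-anomaly-policy rulebase-ips rule r1 match attacks custom-attacks anomaly1
set security idp idp-policy idp-anomaly-policy rulebase-ips rule r1 then action drop-packet
set security idp idp-policy idp-anomaly-policy rulebase-ips rule r1 then notification log-attacks
set security idp active-policy idp-anomaly-policy

# 4. Validate, commit, and verify. The attack table shows the object
#    and its hit count once traffic has matched it.
commit check
commit
show configuration security idp custom-attack anomaly1
show security idp attack table
```

Two caveats worth checking before commit: if the commit check reports a missing service, direction, or test statement, the object is incomplete and will not be accepted, because all three are mandatory for anomaly attacks; and with scope peer and count 2, the first occurrence of the anomaly between a given source and destination pair is counted but not reported, so remove the time-binding statements if every occurrence should trigger the rule.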