
Defining Rules for an Exempt Rulebase

The exempt rulebase works in conjunction with the IPS rulebase. Before you can create exempt rules, you must first create rules in the IPS rulebase. If traffic matches a rule in the IPS rulebase, IDP attempts to match the traffic against the exempt rulebase before performing the specified action or creating a log record for the event. If IDP detects traffic that matches the source/destination pair and the attack objects specified in the exempt rulebase, it automatically exempts that traffic from attack detection.

Configure an exempt rulebase in the following conditions:

Before You Begin

  1. For background information, read:
  2. Create rules in the IPS rulebase. See Defining Rules for an IPS Rulebase.

When you create an exempt rule, you must specify the following:

You can use either J-Web or the CLI configuration editor to configure an exempt rulebase.

This topic contains:

J-Web Configuration

To define rules for an exempt rulebase:

  1. Specify the IPS rulebase for which you want to define an exempt rulebase. The following tasks specify policy P1 as the IPS rulebase:
    1. Select Configuration>View and Edit>Edit Configuration. The Configuration page appears.
    2. Next to Security, click Configure or Edit.
    3. Next to Idp, click Configure.
    4. Next to Idp policy, click Add new entry.
    5. In the Policy name box, type P1.
  2. Associate the exempt rulebase with the policy and add a rule to the rulebase. The following tasks associate the exempt rulebase with policy P1 and add rule R1 to the rulebase:
    1. Next to Rulebase exempt, click Configure.
    2. Next to Rule, click Add new entry.
    3. In the Name box, type R1.
  3. Specify the attacks that you want to exempt from attack detection. The following tasks specify that any traffic in your company's internal network is exempt from the FTP:USER:ROOT attack:
    1. Next to Match, click Configure.
    2. From the From zone list, select Enter specific value and type trust in the Zone box.
    3. From the To zone list, select any.
    4. From the Source list, select Source address.
    5. Next to Source address, select Add new entry.
    6. From the Value list, select Enter specific value.
    7. In the Address box, type FTP:USER:ROOT.
  4. Activate the policy. The following tasks specify P1 as the active policy:
    1. On the Idp page, in the Active-policy box, type P1.
    2. Click OK.
  5. If you are finished configuring the device, commit the configuration.

CLI Configuration

To define rules for an exempt rulebase:

  1. Specify the IPS rulebase for which you want to define an exempt rulebase. The following statement specifies policy P1 as the IPS rulebase:
    user@host# set security idp idp-policy P1
  2. Associate the exempt rulebase with the policy and add a rule to the rulebase. The following statement associates the exempt rulebase with policy P1 and adds rule R1 to the rulebase:
    user@host# set security idp idp-policy P1 rulebase-exempt rule R1
  3. Specify the attacks that you want to exempt from attack detection. The following configuration statement specifies that any traffic in your company's internal network is exempt from the FTP:USER:ROOT attack:
    user@host# set security idp idp-policy P1 rulebase-exempt rule R1 match from-zone trust to-zone any source-address internal-devices destination-address any attacks predefined-attacks "FTP:USER:ROOT"
  4. Activate the policy. The following statement specifies policy P1 as the active policy on the device:
    user@host# set security idp active-policy P1
  5. If you are finished configuring the router, commit the configuration.
  6. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
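
The following is an added example, not part of the original JUNOS documentation: a Python script that reads configuration in set-command form, as in the statements above, and flags exempt rules that sit in a policy with no IPS rulebase rules, in a policy that is not the active policy, or that exempt an attack for any source and any destination. Policy P2, rule R9, and the sample lines are constructed for illustration.

```python
import shlex
from collections import defaultdict

# Constructed sample in "display set" form; P2 and R9 are hypothetical.
SAMPLE = '''
set security idp idp-policy P1 rulebase-ips rule R1 match from-zone trust to-zone any
set security idp idp-policy P1 rulebase-exempt rule R1 match from-zone trust to-zone any source-address internal-devices destination-address any attacks predefined-attacks "FTP:USER:ROOT"
set security idp idp-policy P2 rulebase-exempt rule R9 match from-zone any to-zone any source-address any destination-address any attacks predefined-attacks "FTP:USER:ROOT"
set security idp active-policy P1
'''

MATCH_KEYS = ("from-zone", "to-zone", "source-address", "destination-address")

def parse(config):
    """Return (active_policy, policies_with_ips_rules, exempt_rules)."""
    active, ips, exempt = None, set(), defaultdict(dict)
    for line in config.splitlines():
        tok = shlex.split(line)  # honours the quoted attack name
        if tok[:3] != ["set", "security", "idp"]:
            continue
        if tok[3:4] == ["active-policy"] and len(tok) > 4:
            active = tok[4]
        elif tok[3:4] == ["idp-policy"] and len(tok) > 7 and tok[6] == "rule":
            policy, base, rule = tok[4], tok[5], tok[7]
            if base == "rulebase-ips":
                ips.add(policy)
            elif base == "rulebase-exempt":
                rest = tok[8:]  # keyword/value pairs after the rule name
                exempt[(policy, rule)].update(
                    (k, v) for k, v in zip(rest, rest[1:]) if k in MATCH_KEYS)
    return active, ips, dict(exempt)

def audit(config):
    """Return (policy, rule, reason) tuples for exempt rules worth reviewing."""
    active, ips, exempt = parse(config)
    findings = []
    for (policy, rule), f in sorted(exempt.items()):
        if policy not in ips:
            findings.append((policy, rule, "no IPS rulebase rules in this policy"))
        if policy != active:
            findings.append((policy, rule, "policy is not the active policy"))
        if f.get("source-address") == "any" and f.get("destination-address") == "any":
            findings.append((policy, rule, "exempts for any source and any destination"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
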
