A protocol anomaly attack object detects unknown or sophisticated
attacks that violate protocol specifications (RFCs and common RFC
extensions). You cannot create new protocol anomalies, but you can
configure a new attack object that controls how your device handles
a predefined protocol anomaly when detected.
Two properties are specific to protocol anomaly attacks: attack direction and test condition. Every other property (name, severity, time binding, service, shellcode) is shared with signature-based attack objects.
Establish basic connectivity. For more information,
see the Getting Started Guide for your device.
Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
When configuring protocol anomaly-based attacks, keep the following
in mind:
The service or application binding is a mandatory field
for protocol anomaly attacks. Besides the supported applications,
services also include IP, TCP, UDP, ICMP, and RPC.
The attack direction and test condition properties are
mandatory fields for configuring anomaly attack definitions.
The configuration instructions in this topic describe how to
create a protocol anomaly-based attack object. In this example, you create
a protocol anomaly attack named anomaly1 and assign it the
following properties:
Time binding—Specify the scope as peer and
count as 2, so that the attack matches only after the anomaly has been
seen 2 times between the same pair of source and destination IP addresses.
Severity (info)—Specify to provide information
about any attack that matches the conditions.
Attack direction (any)—Specify to detect
the attack in both directions—client-to-server and server-to-client
traffic.
Service (TCP)—Specify to match attacks
using the TCP service.
Test condition (OPTIONS_UNSUPPORTED)—Specify
one of the predefined test conditions; you cannot define your own. In this example, the
condition matches TCP traffic that carries unsupported TCP options. The value must be
typed exactly as the device names it; in the CLI, `?` after `test` lists the
conditions available for the selected service.
Shellcode (sparc)—Set the flag to detect
shellcode for Sparc platforms.
Once you have configured the protocol anomaly-based attack object,
you specify the attack as match criteria in an IDP policy rule. For
more information, see Defining Rules for an IPS Rulebase.
You can use either J-Web or the CLI configuration editor to
create a custom attack object.
Specify a name for the attack. The following statement
specifies anomaly1 as the name of the attack.
user@host# set security idp custom-attack anomaly1
Specify common properties for the attack.
The following statements specify an info severity level and
a time binding with a scope type peer and count 2.
user@host# set security idp custom-attack anomaly1 severity info
user@host# set security idp custom-attack anomaly1 time-binding count 2 scope peer
Specify the attack type and test condition.
The following statement specifies the attack type anomaly and the test condition OPTIONS_UNSUPPORTED.
user@host# set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED
Specify the remaining properties for the anomaly
attack. The following statements specify the service TCP and the attack
direction any, and set the shellcode flag to sparc. Note that every statement
names the same object, anomaly1; a statement that uses a different name creates
a second, incomplete attack object instead of extending this one.
user@host# set security idp custom-attack anomaly1 attack-type anomaly service TCP
user@host# set security idp custom-attack anomaly1 attack-type anomaly direction any
user@host# set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
If you are finished configuring the router,
commit the configuration.
From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more
information, see the JUNOS Software CLI Reference.
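The procedure above is easy to get wrong in two ways that the device will not always reject outright: a typo in the object name splits the configuration across two attack objects, and a missing service, direction or test leaves an anomaly attack that cannot be used in a rule. The following script is an added example, not code from the Junos documentation or from Juniper: it reads the `set security idp custom-attack ...` statements you intend to paste into the CLI and checks the rules stated in this topic (one object name, a service binding, an attack direction and a test condition, and a complete time binding if one is given). The statement grammar it recognises is taken from the statements shown above; the constructed GOOD and BAD inputs, the helper names and the rest of its behaviour are assumptions of this example, not a description of how the device parses configuration.

```python
"""Offline sanity check for a Junos IDP protocol anomaly custom-attack.

Added example: this is not Juniper code. It checks pasted "set security idp
custom-attack ..." statements against the rules stated in the topic. Only
the grammar seen in the procedure is understood; everything else here is an
assumption of the example.
"""
import re

# Optional "user@host#" prompt, then the statement and the object name.
STATEMENT = re.compile(
    r"^(?:\S+#\s*)?set\s+security\s+idp\s+custom-attack\s+(\S+)\s*(.*)$"
)

# Constructed input: the corrected procedure from this topic.
GOOD_CONFIG = """
set security idp custom-attack anomaly1 severity info
set security idp custom-attack anomaly1 time-binding count 2 scope peer
set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED
set security idp custom-attack anomaly1 attack-type anomaly service TCP
set security idp custom-attack anomaly1 attack-type anomaly direction any
set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
"""

# Constructed input: a slip of the kind that is easy to make when typing the
# procedure by hand: the service is bound to a different object name and the
# mandatory direction was never set.
BAD_CONFIG = """
user@host# set security idp custom-attack anomaly1 severity info
user@host# set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED
user@host# set security idp custom-attack sa attack-type anomaly service TCP
"""


def parse_statements(text):
    """Yield (object_name, tokens) for each custom-attack set statement."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATEMENT.match(line)
        if m is None:
            raise ValueError(f"not a custom-attack statement: {line!r}")
        yield m.group(1), m.group(2).split()


def check_anomaly_attack(text):
    """Return the problems found; an empty list means the object is complete."""
    problems = []
    stmts = list(parse_statements(text))

    names = {name for name, _ in stmts}
    if len(names) != 1:
        problems.append(f"statements refer to more than one object: {sorted(names)}")

    props = {}
    anomaly_typed = False
    for _, toks in stmts:
        if toks[:2] == ["attack-type", "anomaly"]:
            anomaly_typed = True
            toks = toks[2:]          # the rest is an anomaly-specific property
        elif toks[:1] == ["attack-type"]:
            problems.append(f"unexpected attack type: {' '.join(toks[1:])}")
            continue
        if len(toks) >= 2:
            props[toks[0]] = toks[1:]  # e.g. service -> [TCP], time-binding -> [count, 2, scope, peer]

    if not anomaly_typed:
        problems.append("attack-type anomaly never set")
    # The topic states these three as mandatory for anomaly attacks.
    for key, label in (("test", "test condition"),
                       ("direction", "attack direction"),
                       ("service", "service binding")):
        if key not in props:
            problems.append(f"{label} missing (mandatory for anomaly attacks)")
    # A time binding, if present, needs both a count and a scope.
    tb = props.get("time-binding")
    if tb is not None and not ({"count", "scope"} <= set(tb)):
        problems.append("time-binding needs both count and scope")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_anomaly_attack(cfg) or "ok")
```

Run it on the statements before committing; `check_anomaly_attack(GOOD_CONFIG)` returns an empty list, while the BAD input reports the split object name and the missing direction. The check is deliberately strict about the object name because Junos will happily accept `sa` as a brand-new custom attack and leave `anomaly1` without a service binding.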