Although you cannot create application signatures, you can configure
sensor settings to limit the number of sessions running application
identification and also limit memory usage for application identification.
Memory limit for a session—You can configure the maximum number of memory bytes that can be used to save packets for application identification for one TCP or UDP session. You can also configure a limit on global memory usage for application identification. Application identification is disabled for a session after the system reaches the specified memory limit for that session; however, IDP continues to match patterns. A matched application is saved to the cache so that the next session can use it. This protects the system against attackers who try to bypass application identification by deliberately sending large client-to-server packets.
Number of sessions—You can configure the maximum number of sessions that can run application identification at the same time. Application identification is disabled after the system reaches the specified number of sessions. Limiting the number of sessions helps prevent a denial-of-service (DoS) attack, in which too many connection requests overwhelm and exhaust all the resources allocated on the system.
In the configuration instructions for this example, you configure the limit so that only 600 sessions can run application identification at the same time. You also configure 5000 memory bytes as the maximum amount of memory that can be used for saving packets for application identification for one TCP session.
You can use either J-Web or the CLI configuration editor to configure memory and session limits for application identification.

To configure memory and session limits for application identification:

1. Specify the session limit for application identification. In the following statement you set the maximum number of sessions that can run application identification at the same time to 600:

   user@host# set security idp sensor-configuration application-identification max-sessions 600

2. Specify the memory limit for application identification. In the following statement you configure a maximum of 5000 memory bytes to save packets for application identification for one TCP session:

   user@host# set security idp sensor-configuration application-identification max-tcp-session-packet-memory 5000

3. If you are finished configuring the router, commit the configuration.

From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
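A practitioner rolling these limits out across several sensors usually wants an automated check that both statements actually made it into the committed configuration, since a missing limit leaves application identification exposed to the resource-exhaustion cases described above. The following Python script is an added example, not Juniper's code and not output captured from a device: it assumes the curly-brace hierarchy that show security idp displays in configuration mode, parses it with a simplified parser, and reports which of the two limits (max-sessions and max-tcp-session-packet-memory) are missing or unusable. The sample configuration texts are constructed for this example, using the 600 and 5000 values from the procedure.

```python
"""Verify that a Junos IDP sensor configuration sets both application
identification limits from the procedure above.

Added example, not Juniper's code and not real device output. It assumes the
curly-brace hierarchy that `show security idp` displays in configuration mode;
the sample texts below are constructed, with the 600 and 5000 values taken
from the procedure.
"""

# Constructed: what the two `set` commands look like when displayed as a
# hierarchy (enclosing hierarchy levels omitted).
SAMPLE_OK = """\
sensor-configuration {
    application-identification {
        max-sessions 600;
        max-tcp-session-packet-memory 5000;
    }
}
"""

# Constructed: only the session limit was committed; the memory limit is missing.
SAMPLE_PARTIAL = """\
sensor-configuration {
    application-identification {
        max-sessions 600;
    }
}
"""

# Statements checked, with what each limit guards against (from the text above).
LIMITS = {
    "max-sessions": "cap on sessions running application identification (DoS)",
    "max-tcp-session-packet-memory": "cap on packet bytes saved per TCP session",
}


def parse_junos(text):
    """Parse a Junos curly-brace configuration display into nested dicts.

    A stanza line ('name {') opens a nested dict, '}' closes it, and a
    statement line ('name value;') stores the value as a string (or True when
    the statement has no value). Text after '#' (Junos '##' annotations) is
    ignored. This is a simplified parser for display output, not a full
    Junos grammar.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            stack[-1][parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return root


def appid_limits(config_text):
    """Return the configured limits as {statement: int} for those present."""
    tree = parse_junos(config_text)
    appid = tree.get("sensor-configuration", {}).get("application-identification", {})
    if not isinstance(appid, dict):
        return {}
    result = {}
    for stmt in LIMITS:
        value = appid.get(stmt)
        if isinstance(value, str) and value.isdigit():
            result[stmt] = int(value)
    return result


def check_appid_limits(config_text):
    """Return a list of findings; empty means both limits are set to a
    positive value."""
    present = appid_limits(config_text)
    findings = []
    for stmt, purpose in LIMITS.items():
        if stmt not in present:
            findings.append(f"{stmt} not configured: no explicit {purpose}")
        elif present[stmt] <= 0:
            findings.append(f"{stmt} is {present[stmt]}, which imposes no usable limit")
    return findings


if __name__ == "__main__":
    for label, sample in (("complete", SAMPLE_OK), ("partial", SAMPLE_PARTIAL)):
        findings = check_appid_limits(sample)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

To use it against a real sensor, paste the output of show security idp (from configuration mode) into a file and pass its contents to check_appid_limits; an empty result means both limits are present and positive, and each finding names the statement that still needs to be set and committed.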