Help Center User GuideGetting StartedFAQ
 
X
User Guide
Getting Started
FAQ
Contents  

Create IPS Signature Dynamic Groups

The signature database in Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) signature dynamic groups that you can use. Users with the tenant administrator role or a custom role with appropriate IPS tasks can also create customized IPS signature dynamic groups (based on a specified filter criteria) from the Create IPS Signature Dynamic Group page.

The filter criteria that you specify are matched only to predefined or customized IPS signatures, and not to IPS static groups dynamic groups. When a new signature database is used, the dynamic group membership is automatically updated based on the filter criteria for that group.

Procedure

To create a customized IPS signature dynamic group:

  1. Select Configuration > IPS > IPS Signatures.

    The IPS Signatures page appears.

  2. Select Create > Dynamic Group.

    The Create IPS Signature Static Group page appears.

  3. Complete the configuration according to the guidelines in Table 258.

    Note Fields marked with an asterisk (*) are mandatory.

  4. (Optional) Click Preview Filtered Signatures to check if the signatures that match the dynamic group are consistent with the filter criteria that you specified.

    The IPS Signatures page appears displaying the list of IPS signatures matching the filters. If the signatures do not match, you can tweak the filter criteria as needed. Click Close to go back to the previous page.

  5. Click OK.

    You are returned to the IPS Signatures page and a message indicating that the dynamic group was successfully created is displayed.

After you create an IPS signature dynamic group, you can use the dynamic group in an IPS or an exempt rule and reference the IPS profile (containing the rule) in a firewall policy that you can then deploy on the device.

Table 258: Create IPS Signature Dynamic Group Settings

Setting

Guideline

Name

Enter a unique name for the IPS signature dynamic group that is a string of alphanumeric characters, colons, periods, hyphens, and underscores. No spaces are allowed and the maximum length is 255 characters.

Filter Criteria

You select one or more filters to define the attributes of IPS signatures that will be added to the IPS signature dynamic group that you are creating. Filters apply to existing signatures (already downloaded in CSO) and to new signatures when they are downloaded.

IPS signatures that match any of the filters that you configure are included as part of the signature group.

Severity

 

Info

Select the Enable check box to include IPS signatures with the severity level Info.

Warning

Select the Enable check box to include IPS signatures with the severity level Warning.

Minor

Select the Enable check box to include IPS signatures with the severity level Minor.

Major

Select the Enable check box to include IPS signatures with the severity level Major.

Critical

Select the Enable check box to include IPS signatures with the severity level Critical.

Service

 

Service

Specify the services that you want to use to filter for IPS signatures that should be included as part of the dynamic group.

Select one or more services listed in the Available column and click the forward arrow to confirm your selection. The selected services are displayed in the Selected column.

Category

 

Category

Specify the categories that you want to use to filter for IPS signatures that should be included as part of the dynamic group.

Select one or more categories listed in the Available column and click the forward arrow to confirm your selection. The selected categories are displayed in the Selected column.

Recommended

 

Recommended

This filter is based on attack objects recommended by Juniper Networks. Select one of the following:

  • None—Don’t use this filter.

  • Yes—Add predefined attacks recommended by Juniper Networks to the dynamic group.

  • No—Add predefined attacks that are not recommended by Juniper Networks to the dynamic group.

Direction

You use this filter to add IPS signatures to the dynamic group based on the traffic direction of the attacks.

If you specify more than one traffic direction (Any, Client-to-Server, and Server-to-Client), you must select a value in the Expression field.

Any

Select one of the following:

  • None (default): Do not use this filter.

  • Yes: Include IPS signatures that track traffic from client to server or server to client.

  • No: Do not include IPS signatures that track traffic from client to server or server to client.

Client-to-Server

Select one of the following:

  • None (default): Do not use this filter.

  • Yes: Include IPS signatures that track traffic from client to server.

  • No: Do not include IPS signatures that track traffic from client to server.

Server-to-Client

Select one of the following:.

  • None (default): Do not use this filter

  • Yes: Include IPS signatures that track traffic from server to client.

  • No: Do not include IPS signatures that track traffic from server to client.

Expression

If you specified more than one direction filter, you must specify how the signatures should be matched:

  • OR—Include signatures that match any of the specified traffic directions.

  • AND—Include signatures that match all of the specified traffic directions.

Performance Impact

 

Unknown

Select the Enable check box to include IPS signatures with the performance impact Unknown.

Low

Select the Enable check box to include IPS signatures with the performance impact Low.

Medium

Select the Enable check box to include IPS signatures with the performance impact Medium.

High

Select the Enable check box to include IPS signatures with the performance impact High.

False Positives

 

Unknown

Select the Enable check box to include IPS signatures with the match assurance Unknown.

Low

Select the Enable check box to include IPS signatures with the match assurance Low.

Medium

Select the Enable check box to include IPS signatures with the match assurance Medium.

High

Select the Enable check box to include IPS signatures with the match assurance High.

Age of Attack

 

Age of Attack

Enter the age of the attack (in years) to be used as a filter criteria to include IPS signatures as part of the dynamic group.

Range: 1 through 100.

Expression

Select whether the IPS signatures should be filtered based on whether the age of attack in the signature is greater than (default) or less than the value that you specified.

CVSS Score

 

CVSS Score

Specify the Common Vulnerability Scoring System (CVSS) to be used as a filter criteria to include IPS signatures as part of the dynamic group.

Range: Decimal number between 0 and 10.

Expression

Select whether the IPS signatures should be filtered based on whether the CVSS score of the attack is greater than (default) or less than the value that you specified.

Other Filters

 

Excluded

Select one of the following:.

  • None (default): Do not use this filter

  • Yes: Include excluded attack objects as part of the dynamic group.

  • No: Do not include excluded attack objects as part of the dynamic group.

File Type

Select the file type of the attack to be used as a filter criteria; for example, flash.

Vulnerability Type

Select the vulnerability type of the attack to be used as a filter criteria; for example, overflow.

Object Type

Specify this filter to group attack objects by type (anomaly or signature).

Signature

Select the Enable check box to add signatures based on stateful signature attack objects specified in the signature.

A stateful attack signature is a pattern that always exists within a specific section of the attack. Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.

Protocol Anomaly

Select the Enable check box to add signatures of attacks that violate protocol specifications (RFCs and common RFC extensions).

Vendor Description

 

Product Type

Specify this filter to include signatures belonging to the selected product type.

Vendor Name

Specify this filter to include signatures belonging to the selected vendor.

Title

Specify this filter to include signatures belonging to the selected product name. The product names are populated only when you select a product type and a vendor.

Related Documentation

Help us to improve. Rate this article.
Feedback Received. Thank You!

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit