Create IPS Signatures
The signature database in Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) signatures that you can use. From the Create IPS Signature page, users with the tenant administrator role or a custom role with appropriate IPS tasks can also create customized IPS signatures to block newer attacks or unknown attacks.
To create a customized IPS signature:
- Select Configuration > IPS > IPS Signatures.
The IPS Signatures page appears.
- Select Create > IPS Signature.
The Create IPS Signature page appears.
- Complete the configuration according to the guidelines
in Table 1.
Fields marked with an asterisk (*) are mandatory.
- Click OK.
You are returned to the IPS Signatures page and a message indicating that the signature is created is displayed.
After you create an IPS signature, you can use the signature in an IPS or an exempt rule and reference the IPS profile (containing the rule) in a firewall policy that you can then deploy on the device.
Table 1: Create IPS Signature Settings
Enter a unique name for the IPS signature that is a string of alphanumeric characters and some special characters (colon, hyphen, period, and underscore). No spaces are allowed and the maximum length is 255 characters.
Enter a description for the IPS signature; the maximum length is 1024 characters.
Enter a predefined category or a new category. The category can contain alphanumeric characters and special characters (hyphen and underscore) and must begin with an alphanumeric character. No spaces are allowed and the maximum length is 63 characters.
You use categories to group attack objects and then within each category, you can assign severity levels to the attack objects.
Select the action to take when the monitored traffic matches the attack objects specified in the IPS rule:
Enter unique identifiers that can be used to search and sort signatures. Keywords should relate to the attack and the attack object. For example, Amanda Amindexd Remote Overflow.
Select a severity level for the attack that the signature will report:
Select the protocol or service that the attack uses to enter your network:
For IP binding, specify the transport layer protocol number that you want matched to the attack.
Range: 1 through 139 excluding 1, 6, and 17.
For IPv6 binding, specify the transport layer protocol number for the next header following the IPv6 header with which to match the attack.
Range: 1 through 139 excluding 6, 17, and 58.
For TCP or UDP binding, specify a port number or a port range (min-port-no-max-port-no format) that you want matched to the attack.
For RPC binding, specify the RPC program number (ID) that you want matched to the attack.
For service binding, select the service that you want matched to the attack.
Specify the number of times that IPS detects the attack within the specified time scope before triggering an event.
Specify the scope within which the counting of the attack occurs:
Specify a false positives filter to track attack objects based on the frequency that the attack produces a false positive on your network:
Specify this filter to select only the appropriate attacks based on performance impact; for example to filter out slow-performing attack objects:
You can specify one or more signature attack objects that use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.
Note: For a customized IPS signature, you must specify at least one signature attack object or anomaly.
Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used.
You can add, modify, or delete anomaly attack objects:
Table 2: Add Signature Settings
Displays the system-generated signature number; you cannot modify this field.
Select the attack context, which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.
Select the connection direction of the attack:
Enter the signature pattern (in Juniper Networks proprietary regular expression syntax) of the attack you want to detect.
An attack pattern can be a segment of code, a URL, or a value in a packet header and the signature pattern is the syntactical expression that represents that attack pattern.
For example, use
Enter a regular expression to define rules to match malicious or unwanted behavior over the network. For example: For the syntax \[hello\], the expected pattern is hello, which is case sensitive. The example matches can be: hElLo, HEllO, and heLLO.
Select this check box to exclude the specified pattern from being matched. When you negate a pattern, the attack is considered matched if the pattern defined in the attack does not match the specified pattern.
Table 3: Add Anomaly Settings
Displays the system-generated anomaly number; you cannot modify this field.
Select the protocol (service) whose anomaly is being defined in the attack.
Select the connection direction of the attack: