Create IPS Signatures

The signature database in Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) signatures that you can use. From the Create IPS Signature page, users with the tenant administrator role or a custom role with appropriate IPS tasks can also create customized IPS signatures to block newer attacks or unknown attacks.

Procedure

To create a customized IPS signature:

  1. Select Configuration > IPS > IPS Signatures.

    The IPS Signatures page appears.

  2. Select Create > IPS Signature.

    The Create IPS Signature page appears.

  3. Complete the configuration according to the guidelines in Table 219.

    Note: Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    You are returned to the IPS Signatures page and a message indicating that the signature is created is displayed.

After you create an IPS signature, you can use the signature in an IPS or an exempt rule and reference the IPS profile (containing the rule) in a firewall policy that you can then deploy on the device.

Table 219: Create IPS Signature Settings


Setting

Guideline

Name

Enter a unique name for the IPS signature that is a string of alphanumeric characters and some special characters (colon, hyphen, period, and underscore). No spaces are allowed and the maximum length is 255 characters.

Description

Enter a description for the IPS signature; the maximum length is 1024 characters.

Category

Enter a predefined category or a new category. The category can contain alphanumeric characters and special characters (hyphen and underscore) and must begin with an alphanumeric character. No spaces are allowed and the maximum length is 63 characters.

You use categories to group attack objects and then within each category, you can assign severity levels to the attack objects.

Action

Select the action to take when the monitored traffic matches the attack objects specified in the IPS rule:

  • None—No action is taken. Use this action to only generate logs for some traffic.

  • Close Client & Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.

  • Close Client—Closes the connection and sends an RST packet to the client, but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server, but not to the client.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

  • Drop—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

Keywords

Enter unique identifiers that can be used to search and sort signatures. Keywords should relate to the attack and the attack object. For example, Amanda Amindexd Remote Overflow.

Severity

Select a severity level for the attack that the signature will report:

  • Critical—Contains attack objects matching exploits that attempt to evade detection, cause a network device to crash, or gain system-level privileges.

  • Major—Contains attack objects matching exploits that attempt to disrupt a service, gain user-level access to a network device, or activate a Trojan horse previously loaded on a device.

  • Minor—Contains attack objects matching exploits that detect reconnaissance efforts attempting to access vital information through directory traversal or information leaks.

  • Warning—Contains attack objects matching exploits that attempt to obtain noncritical information or scan a network with a scanning tool.

  • Info—Contains attack objects matching normal, harmless traffic containing URLs, DNS lookup failures, SNMP public community strings, and peer-to-peer (P2P) parameters. You can use informational attack objects to obtain information about your network.

Signature Details


Binding

Select the protocol or service that the attack uses to enter your network:

  • IP—Match the attack for a specified protocol type number, which you must specify in the Protocol field.

  • IPv6—Match the attack for a specified protocol type number (for the header following the IPv6 header), which you must specify in the Next Header field.

  • ICMP—Match the attack for ICMP packets.

  • ICMPv6—Match the attack for ICMPv6 packets.

  • TCP—Match the attack for specified TCP ports or port ranges, which you must specify in the Port Range(s) field.

  • UDP—Match the attack for specified UDP ports or port ranges.

  • RPC—Match the attack for a specified remote procedure call (RPC) program number, which you must specify in the Program Number field.

  • Service—Match the attack for a specified service, which you must choose from the Service field.

Protocol

For IP binding, specify the transport layer protocol number that you want matched to the attack.

Range: 1 through 139 excluding 1, 6, and 17.

Next Header

For IPv6 binding, specify the transport layer protocol number for the next header following the IPv6 header with which to match the attack.

Range: 1 through 139 excluding 6, 17, and 58.

Port Range(s)

For TCP or UDP binding, specify a port number or a port range (min-port-no-max-port-no format) that you want matched to the attack.

Program Number

For RPC binding, specify the RPC program number (ID) that you want matched to the attack.

Service

For service binding, select the service that you want matched to the attack.

Time Count

Specify the number of times that IPS detects the attack within the specified time scope before triggering an event.

Time Scope

Specify the scope within which the counting of the attack occurs:

  • Source IP—Detect attacks from the source IP address for the specified time count regardless of the destination IP address.

  • Dest IP—Detect attacks from the destination IP address for the specified time count regardless of the source IP address.

  • Peer—Detect attacks between source and destination IP addresses of the sessions for the specified time count.
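The Time Count and Time Scope settings above describe threshold-style detection: a hit is only reported once the same attack has been seen a given number of times for the same source IP, destination IP, or source/destination pair. The Python sketch below, added here to illustrate that counting logic, is not CSO or Junos code. It assumes a sliding time window whose length (`window_seconds`) is a parameter, because the page does not state how long the counting window is, and it uses constructed sample events rather than real IPS logs.

```python
from collections import defaultdict, deque

# Scope names follow the page's Time Scope options; the string values are
# this example's own labels, not CSO identifiers.
SCOPES = ("source-ip", "destination-ip", "peer")


class TimeBoundCounter:
    """Counts hits of one attack per scope key inside a sliding window.

    count          -- Time Count: hits needed before an event is triggered
    window_seconds -- assumed window length (not specified on the page)
    """

    def __init__(self, scope: str, count: int, window_seconds: int):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        if count < 1:
            raise ValueError("count must be at least 1")
        self.scope = scope
        self.count = count
        self.window = window_seconds
        self.hits = defaultdict(deque)  # scope key -> timestamps of hits

    def key(self, src: str, dst: str):
        # Source IP: destination is ignored; Dest IP: source is ignored;
        # Peer: both addresses must match.
        if self.scope == "source-ip":
            return (src,)
        if self.scope == "destination-ip":
            return (dst,)
        return (src, dst)

    def observe(self, ts: int, src: str, dst: str) -> bool:
        """Record one signature match; return True when the threshold is reached."""
        q = self.hits[self.key(src, dst)]
        while q and ts - q[0] > self.window:  # drop hits outside the window
            q.popleft()
        q.append(ts)
        if len(q) >= self.count:
            q.clear()  # start a fresh count so each event fires once
            return True
        return False


# Constructed sample hits: (timestamp in seconds, source IP, destination IP).
SAMPLE_EVENTS = [
    (0, "10.0.0.1", "192.0.2.10"),    # same source, three destinations
    (10, "10.0.0.1", "192.0.2.11"),
    (20, "10.0.0.1", "192.0.2.12"),
    (100, "10.0.0.2", "192.0.2.10"),  # three sources, same destination
    (110, "10.0.0.3", "192.0.2.10"),
    (120, "10.0.0.4", "192.0.2.10"),
    (200, "10.0.0.1", "192.0.2.10"),  # same source/destination pair
    (210, "10.0.0.1", "192.0.2.10"),
    (220, "10.0.0.1", "192.0.2.10"),
    (300, "10.0.0.5", "192.0.2.20"),  # too slow: spread beyond the window
    (400, "10.0.0.5", "192.0.2.20"),
    (500, "10.0.0.5", "192.0.2.20"),
]


def run_demo(scope: str, count: int = 3, window_seconds: int = 60) -> list:
    """Replay SAMPLE_EVENTS and return the timestamps at which events trigger."""
    counter = TimeBoundCounter(scope, count, window_seconds)
    return [ts for ts, src, dst in SAMPLE_EVENTS if counter.observe(ts, src, dst)]


if __name__ == "__main__":
    for scope in SCOPES:
        print(f"{scope:15s} triggers at {run_demo(scope)}")
```

With a Time Count of 3 and a 60-second window, the Source IP scope fires for the first burst (one source, many destinations) and for the repeated pair; the Dest IP scope fires for the second burst and the repeated pair; the Peer scope fires only for the repeated pair; the slow burst never fires under any scope because its hits fall outside the window.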

Match Assurance

Specify a false positives filter to track attack objects based on the frequency that the attack produces a false positive on your network:

  • High—Provides information on the frequently tracked false positive occurrences.

  • Medium—Provides information on the occasionally tracked false positive occurrences.

  • Low—Provides information on the rarely tracked false positive occurrences.

Performance Impact

Specify this filter to select only the appropriate attacks based on performance impact; for example to filter out slow-performing attack objects:

  • High—Add high performance impact attack objects that are vulnerable to an attack. The performance impact of signatures is high7 to high9, where the application identification is slow.

  • Medium—Add medium performance impact attack objects that are vulnerable to an attack. The performance impact of signatures is medium4 to medium6, where the application identification is normal.

  • Low—Add low performance impact attack objects that are vulnerable to an attack. The performance impact of signatures is low1 to low3, where the application identification is faster.

  • Unknown—Add attack objects whose performance impact is unknown.

Add Signature

You can specify one or more signature attack objects that use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.

Note: For a customized IPS signature, you must specify at least one signature attack object or anomaly.

  • To add a signature attack object:

    Procedure

    1. Click the add (+) icon.

      The Add Signature page appears.

    2. Complete the configuration according to the guidelines in Table 220.
    3. Click OK.

      You are returned to the previous page and the signature attack object is displayed in the table.

  • To modify a signature attack object that you added:

    Procedure

    1. Select an attack object and click the edit (pencil) icon.

      The Edit Signature page appears, displaying the same fields that appear when you add a signature attack object.

    2. Modify the fields as needed. See Table 220.
    3. Click OK.

      Your modifications are saved and you are returned to the previous page.

  • To delete a signature attack object that you added:

    Procedure

    1. Select an attack object and click the delete (trash can) icon.

      A popup appears asking you to confirm the delete operation.

    2. Click Yes.

      The signature attack object is deleted and you are returned to the previous page.

Add Anomaly

Note:

  • The Add Anomaly field is displayed only if you specify a service binding.

  • For a customized IPS signature, you must specify at least one signature attack object or anomaly.

Protocol anomaly attack objects detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used.

You can add, modify, or delete anomaly attack objects:

  • To add an anomaly:

    Procedure

    1. Click the add (+) icon.

      The Add Anomaly page appears.

    2. Complete the configuration according to the guidelines in Table 221.
    3. Click OK.

      You are returned to the previous page and the anomaly is displayed in the table.

  • To modify an anomaly that you added:

    Procedure

    1. Select an anomaly and click the edit (pencil) icon.

      The Edit Anomaly page appears, displaying the same fields that appear when you add an anomaly.

    2. Modify the fields as needed. See Table 221.
    3. Click OK.

      Your modifications are saved and you are returned to the previous page.

  • To delete an anomaly that you added:

    Procedure

    1. Select an anomaly and click the delete (trash can) icon.

      A popup appears asking you to confirm the delete operation.

    2. Click Yes.

      The signature anomaly is deleted and you are returned to the previous page.

Table 220: Add Signature Settings


Setting

Guideline

Signature No.

Displays the system-generated signature number; you cannot modify this field.

Context

Select the attack context, which defines the location of the signature where IPS should look for the attack in a specific Application Layer protocol.

Direction

Select the connection direction of the attack:

  • Any—Detect the attack for traffic in either direction.

  • Client to Server—Detect the attack only in client-to-server traffic.

  • Server to Client—Detect the attack only in server-to-client traffic.

Pattern

Enter the signature pattern (in Juniper Networks proprietary regular expression syntax) of the attack you want to detect.

An attack pattern can be a segment of code, a URL, or a value in a packet header and the signature pattern is the syntactical expression that represents that attack pattern.

For example, use \[<character-set>\] for case-insensitive matches.

Regex

Enter a regular expression to define rules to match malicious or unwanted behavior over the network. For example: for the syntax \[hello\], the expected pattern is hello, matched case-insensitively. Example matches are hElLo, HEllO, and heLLO.

Negated

Select this check box to exclude the specified pattern from being matched. When you negate a pattern, the attack is considered matched if the pattern defined in the attack does not match the specified pattern.
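To make the Pattern, Regex, and Negated settings concrete, the Python example below, added here and not part of CSO or its signature engine, shows how the case-insensitive \[...\] construct and the Negated check box change what a pattern matches. It handles only the \[<character-set>\] construct described on the page; everything outside it is passed through as ordinary Python regular-expression syntax, which is an assumption about the rest of the proprietary syntax, and the payloads are constructed samples.

```python
import re

# Matches one Juniper-style case-insensitive group: a literal "\[" ... "\]".
_CI_GROUP = re.compile(r"\\\[(.*?)\\\]")


def to_python_regex(juniper_pattern: str) -> str:
    """Translate \[text\] into a scoped case-insensitive group (?i:text).

    Only the construct shown on the page is handled; any other text is
    assumed to be plain regular-expression syntax and is left untouched.
    """
    return _CI_GROUP.sub(lambda m: "(?i:" + m.group(1) + ")", juniper_pattern)


def signature_matches(juniper_pattern: str, payload: str, negated: bool = False) -> bool:
    """Return True when the attack object would be considered matched.

    With negated=True the object matches when the pattern is absent, as the
    Negated setting describes.
    """
    found = re.search(to_python_regex(juniper_pattern), payload) is not None
    return found != negated


def match_with_direction(juniper_pattern: str, payload: str, direction: str,
                         packet_direction: str, negated: bool = False) -> bool:
    """Apply the Direction setting before the pattern test.

    direction: "any", "client-to-server" or "server-to-client"
    (this example's own labels for the page's Direction options).
    """
    if direction != "any" and direction != packet_direction:
        return False
    return signature_matches(juniper_pattern, payload, negated)


# Constructed sample payloads; the only attack content is the word "hello".
SAMPLES = {
    "hElLo there": True,   # case differs but matches the \[hello\] group
    "HELLO": True,
    "help": False,         # prefix only, no match
    "say hel lo": False,   # group is contiguous, spaces break it
}


def run_demo() -> dict:
    """Evaluate the page's example pattern against the sample payloads."""
    return {p: signature_matches(r"\[hello\]", p) for p in SAMPLES}


if __name__ == "__main__":
    print(to_python_regex(r"\[hello\]"))
    for payload, hit in run_demo().items():
        print(f"{payload!r:16s} -> {'match' if hit else 'no match'}")
```

Note that the case-insensitive scope is local to the bracketed group: in a pattern such as `GET \[/admin\]`, the literal `GET` outside the group is still matched exactly, which is what a scoped `(?i:...)` group reproduces.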

Table 221: Add Anomaly Settings


Setting

Guideline

Anomaly No.

Displays the system-generated anomaly number; you cannot modify this field.

Anomaly

Select the protocol (service) whose anomaly is being defined in the attack.

Direction

Select the connection direction of the attack:

  • Any—Detect the attack for traffic in either direction.

  • Client to Server—Detect the attack only in client-to-server traffic.

  • Server to Client—Detect the attack only in server-to-client traffic.