Creating IPS Signature Dynamic Groups

Use the IPS Signature Dynamic Group page to group attack objects by matching criteria. Dynamic group members can be either predefined or custom attack objects. During a signature update, the dynamic group membership is automatically recomputed from the matching criteria for that group. For example, you can dynamically group the attacks related to a specific application using the dynamic attack group filters.

Note A dynamic group cannot contain another group (predefined, static, or dynamic). However, you can include a dynamic group as a member of a static group.

You use dynamic groups so that an attack database update automatically populates the group with relevant members. This eliminates the need to review each new signature to determine if you need to use it in your existing security policy.

Before You Begin

Procedure

To configure an IPS signature dynamic group:

  1. Select Configure > IPS Policy > Signatures.
  2. Click Create.
  3. Select Dynamic Group.
  4. Complete the configuration according to the guidelines provided in Table 215.
  5. Click OK.

A new IPS signature dynamic group with the configured filters is created. You can use this group in IPS policies.

Table 215: IPS Signature Dynamic Group Settings

 

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

Severity

Specify a severity filter to add attack objects based on attack severity levels.

Select an option:

  • Info—Provides information about activity on the network, such as applications that are running, potentially vulnerable software, and best-practice violations. Generally, information attacks are not malicious activity.

  • Warning—Issues a warning when the attack matches. Warning attacks are suspicious in nature, such as scans and other reconnaissance attempts.

  • Minor—Attacks that use information-leakage techniques, including those that exploit vulnerabilities to reveal information about the target.

  • Major—Attacks that try to gain user-level access to a system or to crash a particular service or application.

  • Critical—Attacks that try to gain root-level access to a system or to crash the entire system.

Service

Select one or more available services to include in a dynamic group.

Category

Select one or more available categories to include in a dynamic group.

Recommended

Specify this filter to add recommended Juniper Networks predefined attack objects to the dynamic group, or specify non-recommended attack objects to the dynamic attack group.

Specify an option:

  • Yes—Adds predefined attacks recommended by Juniper Networks to the dynamic group.

  • No—Adds non-recommended attack objects to the dynamic group.

Direction

Specify this filter to add predefined attacks to the dynamic group based on the direction specified in the attacks.

Select an option:

  • Any—Monitors traffic from client-to-server or server-to-client.

  • CTS—Monitors traffic from client-to-server only. Most attacks occur over client-to-server connections.

  • STC—Monitors traffic from server-to-client only.

Expression

Matches the expression against attack member name patterns using Boolean operators. A member name is the name of an attack member in an IPS attack. For example: m01 AND m02, where m01 and m02 are the attack members.

  • AND—If both member name patterns match, the expression matches.

  • OR—If either of the member name patterns matches, the expression matches.

For SRX Series devices, expression and order cannot be configured together; only one of them can be specified.
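The following is an added example, not code from Security Director or Junos, that evaluates an attack member expression the way the AND and OR rules above describe, against the set of member names that have matched so far. The tokenizer, the `evaluate` and `referenced_members` functions, the accepted member-name characters and the member names m01 through m03 are assumptions made here for illustration; AND is given higher precedence than OR and parentheses are accepted for grouping, which the page does not state.

```python
# Added example (not Juniper code): evaluates an attack member expression
# such as "m01 AND m02" against the member names that have matched so far.
import re
from typing import Iterable, List, Set

# A token is a parenthesis, an operator, or a member name (name pattern assumed here).
_TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|[A-Za-z0-9_.:-]+)")
_RESERVED = {"(", ")", "AND", "OR"}


def tokenize(expression: str) -> List[str]:
    """Split an expression into member names, operators and parentheses."""
    expression, pos, tokens = expression.strip(), 0, []
    while pos < len(expression):
        m = _TOKEN.match(expression, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {expression[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def referenced_members(expression: str) -> Set[str]:
    """Member names the expression uses; compare against the attack's defined members."""
    return {t for t in tokenize(expression) if t not in _RESERVED}


class _Parser:
    """Recursive descent: OR binds loosest, AND tighter, parentheses group.
    Each member name evaluates to whether it is in the matched set."""

    def __init__(self, tokens: List[str], matched: Set[str]):
        self.tokens, self.matched, self.pos = tokens, matched, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self) -> bool:
        result = self.parse_and()
        while self.peek() == "OR":
            self.take()
            result = self.parse_and() or result   # always parse the right side
        return result

    def parse_and(self) -> bool:
        result = self.parse_atom()
        while self.peek() == "AND":
            self.take()
            result = self.parse_atom() and result
        return result

    def parse_atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            result = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return result
        if tok is None or tok in _RESERVED:
            raise ValueError(f"expected a member name, got {tok!r}")
        return tok in self.matched


def evaluate(expression: str, matched: Iterable[str]) -> bool:
    """True if the expression is satisfied by the given matched member names."""
    parser = _Parser(tokenize(expression), set(matched))
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result
```

A malformed expression (a dangling AND, an unbalanced parenthesis, two member names with no operator between them) raises ValueError instead of silently matching, and `referenced_members` lets you confirm before committing that every name in the expression is one of the attack's members. The order alternative that SRX Series devices offer (members must match in sequence) is not modeled here.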

Performance Impact

Specify this filter to filter out slow-performing attack objects. You can use this filter to only select the appropriate attacks based on performance impacts.

Select an option:

  • High—Adds attack objects with a high performance impact (signature performance rating high7 to high9); application identification is slow.

  • Medium—Adds attack objects with a medium performance impact (rating medium4 to medium6); application identification is normal.

  • Low—Adds attack objects with a low performance impact (rating low1 to low3); application identification is faster.

  • Unknown—Adds attack objects whose performance impact is unrated (rating 0 = unknown); application identification speed is also unknown. All attack objects start with this setting; as you fine-tune IPS to your network traffic, you can change it to help you track performance impact.

False Positives

Specify this filter to track attack objects based on the frequency that the attack produces a false positive on your network.

Select an option:

  • High—Adds attack objects that produce false positives frequently on your network.

  • Medium—Adds attack objects that produce false positives occasionally.

  • Low—Adds attack objects that rarely produce false positives.

  • Unknown—Adds attack objects whose false-positive frequency has not been rated. All attack objects start with this setting; as you fine-tune IPS to your network traffic, you can change it to help you track false positives.

Object Type

Specify this filter to group attack objects by type (anomaly or signature).

Select an option:

  • Protocol Anomaly—Detects unknown or sophisticated attacks that violate protocol specifications (RFCs and common RFC extensions). You cannot create new protocol anomalies, but you can configure a new attack object that controls how your device handles a predefined protocol anomaly when detected.

  • Signature—Detects known attacks using stateful attack signatures. A stateful attack signature is a pattern that always exists within a specific section of the attack. Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.

Vendor Description

Specify this filter to add attack objects based on the application that is vulnerable to the attack.

  • Product Type—Specify this filter to include signatures belonging to the selected product type.

    Note: Starting in Junos OS Release 18.2, only the product type value All is supported, so all vendor names are displayed in the drop-down.

    For Junos OS Release 18.1 and earlier, you can select a value for the product type, and the corresponding vendor names are displayed in the drop-down.

  • Vendor Name—Select the name of the vendor for the dynamic signature. For example: Juniper Networks.

  • Title/Product Name—Specify this filter to include signatures belonging to the selected product name. The product names are populated only when you select a product type and a vendor.

CVSS-Score

Specify the Common Vulnerability Scoring System (CVSS) to be used as a filter criteria to include IPS signatures as part of the dynamic group.

  • Less-than—Select the Enable check box to include only attack objects whose CVSS score is less than the value you specify. The range is 0 through 10.

  • Greater-than—Select the Enable check box to include only attack objects whose CVSS score is greater than the value you specify. The range is 0 through 10.

Note: CVSS-Score is supported on devices running Junos OS Release 18.2 onward. If you try to publish IPS policy on devices running Junos OS Release 18.1 or earlier, then publish will fail.

CVSS is an open framework for rating the severity of security vulnerabilities in computer systems.

Scores range from 0 to 10, with 10 being the most severe. The CVSS assessment measures three areas of concern:

  • Base Metrics for qualities intrinsic to a vulnerability

  • Temporal Metrics for characteristics that evolve over the lifetime of vulnerability

  • Environmental Metrics for vulnerabilities that depend on a particular implementation or environment

A numerical score is generated for each of these metric groups.

Age of attack

  • Less-than—Select the Enable check box to include only attack objects whose age of attack (in years) is less than the value you specify. The range is 1 through 100.

  • Greater-than—Select the Enable check box to include only attack objects whose age of attack (in years) is greater than the value you specify. The range is 1 through 100.

Note: Age of attack is supported on devices running Junos OS Release 18.2 onward. If you try to publish IPS policy on devices running Junos OS Release 18.1 or earlier, then publish will fail.

File Type

Select the file type of the attack as a filter criterion; for example, PDF.

Note: File Type is supported on devices running Junos OS Release 18.2 onward. If you try to publish IPS policy on devices running Junos OS Release 18.1 or earlier, then publish will fail.

Vulnerability Type

Select the vulnerability type of the attack as a filter criterion; for example, overflow.

Note: Vulnerability Type is supported on devices running Junos OS Release 18.2 onward. If you try to publish IPS policy on devices running Junos OS Release 18.1 or earlier, then publish will fail.

Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. Using the vulnerability type, you can perform vulnerability scanning. Vulnerability scanning is an inspection of the potential points of exploit on a network to identify security issues. A vulnerability scan detects and classifies system weaknesses in a network and predicts the effectiveness of countermeasures.
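The following is an added example, not Juniper's code or signature-package format, showing how the filters of Table 215 combine to select group members and why a signature update can add members without anyone editing the group: it models a small constructed attack database, applies a group's criteria, then re-evaluates the same group after new attack objects arrive. The `AttackObject` and `DynamicGroup` classes, their field names, the sample attack objects and vendor name, and the treatment of attack objects that carry no CVSS score or age (excluded once such a filter is set) are assumptions made here for illustration.

```python
# Added example (not Juniper code); field names and sample values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AttackObject:
    """Constructed metadata for one predefined attack object."""
    name: str
    severity: str          # info | warning | minor | major | critical
    service: str
    category: str
    direction: str         # cts | stc | any
    recommended: bool
    performance: str       # high | medium | low | unknown
    false_positives: str   # high | medium | low | unknown
    object_type: str       # signature | anomaly
    vendor: str
    cvss: Optional[float] = None   # None: the signature carries no score
    age_years: Optional[int] = None
    file_type: Optional[str] = None
    vulnerability_type: Optional[str] = None


def _bounded(value, less_than, greater_than) -> bool:
    # Strict < and >, as the page states; assumption: no score/age -> excluded once set.
    if less_than is None and greater_than is None:
        return True
    return (value is not None and (less_than is None or value < less_than)
            and (greater_than is None or value > greater_than))


@dataclass
class DynamicGroup:
    """Filter criteria; anything left empty or None does not restrict membership."""
    name: str
    sets: Dict[str, Set[str]] = field(default_factory=dict)  # field -> allowed values (OR)
    direction: str = "any"               # any | cts | stc
    recommended: Optional[bool] = None
    object_type: Optional[str] = None    # signature | anomaly
    cvss_less_than: Optional[float] = None
    cvss_greater_than: Optional[float] = None
    age_less_than: Optional[int] = None
    age_greater_than: Optional[int] = None

    def validate(self) -> None:
        """Reject unknown filter names and thresholds outside the page's ranges."""
        for f in self.sets:
            if f not in AttackObject.__dataclass_fields__:
                raise ValueError(f"unknown filter {f!r}")
        for v, lo, hi in ((self.cvss_less_than, 0, 10), (self.cvss_greater_than, 0, 10),
                          (self.age_less_than, 1, 100), (self.age_greater_than, 1, 100)):
            if v is not None and not lo <= v <= hi:
                raise ValueError(f"threshold {v} is outside {lo}..{hi}")

    def matches(self, obj: AttackObject) -> bool:
        """Every configured criterion must hold (criteria are ANDed)."""
        for f, allowed in self.sets.items():
            if allowed and getattr(obj, f) not in allowed:
                return False
        if self.direction != "any" and obj.direction != self.direction:
            return False
        if self.recommended is not None and obj.recommended != self.recommended:
            return False
        if self.object_type is not None and obj.object_type != self.object_type:
            return False
        return (_bounded(obj.cvss, self.cvss_less_than, self.cvss_greater_than)
                and _bounded(obj.age_years, self.age_less_than, self.age_greater_than))

    def members(self, database: Dict[str, AttackObject]) -> List[str]:
        """Recompute membership from the current database; nothing is cached."""
        self.validate()
        return sorted(n for n, o in database.items() if self.matches(o))


def _obj(name, severity, service, direction, recommended, **kw) -> AttackObject:
    """Shorthand for the constructed sample objects (category = service)."""
    return AttackObject(name, severity, service, service, direction, recommended,
                        kw.pop("performance", "medium"), kw.pop("false_positives", "low"),
                        kw.pop("object_type", "signature"), "ExampleVendor", **kw)


# Constructed attack database before a signature update.
ATTACK_DB = {o.name: o for o in [
    _obj("HTTP:OVERFLOW:EX-1", "critical", "HTTP", "cts", True, cvss=9.8, age_years=2),
    _obj("HTTP:INFO:EX-2", "info", "HTTP", "cts", False, performance="low", false_positives="high"),
    _obj("SMB:EXPLOIT:EX-3", "major", "SMB", "cts", True, performance="high", cvss=7.5, age_years=6),
    _obj("TCP:ANOMALY:EX-4", "minor", "TCP", "any", True, object_type="anomaly"),
]}
# Constructed objects that a later signature update adds to the database.
UPDATE = [_obj("HTTP:RCE:EX-5", "critical", "HTTP", "cts", True, cvss=8.1, age_years=1),
          _obj("SMTP:INFO:EX-6", "info", "SMTP", "cts", False)]


def membership_before_and_after(group: DynamicGroup):
    """Same group evaluated before and after the update; matching new signatures join."""
    after_db = {**ATTACK_DB, **{o.name: o for o in UPDATE}}
    return group.members(ATTACK_DB), group.members(after_db)
```

Two behaviours of this model are worth carrying over when you build real groups: the Less-than and Greater-than thresholds are strict, so an attack object with a CVSS score of exactly 7.5 is not selected by a Greater-than 7.5 filter, and a group with no criteria at all selects the entire attack database, which is rarely what an IPS policy should carry.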