
    Specifying Rule Session Action (NSM Procedure)

    Actions are responses to sessions that match the source/destination condition and attack object pattern. Actions are what protect your network from attacks.

    If a packet triggers multiple rule actions, the IDP engine takes the most severe action. For example, if a rule with a DiffServ marking action and a rule with a drop action both match, the IDP engine takes the drop action.

    Table 1 describes the actions you can set for IDP rulebase rules.

    To modify action settings:

    1. In the NSM navigation tree, select Policy Manager > Security Policies.
    2. Select the security policy you want to edit.
    3. In the security policy pane, click the IDP tab to display the IDP rulebase table.
    4. Modify action settings by right-clicking the table cell and selecting your setting.
    5. Click OK to save your changes.

    Table 1: IDP Rulebase Actions

    Each entry gives the action name followed by its function.

    Recommended
        Takes the action recommended in the predefined attack object. The recommended action is related to severity. Table 2 lists the recommended actions by severity.

    None
        Inspects the session but takes no action against the connection.

    Ignore
        Ignores the match and does not inspect the remainder of the connection.

    Drop Packet
        Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service (DoS) condition that prevents you from receiving traffic from a legitimate source address.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. Therefore, this action has no effect in sniffer mode.

    Drop Connection
        Drops the connection without sending an RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic not prone to spoofing.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. Therefore, this action has no effect in sniffer mode.

    Close Client
        Closes the connection to the client but not to the server.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the device can send an RST packet to both the client and server but does not close the connection.
        Note: In VLAN tagged MPLS traffic, the Close Client action drops the connection instead of closing it.

    Close Server
        Closes the connection to the server but not to the client.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the device can send an RST packet to both the client and server but does not close the connection.

    Close Client and Server
        Closes the connection and sends an RST packet to both the client and the server.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. However, if you use ACM to configure a sniffer mode reset interface, the device can send an RST packet to both the client and server but does not close the connection.

    Diffserv Marking
        Assigns the indicated service-differentiation value to the packet, and then passes it on normally. Set the service-differentiation value in the dialog box that appears when you select this action in the rulebase.
        Note: In sniffer mode, the IDP Series device is not in the path of network traffic. Therefore, this action has no effect in sniffer mode.

    Table 2 describes the logic applied to the value Recommended, a setting coded in predefined attack objects provided by Juniper Networks Security Center.

    Table 2: Recommended Actions by Severity

    Critical
        Description: Attacks attempt to evade an intrusion prevention system, crash a machine, or gain system-level privileges.
        Recommended action: Drop Packet, Drop Connection

    Major
        Description: Attacks attempt to crash a service, perform a denial of service, install or use a Trojan, or gain user-level access to a host.
        Recommended action: Drop Packet, Drop Connection

    Minor
        Description: Attacks attempt to obtain critical information through directory traversal or information leaks.
        Recommended action: None

    Warning
        Description: Attacks attempt to obtain noncritical information or scan the network. They can also be obsolete attacks.
        Recommended action: None

    Info
        Description: Attacks are normal, harmless traffic containing URLs, DNS lookup failures, and SNMP public community strings. You can use informational attack objects to obtain information about your network.
        Recommended action: None

    Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures).
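    As an added example that is not from the Juniper documentation or the NSM product, the following Python models the two rules this page states: a rule set to Recommended resolves through Table 2, and when several rules match one packet the engine takes the most severe action; it also flags rules whose action has no effect in sniffer mode per the Table 1 notes. The total ordering of actions and the choice of Drop Connection for Critical/Major are my assumptions, since the page only states that a drop action outranks a DiffServ marking action.

```python
# Added example, not NSM product code. The severity ordering below is an
# assumption: the page only states that a drop action outranks DiffServ marking.
ACTION_SEVERITY = [
    "None", "Ignore", "Diffserv Marking", "Close Client", "Close Server",
    "Close Client and Server", "Drop Packet", "Drop Connection",
]

# Table 2. The page lists "Drop Packet, Drop Connection" for Critical and Major;
# resolving that to Drop Connection is an assumption made for this example.
RECOMMENDED_BY_SEVERITY = {
    "Critical": "Drop Connection",
    "Major": "Drop Connection",
    "Minor": "None",
    "Warning": "None",
    "Info": "None",
}

# Table 1 notes: out of the traffic path in sniffer mode, these actions do nothing.
NO_EFFECT_IN_SNIFFER_MODE = {"Drop Packet", "Drop Connection", "Diffserv Marking"}


def resolve_action(rule_action, attack_severity=None):
    """Resolve a rule's configured action to a concrete action.

    "Recommended" is looked up in Table 2 using the matched attack object's
    severity; any other action is returned unchanged.
    """
    if rule_action == "Recommended":
        if attack_severity not in RECOMMENDED_BY_SEVERITY:
            raise ValueError(f"unknown attack severity: {attack_severity!r}")
        return RECOMMENDED_BY_SEVERITY[attack_severity]
    if rule_action not in ACTION_SEVERITY:
        raise ValueError(f"unknown rule action: {rule_action!r}")
    return rule_action


def most_severe_action(matches):
    """Precedence rule: when several rules match one packet, the IDP engine
    takes the most severe action. `matches` holds (rule_action, severity)."""
    resolved = [resolve_action(action, sev) for action, sev in matches]
    return max(resolved, key=ACTION_SEVERITY.index)


def ineffective_rules(rules, sniffer_mode):
    """Policy check: names of rules whose action has no effect in the given
    deployment mode. `rules` holds (name, rule_action, attack_severity)."""
    if not sniffer_mode:
        return []
    return [name for name, action, sev in rules
            if resolve_action(action, sev) in NO_EFFECT_IN_SNIFFER_MODE]
```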


    Published: 2011-02-08