
Understanding IPS Signatures

The intrusion prevention system (IPS) compares traffic against signatures of known threats and blocks traffic when a threat is detected. Network intrusions are attacks on, or other misuses of, network resources. To detect such activity, IPS uses signatures. A signature specifies the types of network intrusions that you want the device to detect and report. Whenever traffic matches a signature, IPS triggers an alarm and blocks the traffic from reaching its destination. The signature database is one of the major components of IPS. It contains definitions of different objects, such as attack objects, application signature objects, and service objects, which are used in defining IPS policy rules.

To keep IPS policies organized and manageable, attack objects can be grouped. An attack object group can contain one or more types of attack objects. Junos OS supports the following three types of attack groups:

Signature attack objects use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks. They also include:

Signatures can produce false positives, because certain normal network activity can be construed as malicious. For example, some network applications or operating systems send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by editing your signature parameters to fine-tune your signatures.
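The ICMP false positive described above, as an added example that is not Junos OS or Security Director code: a simple sweep signature is run over constructed events with loose and then tuned parameters. The function names, addresses, thresholds, and window sizes are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def icmp_sweep_alerts(events, min_targets, window_s):
    """Return the sources that sent ICMP echo requests to at least
    min_targets distinct destinations within any window_s-second span.
    min_targets and window_s stand in for tunable signature parameters."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    alerted = set()
    for ts, src, dst in sorted(events):
        q = recent[src]
        q.append((ts, dst))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len({d for _, d in q}) >= min_targets:
            alerted.add(src)
    return alerted

def build_sample_events():
    """Constructed sample data: (timestamp_seconds, source, destination)."""
    events = []
    # Normal activity: a monitoring host polls the same 5 servers once a
    # minute for 5 minutes.
    for minute in range(5):
        for i in range(5):
            events.append((minute * 60 + i * 0.1, "10.0.0.5", f"10.0.1.{i + 1}"))
    # Network mapping: one source probes 40 distinct addresses in 2 seconds.
    for i in range(40):
        events.append((400 + i * 0.05, "10.0.9.9", f"10.0.2.{i + 1}"))
    return events

if __name__ == "__main__":
    events = build_sample_events()
    # Loose parameters: the monitoring host is flagged too (false positive).
    print("loose:", sorted(icmp_sweep_alerts(events, min_targets=5, window_s=60)))
    # Tuned parameters: only the rapid, wide sweep still matches.
    print("tuned:", sorted(icmp_sweep_alerts(events, min_targets=20, window_s=10)))
```

Raising the threshold trades false positives for sensitivity: a sweep slower or narrower than the tuned parameters would no longer match, so tuning should be checked against both benign and known-bad traffic samples.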

You can create, filter, modify, or delete IPS signatures on the IPS Policy Signatures page in Security Director. You can download and install the signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configuring these tasks to recur at specific time intervals. This ensures that your signature database is current.
