Creating IPS Signature Dynamic Groups
Use the IPS Signature Dynamic Group page to create a group of attack
objects that is populated by matching criteria rather than by hand. Dynamic group members
can be either predefined or custom attack objects. During a signature
update, the dynamic group membership is automatically recomputed against
the matching criteria for that group. For example, you can dynamically
group the attacks related to a specific application using the dynamic
attack group filters.
Note: A dynamic group cannot contain another group (predefined,
static, or dynamic). However, you can include a dynamic group as a
member of a static group.
You use dynamic groups so that an attack database update automatically
populates the group with relevant members. This eliminates the need
to review each new signature to determine whether you need to add it to
your existing security policy. The trade-off is that a broad filter also pulls in every
future signature that matches it, so keep the filters as narrow as the policy needs and use
Preview to check what the current database would place in the group.
Before You Begin
To configure an IPS signature dynamic group:
- Select Configure > IPS Policy > Signatures.
- Click Create.
- Select Dynamic Group.
- Complete the configuration according to the guidelines
provided in Table 1.
- Click OK.
A new IPS signature dynamic group with the specified filters
is created. You can use this group in IPS policies.
Table 1: IPS Signature Dynamic Group Settings
Settings | Guidelines |
---|---|
Name | Enter a unique string of alphanumeric characters, colons,
periods, dashes, and underscores. No spaces are allowed and the maximum
length is 63 characters. |
Preview | Preview a list of available signatures based on selected
dynamic group filters. |
Basic |
Recommended | Specify this filter to add only recommended Juniper Networks
predefined attack objects to the dynamic group, or only non-recommended
predefined attack objects. Select an option: |
Direction | Specify this filter to add predefined attack objects to the
dynamic group based on the direction specified in the attacks. Select an option:
Any—Monitors traffic from client-to-server or server-to-client.
CTS—Monitors traffic from client-to-server only. Most attacks occur over client-to-server connections.
STC—Monitors traffic from server-to-client only.
Expression—Matches the expression against member name patterns using Boolean operators. A member name is the name of an attack member in an IPS attack object:
AND—The expression matches only if both member name patterns match.
OR—The expression matches if either member name pattern matches.
For example: m01 AND m02, where m01 and m02 are the attack members. For SRX Series devices, expression and order cannot be configured
together; specify only one of them.
|
Match Assurance | Specify this filter to add attack objects based on
the frequency with which the attack produces a false positive on your network. Select an option:
High—Add attack objects with a high match assurance rating.
Medium—Add attack objects with a medium match assurance rating.
Low—Add attack objects with a low match assurance rating.
Unknown—Add attack objects that have no match assurance rating assigned.
|
Performance Impact | Specify this filter to exclude slow-performing attack
objects, so that the group contains only attacks whose inspection cost is acceptable
for your traffic. Select an option:
High—Add attack objects rated high7 to high9. These are the slowest to evaluate.
Medium—Add attack objects rated medium4 to medium6, with normal evaluation cost.
Low—Add attack objects rated low1 to low3. These are the fastest to evaluate.
Unknown—Add attack objects with no rating (0 = unknown). All attack objects default to unknown until rated;
as you fine-tune IPS to your network traffic, you can change this setting to help you track performance impact.
|
Object Type | Specify this filter to group attack objects by type (anomaly
or signature). Select an option:
Protocol Anomaly—Detects unknown or sophisticated attacks that violate protocol specifications (RFCs and common RFC
extensions). You cannot create new protocol anomalies, but you can
configure a new attack object that controls how your device handles
a predefined protocol anomaly when it is detected.
Signature—Detects known attacks using stateful attack signatures. A stateful attack signature is a pattern that always exists
within a specific section of the attack. Stateful signature attack
objects also include the protocol or service used to perpetrate the
attack and the context in which the attack occurs.
|
Vendor | Specify this filter to add attack objects based on the
vendor of the application that is vulnerable to the attack. Enter the vendor name, for example:
Juniper Networks. |
Advanced |
Category | Select one or more available categories to include in
a dynamic group. |
Service | Select one or more available services to include in a
dynamic group. |
Severity | Specify this filter to add attack objects based
on attack severity level. Select an option:
Critical—Attacks that try to gain root-level access to a system or to crash the entire system.
Major—Attacks that try to gain user-level access to a system or to crash a particular service or application.
Minor—Attacks that use information-leakage techniques, including those that exploit
vulnerabilities to reveal information about the target.
Warning—Attacks that are suspicious in nature, such as scans and
other reconnaissance attempts.
Info—Activity on the network, such as applications that are running, potentially vulnerable
software, and best-practice violations. Generally, Info attacks
are not malicious activity.
|
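The procedure above and Table 1 describe the filters; what they do not show is how membership behaves when the signature database changes. The following is an added example, not Juniper code: a small Python model in which each attack object carries the attributes the table filters on, a dynamic group is a set of filters, and membership is recomputed from whatever database is current. The attribute names, the rule that every configured filter must match while any listed value within one filter suffices, the glob treatment of member name patterns, and the sample attack objects are all assumptions made for this illustration.

```python
"""Illustrative model of IPS signature dynamic-group membership (added example, not Juniper code).
Field names, the AND-across-filters / OR-within-a-filter rule and the sample objects are assumptions."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Name rule from Table 1: alphanumerics, colons, periods, dashes, underscores; no spaces; max 63.
NAME_RE = re.compile(r"^[A-Za-z0-9:._-]{1,63}$")

def validate_group_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None

def impact_bucket(score: int) -> str:
    """Map the 0-9 performance-impact score to the bucket names used in Table 1."""
    if score == 0:
        return "unknown"
    if 1 <= score <= 3:
        return "low"
    if 4 <= score <= 6:
        return "medium"
    if 7 <= score <= 9:
        return "high"
    raise ValueError(f"performance impact must be 0-9, got {score}")

@dataclass(frozen=True)
class AttackObject:
    """Metadata an attack object carries in the signature database (assumed field set)."""
    name: str
    recommended: bool
    direction: str             # "cts", "stc" or "any"
    severity: str              # critical, major, minor, warning, info
    performance_impact: int    # 0 (unknown) .. 9
    object_type: str           # "signature" or "anomaly"
    vendor: str
    category: str
    service: str
    members: tuple = ()        # member names of a chain attack, for the Expression filter

@dataclass
class DynamicGroupFilter:
    """Filters of one dynamic group; an empty set or None means 'not filtered on'."""
    recommended: Optional[bool] = None
    direction: set = field(default_factory=set)
    expression: Optional[str] = None
    performance_impact: set = field(default_factory=set)   # bucket names: low/medium/high/unknown
    object_type: set = field(default_factory=set)
    vendor: set = field(default_factory=set)
    category: set = field(default_factory=set)
    service: set = field(default_factory=set)
    severity: set = field(default_factory=set)

def expression_matches(expression: str, members: tuple) -> bool:
    """Evaluate a member-name expression with one AND or OR; patterns are shell-style globs (assumed)."""
    def hit(pattern: str) -> bool:
        return any(fnmatchcase(m, pattern.strip()) for m in members)
    if " AND " in expression:
        return all(hit(p) for p in expression.split(" AND "))
    if " OR " in expression:
        return any(hit(p) for p in expression.split(" OR "))
    return hit(expression)

def matches(obj: AttackObject, flt: DynamicGroupFilter) -> bool:
    """Every configured filter must match (AND); any listed value within a filter suffices (OR)."""
    if flt.recommended is not None and obj.recommended != flt.recommended:
        return False
    if flt.expression is not None and not expression_matches(flt.expression, obj.members):
        return False
    checks = {
        "direction": obj.direction,
        "performance_impact": impact_bucket(obj.performance_impact),
        "object_type": obj.object_type, "vendor": obj.vendor,
        "category": obj.category, "service": obj.service, "severity": obj.severity,
    }
    return all(not getattr(flt, f) or v in getattr(flt, f) for f, v in checks.items())

def build_group(database: list, flt: DynamicGroupFilter) -> list:
    """Recompute membership from the current database, as a signature update would."""
    return sorted(o.name for o in database if matches(o, flt))

# Constructed sample database: names and attributes are invented for illustration.
SIGNATURE_DB_V1 = [
    AttackObject("HTTP:SQL:INJ:GENERIC", True, "cts", "critical", 5, "signature", "Generic", "HTTP", "http"),
    AttackObject("HTTP:XSS:REFLECTED", True, "cts", "major", 3, "signature", "Generic", "HTTP", "http"),
    AttackObject("HTTP:ANOM:OVERLONG-URI", False, "cts", "minor", 2, "anomaly", "Generic", "HTTP", "http"),
    AttackObject("SMB:EXPLOIT:SLOW-CHAIN", True, "cts", "critical", 8, "signature", "Microsoft", "SMB", "smb",
                 members=("m01", "m02")),
    AttackObject("HTTP:INFO:SERVER-BANNER", True, "stc", "info", 1, "signature", "Generic", "HTTP", "http"),
]
# Objects that arrive with the next signature update (also constructed).
SIGNATURE_DB_V2 = SIGNATURE_DB_V1 + [
    AttackObject("HTTP:RCE:DESERIAL-GADGET", True, "cts", "critical", 4, "signature", "Generic", "HTTP", "http"),
    AttackObject("HTTP:DOS:HEAVY-REGEX", True, "cts", "major", 9, "signature", "Generic", "HTTP", "http"),
]

# Recommended, client-to-server, critical/major HTTP signatures that are not slow to evaluate.
WEB_INBOUND = DynamicGroupFilter(recommended=True, direction={"cts"}, severity={"critical", "major"},
                                 performance_impact={"low", "medium"}, object_type={"signature"},
                                 category={"HTTP"})

if __name__ == "__main__":
    print("before update:", build_group(SIGNATURE_DB_V1, WEB_INBOUND))
    print("after update: ", build_group(SIGNATURE_DB_V2, WEB_INBOUND))
    print("chain filter: ", build_group(SIGNATURE_DB_V2, DynamicGroupFilter(expression="m01 AND m02")))
```

Running the model shows the point of the Note and of Preview: the update adds HTTP:RCE:DESERIAL-GADGET to the group without anyone editing it, while HTTP:DOS:HEAVY-REGEX stays out only because the Performance Impact filter excludes the high bucket. Drop that filter and the next update can silently add a slow signature to every policy that references the group.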