Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

IDP Signature Database Overview

 

Signature-based IDP monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures.

For more information, see the following topics:

Understanding the IDP Signature Database

The signature database is one of the major components of Intrusion Detection and Prevention (IDP). It contains definitions of different objects—such as attack objects, application signatures objects, and service objects—that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper website. You can download this file to protect your network from new threats.

Note

IDP feature is enabled by default, no license is required. Custom attacks and custom attack groups in IDP policies can also be configured and installed even when a valid license and signature database are not installed on the device.

The IDP signature database is stored on the IDP enabled device and contains definitions of predefined attack objects and groups. These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. You can configure attack objects and groups as match conditions in IDP policy rules.

Note

You must install the IDP signature-database-update license key on your device for downloading and installing daily signature database updates provided by Juniper Networks. The IDP signature license key does not provide grace period support. For license details, see Junos OS Feature License Keys.

Starting in Junos OS Release 18.3R1, you can download IDP security package through an explicit proxy server. To download the IDP security package that hosts on an external server, you need to configure a proxy profile and use the proxy host and port details that are configured in the proxy profile. This feature allows you to use a deployed Web proxy server on your device for access and authentication for HTTP(S) outbound sessions for your overall security solution.

You can perform the following tasks to manage the IDP signature database:

  1. Update the signature database—Download the attack database updates available on the Juniper Networks website. New attacks are discovered daily, so it is important to keep your signature database up to date.

  2. Verify the signature database version—Each signature database has a different version number with the latest database having the highest number. You can use the CLI to display the signature database version number.

  3. Update the protocol detector engine—You can download the protocol detector engine updates along with downloading the signature database. The IDP protocol detector contains Application Layer protocol decoders. The detector is coupled with the IDP policy and is updated together. It is always needed at policy update time, even if there is no change in the detector.

  4. Schedule signature database updates—You can configure the IDP-enabled device to automatically update the signature database after a set interval.

Updating the IDP Signature Database Overview

Juniper Networks regularly updates the predefined attack database and makes it available on the Juniper Networks website. This database includes attack object groups that you can use in Intrusion Detection and Prevention (IDP) policies to match traffic against known attacks. Although you cannot create, edit, or delete predefined attack objects, you can use the CLI to update the list of attack objects that you can use in IDP policies.

To update the signature database, you download a security package from the Juniper Networks website or through an explicit Web proxy server. The security package consists of the following IDP components:

By default, when you download the security package, you download the following components into a Staging folder in your device: the latest version of the complete attack object groups table, application objects table, and the updates to the IDP Detector Engine. Because the attack objects table is typically of a large size, by default the system downloads only updates to the attack objects table. However, you can download the complete attack objects table by using the full-update configuration option.

After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.

After installing a security package, when you commit the configuration, all policies are checked for their syntax (not only the active policy). This checking is the same as a commit check. If an attack configured in any of the existing policies is removed from the new signature database that you download, the commit check fails.

When you update the IDP signature database, attacks configured in policies are not updated automatically. For example, suppose you configure a policy to include an attack FTP:USER:ROOT that is available in the signature database version 1200 on your system. Then, you download signature database version 1201, which no longer includes the attack FTP:USER:ROOT. Because an attack configured in your policy is missing from the newly downloaded database, the commit check in the CLI fails. To successfully commit your configuration, you must remove the attack (FTP:USER:ROOT) from your policy configuration.

Caution

IDP signature updates might fail if a new IDP policy load fails for any reason. When a new IDP policy load fails, the last known good IDP policy is loaded. Once the issue with the new policy load is resolved, and the new valid policy is active, signature updates will work properly.

Downloading the Junos OS IDP Signature Package through an Explicit Proxy Server Overview

Starting in Junos OS Release 18.3R1, you can download IDP security package through an explicit proxy server. To download the IDP security package that hosts on an external server, you need to configure a proxy profile and use the proxy host and port details that are configured in the proxy profile. This feature allows you to use a deployed Web proxy server on your device for access and authentication for HTTP(S) outbound sessions.

You need to configure the proxy profile option of security package download to connect to the external server through a specified proxy server. The proxy profile is configured under [edit services proxy] hierarchy.

You can configure more than one proxy profile under [edit services proxy] hierarchy. IDP can utilize only one proxy profile. Multiple proxy profiles are not supported for use under IDP simultaneously. When a proxy profile is configured under [security idp security-package] hierarchy, the idpd process connects to the proxy host instead of the signature pack download server. The proxy host then communicates with the download server and provides the response back to the idpd process. The idpd process is notified every time there is a change made at the [edit services proxy] hierarchy.

You can disable the proxy server for downloading IDP signature package when not required.

To disable the proxy server for IDP signature download use the delete security idp security-package proxy-profile proxy-profile

The IDP Web proxy support is dependent on the proxy profile configured at the system level. To use the web proxy server for downloading, you must configure a proxy profile with host and port details of the proxy server, and apply the proxy profile in the [security idp security-package] hierarchy.

Example: Updating the Signature Database Automatically

This example shows how to download signature database updates automatically.

Requirements

Before you begin, configure network interfaces.

Overview

Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks website. This database includes attack objects and attack object groups that you can use in IDP policies to match traffic against known attacks. You can configure your device to automatically download the signature database updates at specified intervals.

In this example, you download the security package with the complete table of attack objects and attack object groups every 48 hours, starting at 11:59 p.m. on December 10. You also enable an automatic download and update of the security package.

Configuration

Step-by-Step Procedure

To download and update the predefined attack objects:

  1. Specify the URL for the security package.
    Note

    By default it will take URL as https://services.netscreen.com/cgi-bin/index.cgi.

  2. Specify the time and interval value for the download.
  3. Enable the automatic download and update of the security package.
  4. If you are done configuring the device, commit the configuration.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the IDP Signature Database Manually

Purpose

Display the IDP signature database manually.

Action

From operational mode, enter the show security idp command.

Updating the IDP Signature Database Manually Overview

Juniper Networks regularly updates the predefined attack database and makes it available on the Juniper Networks website. This database includes attack object groups that you can use in Intrusion Detection and Prevention (IDP) policies to match traffic against known attacks. Although you cannot create, edit, or delete predefined attack objects, you can use the CLI to update the list of attack objects that you can use in IDP policies. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.

Example: Updating the IDP Signature Database Manually

This example shows how to update the IDP signature database manually.

Requirements

Before you begin, configure network interfaces.

Overview

Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.

In this example, you download the security package with the complete table of attack objects and attack object groups. Once the installation is completed, the attack objects and attack object groups are available in the CLI under the predefined-attack-groups and predefined-attacks configuration statements at the [edit security idp idp-policy] hierarchy level. You create a policy and specify the new policy as the active policy. You also download only the updates that Juniper Networks has recently uploaded and then update the attack database, the running policy, and the detector with these new updates.

Configuration

CLI Quick Configuration

CLI quick configuration is not available for this example because manual intervention is required during the configuration.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To manually download and update the signature database:

  1. Specify the URL for the security package.
    Note

    By default it will take URL as https://services.netscreen.com/cgi-bin/index.cgi.

  2. Commit the configuration.
  3. Switch to operational mode.
  4. Download the security package.
    Note

    You can perform an offline signature package download on your device. You can download the signature package and copy the package to any common location in the device and download the package offline using the request security idp security-package offline-download command.

    The signature package installation remains the same and will be a full-update always.

  5. Check the security package download status.
  6. Update the attack database using the install command.
  7. Check the attack database update status with the following command (the command output displays information about the downloaded and installed versions of the attack database versions):
  8. Switch to configuration mode.
  9. Create an IDP policy.
  10. Associate attack objects or attack object groups with the policy.
  11. Set action.
  12. Activate the policy.
  13. Commit the configuration.
  14. After a week, download only the updates that Juniper Networks has recently uploaded.
  15. Check the security package download status.
  16. Update the attack database, the active policy, and the detector with the new changes.
  17. Check the attack database, the active policy and the detector using install status.
    Note

    It is possible that an attack might be removed from the new version of an attack database. If this attack is used in an existing policy on your device, the installation of the new database will fail. An installation status message identifies the attack that is no longer valid. To update the database successfully, remove all references to the deleted attack from your existing policies and groups, and rerun the install command.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the IDP Signature Database Manually

Purpose

Display the IDP signature database manually.

Action

From operational mode, enter the show security idp command.

Example: Downloading and Installing the IDP Security Packages in Chassis Cluster Mode

This example shows how to download and install the IDP signature database to a device operating in chassis cluster mode.

Requirements

Before you begin, set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for SRX Series Devices in a Chassis Cluster .

Overview

The security package for Intrusion Detection and Prevention (IDP) contains a database of predefined IDP attack objects and IDP attack object groups that you can use in IDP policies to match traffic against known and unknown attacks. Juniper Networks regularly updates the predefined attack objects and groups with newly discovered attack patterns.

To update the signature database, you must download a security package from the Juniper Networks website. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.

Note

On all branch SRX Series devices,, if your device memory utilization is high on the control plane, loading a large IDP policy might cause the device to run out of memory. This can trigger a system reboot during the IDP security package update.

For more details, see Understanding the IDP Signature Database.

When you download the IDP security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node. This synchronization helps maintain the same version of the security package on both the primary node and the secondary node.

Downloading and Installing the IDP Signature Database

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Specify the URL for the security package.
  2. Switch to operational mode.
  3. Download the IDP security package to the primary node (downloads in the var/db/idpd/sec-download folder.

    The following message is displayed.

  4. Check the security package download status.

    On a successful download, the following message is displayed.

  5. Update the attack database using the install command.
  6. Check the attack database update status. The command output displays information about the downloaded and installed versions of the attack database.
    Note

    You must download the IDP signature package into the primary node. This way, the security package is synchronized on the secondary node. Attempts to download the signature package to the secondary node will fail.

    If you have configured a scheduled download for the security packages, the signature package files are automatically synchronized from the primary node to the backup node.

Downloading the Junos OS IDP Signature Package through an Explicit Proxy Server

This example shows how to create a proxy profile and use it for downloading the IDP signature package through an explicit proxy server.

Requirements

This example uses the following hardware and software components:

  • This configuration example is tested on SRX Series device with Junos OS Release 18.3R1 or later.

Overview

Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks Website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.

Starting from Junos OS Release 18.3R1, you can download the IDP signature package using a proxy server. Proxy profile configuration is available only for HTTP connections.

In this example, the SRX Series device downloads and installs the IDP security package, with the complete table of attack objects and attack object groups that is available on an external server, utilizing the proxy profile configured.

Once the installation is complete all the downloaded and installed IDP attack objects and attack groups are available to be configured in an IDP policy or policies. These attack objects and attack object are then utilized in the security rules under the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name hierarchy. You create a policy and specify the new policy as the active policy. You can download only the updates that Juniper Networks has recently uploaded and then update the attack database, the running policy, and the detector with these updates.

To enable downloading the IDP signature package through an explicit proxy server:

  1. Configure a profile with host and port details of the proxy server using the set services proxy profile command.

  2. Use the set security idp security-package proxy-profile profile-name command to connect to the proxy server and download the IDP signature package.

When you download the IDP signature package, the request is sent through the proxy host to the actual server that hosts the signature package. The proxy host then sends the response back from the actual host. The IDP signature package is then received from the Juniper Networks security website https://signatures.juniper.net/cgi-bin/index.cgi.

In this example, you create a proxy profile, and refer the profile when you download the IDP signature package from the external host. Table 1 provides the details of the parameters used in this example.

Table 1: Proxy Profile Configuration Parameters

Parameter

Name

Profile Name

test_idp_proxy1

IP address of the proxy server

10.209.97.254

Port number of the proxy server

3128

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the edit hierarchy, and then enter commit from configuration mode.

Configuration

Proxy profile for the proxy server is created and then this profile is referred by the idpd process for downloading the IDP signature package through the proxy server.

  1. Specify the port number used by the proxy server.
  2. Specify the proxy profile that has to be referred for the security package download.
  3. Commit the configuration.
  4. Switch to operational mode.
  5. Download the IDP security package.
    Note

    The option to perform an offline IDP signature package download and install from the Juniper website is still available. To download and install the IDP signature package offline, run the request security idp security-package offline-download CLI command. The installation process remains the same for both download commands.

Verification

Verifying IDP Signature Download through Proxy Server

Purpose

Display the details for the IDP signature package download through a proxy server.

Action

From operational mode, enter the show security idp security-package proxy-profile command to view IDP specific proxy details.

Meaning

In the output, you can find the IDP specific proxy profile details in Proxy Profile and Proxy Address fields.

Verifying IDP Signature Download Status

Purpose

Check the IDP signature package download status.

Action

Check the security package download status.

From operational mode, enter the request security idp security-package download status command.

user@host> request security idp security-package download status

Meaning

The output displays the IDP signature package download status.

Understanding the IDP Signature Database Version

New attack objects are added to the signature database server frequently; downloading these updates and installing them on your managed devices regularly ensures that your network is effectively protected against the latest threats. As new attack objects are added to the signature database server, the version number of the database is updated with the latest database version number. Each signature database has a different version number with the latest database having the highest number.

When updating the signature database, the signature database update client connects to the Juniper Networks website and obtains the update using an HTTPS connection. This update—difference between the existing signature database and latest signature database—is calculated based on the version number that is assigned to each signature database. After you download the updates, the updated information is merged with the existing signature database and the version number is set to that of the latest signature database.

Verifying the IDP Signature Database Version

Purpose

Display the signature database version.

Action

From the operational mode in the CLI, enter show security idp security-package-version.

Sample Output

user@host> show security idp security-package-version

Meaning

The output displays the version numbers for the signature database, protocol detector, and the policy template on the IDP-enabled device. Verify the following information:

  • Attack database version—On April 16, 2008, the version of the signature database active on the device is 31.

  • Detector version—Displays the version number of the IDP protocol detector currently running on the device.

  • Policy template version—Displays the version of the policy template that is installed in the /var/db/scripts/commit directory when you run the request security idp security-package install policy-templates configuration statement in the CLI.

For a complete description of output, see the show security idp security-package-version description.