Related Documentation
- J Series
- IDP Policies Overview
- Understanding Custom Attack Objects
- Understanding Predefined IDP Attack Objects and Object Groups
- Understanding IDP Protocol Decoders
- Example: Configuring IDP Signature-Based Attacks
- Example: Configuring IDP Protocol Anomaly-Based Attacks
- SRX Series
- IDP Policies Overview
- Understanding Custom Attack Objects
- Understanding Predefined IDP Attack Objects and Object Groups
- Understanding IDP Protocol Decoders
- Example: Configuring IDP Signature-Based Attacks
- Example: Configuring IDP Protocol Anomaly-Based Attacks
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Understanding IDP Signature-Based Attacks
To configure a custom attack object, you specify a unique name for it and then specify additional information, which can make it easier for you to locate and maintain the attack object.
Certain properties in the attack object definitions are common to all types of attacks, such as attack name, severity level, service or application binding, time binding, and protocol or port binding. Some fields are specific to an attack type and are available only for that specific attack definition.
Signature attack objects use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks. They also include the protocol or service used to perpetrate the attack and the context in which the attack occurs. The following properties are specific to signature attacks, and you can configure them when configuring a signature attack: attack context, attack direction, attack pattern, and protocol-specific parameters (TCP, UDP, ICMP, or IP header fields).
When configuring signature-based attacks, keep the following in mind:
- Attack context and direction are mandatory fields for the signature attack definition.
- Pattern negation is supported for packet, line, and application-based contexts only and not for stream and normalized stream contexts.
- When configuring the protocol-specific parameters, you can specify fields for only one of the following protocols—IP, TCP, UDP, or ICMP.
- When configuring a protocol binding, you can specify only one of the following—IP, ICMP, TCP, UDP, RPC, or applications.
  - IP—Protocol number is a mandatory field.
  - TCP and UDP—You can specify either a single port (minimum-port) or a port range (minimum-port and maximum-port). If you do not specify a port, the default value is taken (0-65535).
  - RPC—Program number is a mandatory field.
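
The rules above can be checked before a custom attack definition is committed. The following Python lint is an added example, not Juniper code: the dictionary layout, the key names (`negate`, `protocol`, `protocol_binding`, `minimum_port`, and so on), and the assumption that stream context names begin with `stream` or `normalized-stream` are all hypothetical, and the sample definitions are constructed.

```python
# Added example: lint a custom signature attack definition against the rules above.
# The dict layout and key names are hypothetical; this is not Junos syntax.
NO_NEGATE_PREFIXES = ("stream", "normalized-stream")  # assumed context-name prefixes
HEADER_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
BINDINGS = {"ip", "icmp", "tcp", "udp", "rpc", "application"}

def port_range(params):
    """Effective (low, high) port range for a TCP/UDP binding, or raise ValueError."""
    low, high = params.get("minimum_port"), params.get("maximum_port")
    if low is None and high is None:
        return (0, 65535)                  # default when no port is specified
    if low is None:                        # the page describes no maximum-only form
        raise ValueError("maximum_port given without minimum_port")
    high = low if high is None else high   # minimum_port alone means a single port
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    return (low, high)

def lint_signature_attack(attack):
    """Return the list of rule violations; an empty list means the definition passes."""
    errors = [f"{f} is mandatory" for f in ("context", "direction") if not attack.get(f)]
    context = attack.get("context") or ""
    if attack.get("negate") and context.startswith(NO_NEGATE_PREFIXES):
        errors.append(f"pattern negation is not supported in context '{context}'")
    protocols = sorted(attack.get("protocol", {}))
    if len(protocols) > 1 or set(protocols) - HEADER_PROTOCOLS:
        errors.append(f"protocol parameters may use only one of IP, TCP, UDP, ICMP: {protocols}")
    binding = attack.get("protocol_binding", {})
    if len(binding) > 1 or set(binding) - BINDINGS:
        errors.append(f"protocol binding may be only one known type: {sorted(binding)}")
    for kind, params in binding.items():
        if kind == "ip" and "protocol_number" not in params:
            errors.append("IP binding requires protocol_number")
        elif kind == "rpc" and "program_number" not in params:
            errors.append("RPC binding requires program_number")
        elif kind in ("tcp", "udp"):
            try:
                port_range(params)
            except ValueError as exc:
                errors.append(f"{kind} binding: {exc}")
    return errors

# Constructed sample definitions (not from the original page).
GOOD = {"context": "packet", "direction": "any", "negate": True,
        "protocol": {"ip": {"ttl": 128}},
        "protocol_binding": {"tcp": {"minimum_port": 50, "maximum_port": 100}}}
BAD = {"context": "stream256", "negate": True,
       "protocol": {"ip": {"ttl": 128}, "tcp": {"window_size": 0}},
       "protocol_binding": {"rpc": {}}}
```

`lint_signature_attack(GOOD)` returns an empty list, while `BAD` is reported for the missing direction, negation in a stream context, parameters for two protocols, and an RPC binding without a program number.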


