Related Documentation
- J Series
- Understanding IDP IPS Rulebases
- Example: Enabling IDP in a Security Policy
- Example: Inserting a Rule in the IDP Rulebase
- Example: Deactivating and Activating Rules in an IDP Rulebase
- SRX Series
- Understanding IDP IPS Rulebases
- Example: Enabling IDP in a Security Policy
- Example: Inserting a Rule in the IDP Rulebase
- Example: Deactivating and Activating Rules in an IDP Rulebase
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Defining Rules for an IDP IPS Rulebase
This example shows how to define rules for an IDP IPS rulebase.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Create security zones. See Example: Creating Security Zones.
- Enable IDP in security policies. See Example: Enabling IDP in a Security Policy.
Overview
Each rule is composed of match conditions, objects, actions, and notifications. When you define an IDP rule, you must specify the type of network traffic you want IDP to monitor for attacks by using the following characteristics—source zone, destination zone, source IP address, destination IP address, and the Application Layer protocol supported by the destination IP address. The rules are defined in rulebases, and rulebases are associated with policies.
This example describes how to create a policy called base-policy, specify a rulebase for this policy, and then add rule R1 to this rulebase. In this example, rule R1:
- Specifies the match condition to include any traffic from a previously configured zone called trust to another previously configured zone called untrust. The match condition also includes a predefined attack group Critical - TELNET. The application setting in the match condition is default and matches any application configured in the attack object.
- Specifies an action to drop connection for any traffic that matches the criteria for rule R1.
- Enables attack logging and specifies that an alert flag is added to the attack log.
- Specifies a severity level as critical.
After defining the rule, you specify base-policy as the active policy on the device.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To define rules for an IDP IPS rulebase:
- Create a policy by assigning a meaningful name to it.
  [edit]
  user@host# edit security idp idp-policy base-policy
- Associate a rulebase with the policy.
  [edit security idp idp-policy base-policy]
  user@host# edit rulebase-ips
- Add rules to the rulebase.
  [edit security idp idp-policy base-policy rulebase-ips]
  user@host# edit rule R1
- Define the match criteria for the rule.
  [edit security idp idp-policy base-policy rulebase-ips rule R1]
  user@host# set match from-zone trust to-zone untrust source-address any destination-address any application default
- Define an attack as match criteria.
  [edit security idp idp-policy base-policy rulebase-ips rule R1]
  user@host# set match attacks predefined-attack-groups "TELNET-Critical"
- Specify an action for the rule.
  [edit security idp idp-policy base-policy rulebase-ips rule R1]
  user@host# set then action drop-connection
- Specify notification and logging options for the rule.
  [edit security idp idp-policy base-policy rulebase-ips rule R1]
  user@host# set then notification log-attacks alert
- Set the severity level for the rule.
  [edit security idp idp-policy base-policy rulebase-ips rule R1]
  user@host# set then severity critical
- Activate the policy.
  [edit]
  user@host# set security idp active-policy base-policy
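The CLI Quick Configuration section above refers to a block of flat set commands that is not reproduced on this page. The following Python script is an added example, not Juniper's code and not part of the original documentation: it replays the [edit]/set steps of the procedure (embedded below as constructed input) and emits the equivalent absolute set commands that can be pasted at the [edit] hierarchy level, then checks that rule R1 carries a zone match, an attack match, an action, a notification setting and a severity before you commit. The names flatten, hierarchy_from_prompt, required_parts_present, PROCEDURE and RULE_PATH are this example's own.

```python
"""Flatten the hierarchical IDP rule procedure into one-line `set` commands.

Added example, not Juniper's code: the step-by-step procedure enters
nested [edit ...] levels and issues relative `set` commands; Junos also
accepts the same configuration as absolute `set` statements pasted at
[edit]. This script derives the absolute form from the recorded steps
and sanity-checks rule R1 for the parts the example requires.
"""
from __future__ import annotations

# Constructed input: the (prompt, command) pairs from the procedure above.
RULE_PATH = "security idp idp-policy base-policy rulebase-ips rule R1"
_RULE_PROMPT = f"[edit {RULE_PATH}]"
PROCEDURE = [
    ("[edit]", "edit security idp idp-policy base-policy"),
    ("[edit security idp idp-policy base-policy]", "edit rulebase-ips"),
    ("[edit security idp idp-policy base-policy rulebase-ips]", "edit rule R1"),
    (_RULE_PROMPT, "set match from-zone trust to-zone untrust "
                   "source-address any destination-address any application default"),
    (_RULE_PROMPT, 'set match attacks predefined-attack-groups "TELNET-Critical"'),
    (_RULE_PROMPT, "set then action drop-connection"),
    (_RULE_PROMPT, "set then notification log-attacks alert"),
    (_RULE_PROMPT, "set then severity critical"),
    ("[edit]", "set security idp active-policy base-policy"),
]


def hierarchy_from_prompt(prompt: str) -> list[str]:
    """Return the hierarchy tokens encoded in a prompt such as '[edit a b]'."""
    inner = prompt.strip()
    if not (inner.startswith("[edit") and inner.endswith("]")):
        raise ValueError(f"not a Junos configuration-mode prompt: {prompt!r}")
    return inner[1:-1].split()[1:]  # drop the leading 'edit'


def flatten(steps) -> list[str]:
    """Convert (prompt, command) steps into absolute `set` commands.

    Each command is resolved against the hierarchy shown in its own prompt,
    so the final step, issued back at [edit] although the procedure shows
    no explicit `top` or `up`, is handled without guessing at navigation.
    `edit` commands only move the cursor and produce no output line.
    """
    flat: list[str] = []
    for prompt, command in steps:
        verb, _, rest = command.strip().partition(" ")
        if verb == "edit":
            continue
        if verb != "set":
            raise ValueError(f"unsupported command in procedure: {command!r}")
        flat.append(" ".join(["set", *hierarchy_from_prompt(prompt), rest]))
    return flat


def required_parts_present(set_commands, rule_path: str = RULE_PATH) -> bool:
    """True if the rule at rule_path has every part this example configures:
    a from-zone match, an attack match, an action, a notification and a severity."""
    prefix = f"set {rule_path} "
    rule_lines = [c[len(prefix):] for c in set_commands if c.startswith(prefix)]
    needed = ("match from-zone", "match attacks", "then action",
              "then notification", "then severity")
    return all(any(line.startswith(part) for line in rule_lines) for part in needed)


if __name__ == "__main__":
    commands = flatten(PROCEDURE)
    print("\n".join(commands))
    print("rule R1 complete:", required_parts_present(commands))
```

The script only reshapes the commands recorded above; it does not talk to a device or validate names such as the attack group against the installed signature database, so the show security idp check in the Results section still applies after you paste and commit.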
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the rules for the IDP IPS rulebase configuration are correct.
Action
From operational mode, enter the show security idp status command.