Related Documentation
- J Series
- Understanding IDP Protocol Anomaly-Based Attacks
- Example: Updating the IDP Signature Database Manually
- Example: Updating the Signature Database Automatically
- SRX Series
- Understanding IDP Protocol Anomaly-Based Attacks
- Example: Updating the IDP Signature Database Manually
- Example: Updating the Signature Database Automatically
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring IDP Protocol Anomaly-Based Attacks
This example shows how to create a protocol anomaly-based attack object.
Requirements
Before you begin, configure network interfaces.
See the Junos OS Interfaces Configuration Guide for Security Devices.
Overview
In this example, you create a protocol anomaly attack called anomaly1 and assign it the following properties:
- Time binding—Specifies the scope as peer and count as 2 to detect anomalies between source and destination IP addresses of the sessions for the specified number of times.
- Severity (info)—Provides information about any attack that matches the conditions.
- Attack direction (any)—Detects the attack in both directions—client-to-server and server-to-client traffic.
- Service (TCP)—Matches attacks using the TCP service.
- Test condition (OPTIONS_UNSUPPORTED)—Matches certain predefined test conditions. In this example, the condition is to match if the attack includes unsupported options.
- Shellcode (sparc)—Sets the flag to detect shellcode for Sparc platforms.
Once you have configured the protocol anomaly-based attack object, you specify the attack as match criteria in an IDP policy rule. See Example: Defining Rules for an IDP IPS Rulebase.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To create a protocol anomaly-based attack object:
- Specify a name for the attack.
  [edit]
  user@host# edit security idp custom-attack anomaly1
- Specify common properties for the attack.
  [edit security idp custom-attack anomaly1]
  user@host# set severity info
  user@host# set time-binding scope peer count 2
- Specify the attack type and test condition.
  [edit security idp custom-attack anomaly1]
  user@host# set attack-type anomaly test OPTIONS_UNSUPPORTED
- Specify other properties for the anomaly attack.
  [edit security idp custom-attack anomaly1]
  user@host# set attack-type anomaly service TCP
  user@host# set attack-type anomaly direction any
  user@host# set attack-type anomaly shellcode sparc
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
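The Results step asks you to compare the output of show security idp against the configuration the procedure entered. The following script, added here as an example and not part of Juniper's documentation or software, does that comparison offline: it parses the curly-brace form the CLI prints into a tree, flattens it to the set statements the procedure used (the same form "show | display set" produces), and reports any intended statement that is absent. The sample output embedded in the script is constructed for this example; its layout is an assumption, while the hierarchy names (custom-attack, severity, time-binding, attack-type anomaly) are the ones used in the procedure above.

```python
"""Check 'show security idp' output against the intended anomaly1 custom-attack.

Added example for this page (not Juniper code). The sample output below is
constructed to mirror the procedure; its exact layout is assumed.
"""

# Constructed sample of what 'show security idp' prints for the configured
# custom-attack object (assumed layout, not captured from a device).
SAMPLE_SHOW_OUTPUT = """\
custom-attack anomaly1 {
    severity info;
    time-binding {
        scope peer;
        count 2;
    }
    attack-type {
        anomaly {
            test OPTIONS_UNSUPPORTED;
            service TCP;
            direction any;
            shellcode sparc;
        }
    }
}
"""

# The statements entered in the step-by-step procedure, written in 'set' form
# relative to the [edit] hierarchy. 'set time-binding scope peer count 2'
# becomes two leaf statements once flattened.
INTENDED = {
    "set security idp custom-attack anomaly1 severity info",
    "set security idp custom-attack anomaly1 time-binding scope peer",
    "set security idp custom-attack anomaly1 time-binding count 2",
    "set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED",
    "set security idp custom-attack anomaly1 attack-type anomaly service TCP",
    "set security idp custom-attack anomaly1 attack-type anomaly direction any",
    "set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc",
}


def parse_junos(text):
    """Parse curly-brace Junos configuration output into nested dicts.

    Container lines ('name {') become dict keys holding a child dict; leaf
    statements ('keyword value;') become keys mapped to None.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unrecognised configuration line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration output")
    return root


def to_set_statements(tree, prefix="set"):
    """Flatten a parsed tree into 'set ...' statements, as 'show | display set' does."""
    out = set()
    for key, child in tree.items():
        path = f"{prefix} {key}"
        if child is None:
            out.add(path)
        else:
            out.update(to_set_statements(child, path))
    return out


def missing_statements(show_output, intended, hierarchy="set security idp"):
    """Return the intended statements that the device output does not contain.

    'hierarchy' is the prefix for the level at which the output was taken;
    'show security idp' output sits under [edit security idp].
    """
    actual = to_set_statements(parse_junos(show_output), hierarchy)
    return sorted(intended - actual)


if __name__ == "__main__":
    missing = missing_statements(SAMPLE_SHOW_OUTPUT, INTENDED)
    if missing:
        print("Statements missing from the device configuration:")
        print("\n".join(missing))
    else:
        print("Configuration matches the intended anomaly1 attack object.")
```

Paste real show security idp output in place of the constructed sample to use it against a device; an empty result from missing_statements means every statement from the procedure is present, and anything listed is the step to repeat before committing.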
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the protocol anomaly-based attack object was created.
Action
From operational mode, enter the show security idp status command.