Related Documentation
- J Series
- Understanding IDP Signature-Based Attacks
- Understanding Custom Attack Objects
- Understanding Predefined IDP Attack Objects and Object Groups
- Understanding IDP Protocol Decoders
- Example: Configuring IDP Protocol Anomaly-Based Attacks
- SRX Series
- Understanding IDP Signature-Based Attacks
- Understanding Custom Attack Objects
- Understanding Predefined IDP Attack Objects and Object Groups
- Understanding IDP Protocol Decoders
- Example: Configuring IDP Protocol Anomaly-Based Attacks
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring IDP Signature-Based Attacks
This example shows how to create a signature-based attack object.
Requirements
Before you begin, configure network interfaces.
See the Junos OS Interfaces Configuration Guide for Security Devices.
Overview
In this example, you create a signature attack called sig1 and assign it the following properties:
- Recommended action (drop packet)—Drops a matching packet before it can reach its destination but does not close the connection.
- Time binding—Specifies the scope as source and the count as 10. When scope is source, all attacks from the same source are counted, and when the number of attacks reaches the specified count (10), the attack is logged. In this example, every tenth attack from the same source is logged.
- Attack context (packet)—Matches the attack pattern within a packet.
- Attack direction (any)—Detects the attack in both directions—client-to-server and server-to-client traffic.
- Protocol (IP)—Specifies an IP TTL value of 128, matched with the equal operator. The TTL is an IP header field; the signature is restricted to TCP by the protocol binding below.
- Shellcode (Intel)—Sets the flag to detect shellcode for Intel platforms.
- Protocol binding—Specifies the TCP protocol and ports 50 through 100.
Once you have configured a signature-based attack object, you specify the attack as match criteria in an IDP policy rule. See Example: Defining Rules for an IDP IPS Rulebase.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the set commands from the step-by-step procedure below into a text file, expand each one to its full path under [edit security idp custom-attack sig1], change any details necessary to match your network configuration, and then paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To create a signature-based attack object:
- Specify a name for the attack.
  [edit]
  user@host# edit security idp custom-attack sig1
- Specify common properties for the attack.
  [edit security idp custom-attack sig1]
  user@host# set severity major
  user@host# set recommended-action drop-packet
  user@host# set time-binding scope source count 10
- Specify the attack type and context.
  [edit security idp custom-attack sig1]
  user@host# set attack-type signature context packet
- Set the shellcode flag.
  [edit security idp custom-attack sig1]
  user@host# set attack-type signature shellcode intel
- Set the protocol and its fields. The TTL is an IP header field, so it is configured under protocol ip even though the binding below restricts the signature to TCP.
  [edit security idp custom-attack sig1]
  user@host# set attack-type signature protocol ip ttl value 128 match equal
- Specify the protocol binding and ports.
  [edit security idp custom-attack sig1]
  user@host# set attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
- Specify the direction.
  [edit security idp custom-attack sig1]
  user@host# set attack-type signature direction any
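To make the semantics of the object above concrete, here is an added Python simulation of what sig1 matches and how its time binding gates the attack event. It is example code written for this page, not Juniper code or the IDP engine's implementation: the Packet type, the traffic it feeds in, and the reading that the bound port range (50 through 100) is the service port (destination port client-to-server, source port server-to-client) are this example's assumptions. It does not model the time window the real feature applies to the count, and it does not attempt to detect shellcode.

```python
"""Simulation of the sig1 signature attack object described on this page.
Added example, not Juniper code; the matching rules and the time-binding
behaviour are this example's reading of the configuration above."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet reduced to the fields sig1 inspects (constructed input)."""
    src: str
    dst: str
    proto: str        # "tcp", "udp", ...
    ttl: int
    sport: int
    dport: int
    to_server: bool   # True for client-to-server, False for server-to-client


class Sig1:
    """Model of 'set security idp custom-attack sig1 ...' from the page."""

    def __init__(self, ttl=128, min_port=50, max_port=100, count=10,
                 action="drop-packet"):
        self.ttl = ttl                  # protocol ip ttl value 128 match equal
        self.min_port = min_port        # protocol-binding tcp minimum-port 50
        self.max_port = max_port        # protocol-binding tcp maximum-port 100
        self.count = count              # time-binding scope source count 10
        self.action = action            # recommended-action drop-packet
        self.per_source = defaultdict(int)  # scope source: one counter per source IP

    def service_port(self, pkt):
        # Assumption: the bound port range is the service port, i.e. the
        # destination port client-to-server and the source port server-to-client;
        # 'direction any' means both directions are inspected.
        return pkt.dport if pkt.to_server else pkt.sport

    def matches(self, pkt):
        """Does the packet satisfy the signature's protocol and binding constraints?"""
        return (pkt.proto == "tcp"
                and pkt.ttl == self.ttl
                and self.min_port <= self.service_port(pkt) <= self.max_port)

    def process(self, pkt):
        """Return (matched, triggered). A match is counted against its source;
        the attack event (log plus the recommended action) fires on every
        count-th match from that source, as the overview describes. The time
        window the real feature applies to the count is not modelled here."""
        if not self.matches(pkt):
            return (False, False)
        self.per_source[pkt.src] += 1
        return (True, self.per_source[pkt.src] % self.count == 0)


def run_sample():
    """Feed constructed traffic through sig1 and return the per-packet results."""
    sig = Sig1()
    # 12 probes from one source: the 10th one trips the time binding.
    pkts = [Packet("10.0.0.5", "192.0.2.10", "tcp", 128, 40000 + i, 80, True)
            for i in range(12)]
    pkts += [
        Packet("10.0.0.6", "192.0.2.10", "tcp", 128, 40100, 80, True),   # other source, own counter
        Packet("10.0.0.5", "192.0.2.10", "tcp", 64, 40200, 80, True),    # TTL != 128
        Packet("10.0.0.5", "192.0.2.10", "udp", 128, 40300, 80, True),   # not TCP
        Packet("10.0.0.5", "192.0.2.10", "tcp", 128, 40400, 443, True),  # port outside 50-100
        Packet("192.0.2.10", "10.0.0.5", "tcp", 128, 80, 40000, False),  # server-to-client reply
    ]
    return [sig.process(p) for p in pkts]


if __name__ == "__main__":
    for i, (matched, triggered) in enumerate(run_sample()):
        print(f"packet {i:2d}: matched={matched} triggered={triggered}")
```

Running it shows the point the overview makes about time binding: the first nine matching packets from 10.0.0.5 are counted but produce no event, the tenth does, and a match from a different source or in the reverse direction starts its own count. Packets that fail the TTL, transport, or port-binding checks are never counted.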
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying the Configuration
Purpose
Verify that the signature-based attack object was created.
Action
From operational mode, enter the show security idp status command.