
    Example: Configuring IDP Signature-Based Attacks

    This example shows how to create a signature-based attack object.

    Requirements

    Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

    Overview

    In this example, you create a signature attack called sig1 and assign it the following properties:

    • Recommended action (drop packet)—Drops a matching packet before it can reach its destination but does not close the connection. This is only a recommendation carried by the attack object; it takes effect when an IDP policy rule that references the object uses the recommended action.
    • Time binding—Specifies the scope as source and the count as 10. With scope source, matches from the same source address are counted together, and the attack is reported once the count (10) is reached. In this example, every tenth match from the same source is logged rather than every match.
    • Attack context (packet)—Matches the attack pattern within a single packet rather than within a reassembled stream or a protocol-specific context.
    • Attack direction (any)—Detects the attack in both directions, client-to-server and server-to-client traffic.
    • Protocol (IP)—Matches the IP header TTL field with value 128 and match equal. Note that TTL is an IP-header field, not a TCP field; the TCP binding is configured separately under protocol-binding.
    • Shellcode (Intel)—Sets the flag to detect shellcode for Intel platforms.
    • Protocol binding (TCP)—Restricts the object to TCP traffic on ports 50 through 100.

    Once you have configured a signature-based attack object, you specify the attack as match criteria in an IDP policy rule. See Example: Defining Rules for an IDP IPS Rulebase.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security idp custom-attack sig1 severity major
    set security idp custom-attack sig1 recommended-action drop-packet
    set security idp custom-attack sig1 time-binding scope source count 10
    set security idp custom-attack sig1 attack-type signature context packet
    set security idp custom-attack sig1 attack-type signature shellcode intel
    set security idp custom-attack sig1 attack-type signature protocol ip ttl value 128 match equal
    set security idp custom-attack sig1 attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
    set security idp custom-attack sig1 attack-type signature direction any

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To create a signature-based attack object:

    1. Specify a name for the attack.
      [edit]
      user@host# edit security idp custom-attack sig1
    2. Specify common properties for the attack.
      [edit security idp custom-attack sig1]
      user@host# set severity major
      user@host# set recommended-action drop-packet
      user@host# set time-binding scope source count 10
    3. Specify the attack type and context.
      [edit security idp custom-attack sig1]
      user@host# set attack-type signature context packet
    4. Set the shellcode flag.
      [edit security idp custom-attack sig1]
      user@host# set attack-type signature shellcode intel
    5. Set the protocol and its fields (the TTL test is on the IP header).
      [edit security idp custom-attack sig1]
      user@host# set attack-type signature protocol ip ttl value 128 match equal
    6. Specify the protocol binding and ports.
      [edit security idp custom-attack sig1]
      user@host# set attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
    7. Specify the attack direction.
      [edit security idp custom-attack sig1]
      user@host# set attack-type signature direction any

    Results

    From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    custom-attack sig1 {
        recommended-action drop-packet;
        severity major;
        time-binding {
            count 10;
            scope source;
        }
        attack-type {
            signature {
                protocol-binding {
                    tcp {
                        minimum-port 50 maximum-port 100;
                    }
                }
                context packet;
                direction any;
                shellcode intel;
                protocol {
                    ip {
                        ttl {
                            match equal;
                            value 128;
                        }
                    }
                }
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
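    A committed custom-attack object inspects nothing on its own: it must be referenced as match criteria by an IDP policy rule, that IDP policy must be the active one, and a permitting security policy must hand the traffic to IDP. The following set commands are an added example that is not part of the original page or Juniper's documentation; the IDP policy name sig1-ips, the rule name r1, the zones trust and untrust, and the security policy name allow-out are assumed names that you would replace with your own.

    ```junos
    # Added example, not from the original page. Names sig1-ips, r1,
    # trust, untrust and allow-out are assumptions; adjust to your network.

    # IDP policy with one IPS rule that matches the custom attack sig1.
    set security idp idp-policy sig1-ips rulebase-ips rule r1 match from-zone any to-zone any
    set security idp idp-policy sig1-ips rulebase-ips rule r1 match source-address any destination-address any
    # "application default" takes the application from the attack object's
    # protocol binding (TCP ports 50 through 100 for sig1).
    set security idp idp-policy sig1-ips rulebase-ips rule r1 match application default
    set security idp idp-policy sig1-ips rulebase-ips rule r1 match attacks custom-attacks sig1
    # "recommended" applies the object's own recommended-action (drop-packet).
    # An explicit action such as "then action close-client-and-server" would
    # override what is configured on sig1.
    set security idp idp-policy sig1-ips rulebase-ips rule r1 then action recommended
    set security idp idp-policy sig1-ips rulebase-ips rule r1 then notification log-attacks

    # Only one IDP policy is active at a time.
    set security idp active-policy sig1-ips

    # Security policy that permits trust-to-untrust traffic and sends it to IDP.
    # Without "application-services idp" on a permitting policy, the traffic
    # never reaches the IDP engine and sig1 is never evaluated.
    set security policies from-zone trust to-zone untrust policy allow-out match source-address any
    set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
    set security policies from-zone trust to-zone untrust policy allow-out match application any
    set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp
    ```

    The lines beginning with # are annotations; drop them before pasting into an interactive CLI session, then commit. Because sig1 has direction any, the rule above catches the pattern in both client-to-server and server-to-client packets of a session that this security policy permits.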

    Verification

    Confirm that the configuration is working properly.

    Verifying the Configuration

    Purpose

    Verify that the signature-based attack object was created.

    Action

    From operational mode, enter the show security idp status command to confirm that IDP is running on the device. The attack object itself is visible in configuration mode with the show security idp command used in Results, and it only affects traffic once an IDP policy rule references it and that policy has been committed.

    Published: 2012-06-29