Modifying IDP Rulebase Rules (NSM Procedure)
This procedure assumes you have used the New Policy wizard to create a basic policy that you can modify.
The primary IDP security policy rulebase is the IDP rulebase. The IDP rulebase enables the IDP process engine to inspect matching traffic for signs of an attack.
For background on and examples of IDP rulebase rules, see the IDP Concepts & Examples Guide.
To modify IDP rulebase rules:
- In the NSM navigation tree, select Configure > Policy Manager > Security Policies.
- Select the security policy you want to edit.
- In the security policy pane, select IDP tab to display the IDP rulebase table.
- To add, delete, copy, or reorder rules, right-click the table cell for the rule number and make your selection.
- To modify a property of a rule, right-click the table cell for the property and make your selection. Table 20 lists the rule properties you can modify and provides references to the documentation for each property.
Table 20: IDP Rulebase Rule Properties
Property | Description |
---|---|
ID | Identification number of the rule. |
Match | The zones, source and destination addresses, user roles, and services that a session must match before the rule applies. |
Look For | The attack objects you want IDP to match in the monitored traffic. |
Action | The action IDP takes against the current connection when an attack is found. |
IP Action | The action IDP takes against future connections that use the same IP address. |
Notification | None, or logging with the logging and packet capture options appropriate for your network. |
VLAN Tag | The VLAN tags that traffic must carry for the rule to apply. |
Severity | The default severity of the selected attack objects, or a specific severity for the rule. |
Install On | The IDP devices on which the rule is installed. By default a rule applies to all IDP devices. |
Optional Fields | User-defined name-value pairs you can configure in the rule. |
Comments | Free-text notes about the rule. |
Following are the updates that you can perform on an IDP rulebase rule:
- Specifying Rule Match Conditions
- Specifying IDP Rulebase Attack Objects
- Specifying Rule Session Action
- Specifying Rule IP Action
- Specifying Rule Notification Options
- Specifying Rule VLAN Matches
- Specifying Rule Targets
- Specifying Rule Severity
- Specifying Rule Optional Fields
- Specifying Rule Comments
Specifying Rule Match Conditions
To specify rule match conditions, right-click the table cell and select your setting.
Table 21 describes match condition columns for IDP rulebase rules.
Table 21: IDP Rulebase Match Condition Settings
Column | Description |
---|---|
From zone / To zone | Not applicable for standalone IDP devices. |
Source | Select Address–Displays the Select Address dialog box where you can select address objects for traffic sources. Any–Matches any source of traffic; to guard against incoming attacks, you typically specify Any. Negate–Matches any source except those specified. To use address negation: |
User Role | Select User Role–Displays the Select User Role dialog box where you can select or configure user role matches. User role-based rules are evaluated before IP source rules: if a user role matches and the other match criteria are met, the rule is applied and the Source parameter is not consulted. Note: Matching based on user role depends on integration with Juniper Networks Infranet Controllers. |
Destination | Select Address–Displays the Select Address dialog box where you can select address objects for destination servers. Any–Matches any destination address. Negate–Matches any destination except those specified. To use address negation: |
Service | Default–Matches the service(s) specified in the rule's attack object(s). If you have enabled the Application Identification (AI) feature, the IDP process engine identifies services even if they are running on nonstandard ports. If you have not enabled AI and specify Default, the IDP process engine assumes that standard ports are used for the service. Note: If you do not enable AI and your service uses nonstandard ports, you must create a custom service object. Any–Matches any service. Select Service–Displays the Select Service dialog box where you can select predefined or custom service objects. |
Terminate | Enable or Disable–Marks the rule as a terminal rule (or clears the mark). If a session matches a terminal rule, the IDP process engine does not load any subsequent rules. It takes action, if any, according to the terminal rule. |
Specifying IDP Rulebase Attack Objects
To add attack objects:
- Right-click the table cell for attacks and select Select Attacks.
- In the All Attacks/Groups box, expand Attack Groups.
- To add attack objects recommended by Juniper Networks Security Center (J-Security Center), expand Recommended Attacks, browse groups, and select groups or individual attack objects.
- To add other predefined attack objects, expand All Attacks, browse groups, and select groups or individual attack objects.
- To add attack objects that belong to custom groups, expand the node for the custom group, browse subgroups, and select groups or individual attack objects.
- To add custom attack objects that do not belong to groups, expand Attack List and select from custom attack objects.
- Click OK.
Table 22 describes the attack object group hierarchy for recommended and predefined attack objects provided by J-Security Center.
Table 22: Attack Object Group Hierarchy
Group | Contents |
---|---|
Attack Type | Contains two subgroups: anomaly and signature. Within each subgroup, attack objects are grouped by severity. |
Category | Contains subgroups based on category. Within each category, attack objects are grouped by severity. |
Operating System | Contains the following subgroups: BSD, Linux, Solaris, and Windows. Within each operating system, attack objects are grouped by services and severity. |
Severity | Contains the following subgroups: Critical, Major, Minor, Warning, Info. Within each severity, attack objects are grouped by category. Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures). |
Web Services | Contains subgroups based on Web services. Within each service, attack objects are grouped by severity. |
Miscellaneous | Contains attack objects that have a significant effect on IDP performance. |
Specifying Rule Session Action
Actions are responses to sessions that match the source/destination condition and attack object pattern. Actions protect your network from attacks.
If a packet triggers multiple rule actions, the IDP device takes the most severe action. For example, if the rules dictate that a packet will receive a DiffServ marking and also be dropped, the packet is dropped.
To specify a rule action, right-click the table cell and select your setting.
Table 23 describes the actions you can set for IDP rulebase rules.
Table 23: IDP Rulebase Actions
Action | Description |
---|---|
Recommended | Predefined attack objects include a recommended action. The recommended action is related to severity. Table 24 lists the recommended actions by severity. |
None | IDP inspects for attacks but takes no action against the connection if an attack is found. |
Ignore | IDP does not inspect for attacks and ignores the connection. |
Diffserv Marking | IDP assigns the indicated service-differentiation value to the packet, and then passes it on normally. Set the service-differentiation value in the dialog box that appears when you select this action in the rulebase. Note: The marking has no effect in sniffer mode. |
Drop Packet | IDP drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a DoS that prevents you from receiving traffic from a legitimate source address. |
Drop Connection | IDP drops the connection without sending an RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. |
Close Client and Server | IDP closes the connection and sends an RST packet to both the client and the server. If IDP is in sniffer mode, IDP sends an RST packet to both the client and server but does not close the connection. |
Close Client | IDP closes the connection to the client but not to the server. |
Close Server | IDP closes the connection to the server but not to the client. |
Table 24 describes the logic applied to the value Recommended, a setting coded in predefined attack objects provided by Juniper Networks Security Center.
Table 24: IDP Rulebase Actions: Recommended Actions by Severity
Severity | Description | Recommended Action |
---|---|---|
Critical | Attacks attempt to evade an IPS, crash a machine, or gain system-level privileges. | Drop Packet, Drop Connection |
Major | Attacks attempt to crash a service, perform a denial of service, install or use a Trojan, or gain user-level access to a host. | Drop Packet, Drop Connection |
Minor | Attacks attempt to obtain critical information through directory traversal or information leaks. | None |
Warning | Attacks attempt to obtain noncritical information or scan the network. They can also be obsolete (and probably harmless) attack traffic. | None |
Info | Attacks are normal, harmless traffic containing URLs, DNS lookup failures, and SNMP public community strings. You can use informational attack objects to obtain information about your network. | None |
Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures).
Specifying Rule IP Action
If the IDP device matches an attack, it can take action not only against the current session but also against future network traffic that uses the same IP address. Such actions are called IP actions. By default, the specified IP action is permanent (timeout = 0). If you prefer, you can set a timeout.
To specify an IP action, right-click the table cell and configure options.
Table 25 describes IDP rulebase IP actions.
Table 25: IDP Rulebase IP Actions
IP Action | Description |
---|---|
IP Block | IDP blocks the matching connection and future connections that match combinations of the following properties you specify: |
IP Close | IDP closes the matching connection and future connections that match combinations of the following properties you specify: |
IP Notify | IDP does not take any action against future traffic but logs the event or sends an alert. |
Specifying Rule Notification Options
Notification options determine how events that match the rule are logged.
To specify notification options, right-click the table cell and configure options.
Table 26 describes IDP rulebase notification options.
Table 26: IDP Rulebase Notification Options
Option | Description |
---|---|
Event logs and alerts | You can enable the following delivery and handling options for logs: |
Packet captures | Viewing the packets used in an attack on your network can help you determine the extent of the attempted attack, its purpose, whether or not the attack was successful, and any possible damage to your network. If multiple rules with packet capture enabled match the same attack, IDP captures the maximum specified number of packets. For example, you configure rule 1 to capture 10 packets before and after the attack, and you configure rule 2 to capture 5 packets before and after the attack. If both rules match the same attack, IDP attempts to capture 10 packets before and after the attack. You can capture up to 256 packets before the event and 256 packets after the event. Note: If necessary, you can improve performance by logging only the packets received after the attack. |
Specifying Rule VLAN Matches
If you deploy an IDP device in a virtual local area network (VLAN), you can specify VLAN tags for traffic in IDP rulebase rules.
Normally, rules match source, destination, and service. If your rule specifies a VLAN tag, then the rule must also match the VLAN tag.
To specify that rules match a VLAN tag, right-click the table cell and configure your setting.
Table 27 describes VLAN tag settings.
Table 27: IDP Rulebase VLAN Tag Settings
Option | Description |
---|---|
None | Matches only traffic that has no VLAN tag. |
Any | Matches traffic with any or no VLAN tag (default). |
Select VLAN Tags | Displays the Select VLAN Tags dialog box where you can set a single VLAN tag or a range of VLAN tags. |
Delete VLAN Tags | Displays a dialog box that prompts you to confirm you want to delete the VLAN tag match setting. |
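The evaluation semantics described in this section can be checked against a small model. The following Python is an added example, not NSM or IDP code: it models the Terminate flag (Table 21), Recommended action resolution (Table 24) together with the rule that the most severe action wins when several rules match, the packet capture count taken as the maximum over matching rules (Table 26), the VLAN tag settings (Table 27), and an IP action timeout where 0 means permanent. The action ranking, the attack objects, the rules and the sessions are constructed for the demonstration. Choosing Drop Packet for UDP and Drop Connection for TCP where Table 24 lists both is an assumption taken from the Drop Packet and Drop Connection descriptions in Table 23; Ignore and the IP Block/IP Close properties are not modeled.

```python
"""Toy model of IDP rulebase evaluation (added example, not NSM/IDP code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# ASSUMPTION: rank from least to most severe. The page only states that a
# drop outranks Diffserv Marking; the rest of this order is for the demo.
ACTION_RANK = {"None": 0, "Diffserv Marking": 1, "Drop Packet": 2,
               "Drop Connection": 3, "Close Client": 4, "Close Server": 4,
               "Close Client and Server": 5}

# Constructed attack objects: name -> (severity, service the object is bound to).
ATTACK_OBJECTS = {"HTTP:EVADE": ("Critical", "HTTP"),
                  "DNS:RECON": ("Warning", "DNS"),
                  "HTTP:TRAVERSAL": ("Minor", "HTTP")}

@dataclass
class Session:
    src: str
    dst: str
    service: str                 # service identified by the engine
    proto: str                   # "tcp" or "udp"
    vlan: Optional[int]          # None = untagged
    attack: Optional[str] = None # attack object that fired, if any

@dataclass
class Rule:
    id: int
    src: str = "any"             # "any", CIDR, or "!CIDR" for Negate
    dst: str = "any"
    service: str = "default"     # "default", "any", or a service name
    vlan: str = "any"            # "any", "none", "100", or "100-199"
    attacks: set = field(default_factory=set)
    action: str = "Recommended"
    terminate: bool = False
    capture_before: int = 0
    capture_after: int = 0

def addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    hit = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return not hit if spec.startswith("!") else hit   # Negate inverts the match

def vlan_match(spec: str, tag: Optional[int]) -> bool:
    if spec == "any":            # tagged or untagged traffic (default)
        return True
    if spec == "none":           # only traffic that carries no VLAN tag
        return tag is None
    if tag is None:
        return False
    lo, _, hi = spec.partition("-")   # single tag or inclusive range
    return int(lo) <= tag <= int(hi or lo)

def service_match(rule: Rule, s: Session) -> bool:
    if rule.service == "any":
        return True
    if rule.service == "default":    # services named by the rule's attack objects
        return s.service in {ATTACK_OBJECTS[a][1] for a in rule.attacks}
    return rule.service == s.service

def columns_match(rule: Rule, s: Session) -> bool:
    return (addr_match(rule.src, s.src) and addr_match(rule.dst, s.dst)
            and service_match(rule, s) and vlan_match(rule.vlan, s.vlan))

def resolve_action(rule: Rule, s: Session) -> str:
    if rule.action != "Recommended":
        return rule.action
    severity = ATTACK_OBJECTS[s.attack][0]
    if severity in ("Critical", "Major"):
        # ASSUMPTION: Drop Packet for spoof-prone UDP, Drop Connection otherwise.
        return "Drop Packet" if s.proto == "udp" else "Drop Connection"
    return "None"                    # Minor, Warning, Info: no session action

def evaluate(rules, s: Session):
    """Return (action, capture_before, capture_after, ids of rules applied)."""
    action, rank, cap_b, cap_a, applied = "None", -1, 0, 0, []
    for rule in sorted(rules, key=lambda r: r.id):
        if not columns_match(rule, s):
            continue
        if s.attack in rule.attacks:         # this rule's attack object fired
            applied.append(rule.id)
            a = resolve_action(rule, s)
            if ACTION_RANK[a] > rank:        # most severe action wins
                action, rank = a, ACTION_RANK[a]
            cap_b = max(cap_b, rule.capture_before)   # capture = max over rules
            cap_a = max(cap_a, rule.capture_after)
        if rule.terminate:                   # terminal rule: later rules not loaded
            break
    return action, cap_b, cap_a, applied

def ip_action_active(applied_at: int, timeout: int, now: int) -> bool:
    """IP action lifetime in seconds; timeout 0 is permanent (the page's default)."""
    return timeout == 0 or now < applied_at + timeout

RULES = [   # constructed rulebase
    Rule(1, src="!10.0.0.0/8", dst="10.1.1.0/24", attacks={"HTTP:TRAVERSAL", "HTTP:EVADE"},
         action="Diffserv Marking", capture_before=5, capture_after=5),
    Rule(2, dst="10.1.1.0/24", attacks={"HTTP:EVADE", "HTTP:TRAVERSAL"},
         capture_before=10, capture_after=10),
    Rule(3, service="any", vlan="100-199", attacks={"DNS:RECON"},
         action="Drop Connection", terminate=True),
    Rule(4, service="any", attacks={"DNS:RECON"}, action="Close Client and Server"),
]

if __name__ == "__main__":
    print(evaluate(RULES, Session("203.0.113.7", "10.1.1.20", "HTTP", "tcp", None, "HTTP:EVADE")))
    print(evaluate(RULES, Session("10.2.2.2", "10.1.1.5", "DNS", "udp", 150, "DNS:RECON")))
```

In the first session, rules 1 and 2 both apply: rule 2's Recommended action resolves to Drop Connection, which outranks rule 1's Diffserv Marking, and the capture count is the larger of the two rules' settings. In the second session, rule 3 is terminal, so rule 4 is never consulted even though its columns would match.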
Specifying Rule Targets
By default, IDP security policy rules can be applied to any IDP device. If you prefer, you can restrict a rule to specified IDP devices.
To restrict a rule to specified devices, right-click the table cell and select Select Target to display the Select Targeted Devices dialog box, where you can select the devices on which the rule is to be applied.
Specifying Rule Severity
Severity is a rating of the danger posed by the threat the rule is designed to prevent.
To specify a rule severity, right-click the table cell and select a severity.
Table 28 describes rule severity settings.
Table 28: IDP Rulebase Severity
Severity | Description |
---|---|
Default | Select Default to inherit severity from that specified in the attack object. |
Critical | Attacks that attempt to evade an IPS, crash a machine, or gain system-level privileges. We recommend that you drop the packets or drop the connection for such attacks. |
Major | Attacks that attempt to crash a service, perform a denial of service, install or use a Trojan, or gain user-level access to a host. We recommend that you drop the packets or drop the connection for such attacks. |
Minor | Attacks that attempt to obtain critical information through directory traversal or information leaks. We recommend that you log such attacks. |
Warning | Attacks that attempt to obtain noncritical information or scan the network. They can also be obsolete (and probably harmless) attack traffic. We recommend that you log such attacks. |
Info | Attacks that are normal, harmless traffic containing URLs, DNS lookup failures, and SNMP public community strings. You can use informational attack objects to obtain information about your network. We recommend that you log such attacks. |
Note: Our severity rating is not based on CVSS (Common Vulnerability Scoring System). We do include data from Bugtraq (Symantec) and CVE (Common Vulnerabilities and Exposures).
Specifying Rule Optional Fields
Optional fields are user-defined name-value pairs you can configure if you want to be able to sort rules based on these fields. Optional fields do not affect the functionality of the security policy rule.
To specify optional fields, right-click the table cell and select Edit Options to display the Select Policy Custom Options dialog box, where you can configure name-value pairs.
Specifying Rule Comments
Comments are notations about the rule. Comments do not affect the functionality of the security policy rule.
To specify comments, right-click the table cell and select Edit Comments to display the Edit Comments dialog box, where you can enter a comment up to 1024 characters in length.