Creating a Signature Attack Object (NSM Procedure)
A signature attack object is a pattern you want the system to detect. You use a DFA expression to represent the pattern. All of the other signature properties you can set (such as service or protocol context, direction, and other constraints) are provided so you can optimize performance of the system in detecting the pattern and eliminate false positives. In general, you want to tune settings of a signature attack object so that the system looks for it in every context where it might occur and in no other context.
To configure a signature attack object:
- In the Object Manager, select Attack Objects > IDP Objects.
- Click the Custom Attacks tab.
- Click the + icon to display the Custom Attack dialog box.
- Configure attack object settings. Table 1 provides guidelines for completing the settings.
Table 1: Custom Attack Dialog Box: General Tab Settings
Name–The name displayed in the UI.
Tip: Include the protocol the attack uses as part of the attack name.
Description–(Optional) Information about the attack. Although a description is optional when you create a new attack object, it can help you remember important information about the attack. For examples, view the attack descriptions for predefined attacks.
Severity–Info, Warning, Minor, Major, or Critical. Critical attacks are attempts to crash your server or gain control of your network. Informational attacks are the least dangerous and typically are used by network administrators to discover holes in their own security system.
Category–A predefined or new category.
Keywords–Unique identifiers that can be used to search and sort log records.
Recommended–Indicates that this attack object is among your highest-risk set of attack objects. Later, when you add this attack object to dynamic groups, you can specify whether to include only recommended attack objects.
Attack Versions–Skip this for now.
Detection Performance–Select High, Medium, Low, or Not Defined.
- Configure additional attack details on the Extended tab. Table 2 provides guidelines for completing the settings.
Table 2: Custom Attack Dialog Box: Extended Tab Settings
Primary URL, Secondary URL, Tertiary URL–Up to three URLs (primary, secondary, tertiary) to external references you used to research the attack.
CVE–The Common Vulnerabilities and Exposures (CVE) ID that the attack object addresses. CVE is a standardized list of vulnerabilities and other information security exposures. The CVE number is an alphanumeric code, such as CVE-2209.
BugTraq–The BugTraq ID number that the attack object addresses. BugTraq is a moderated mailing list that discusses and announces computer security vulnerabilities. The BugTraq ID number is a three-digit code, such as 831 or 120.
Impact–Information about the impact of a successful attack, including information about system crashes and access granted to the attacker.
Description–Additional information.
Tech Info–Information about the vulnerability, the commands used to execute the attack, which files are attacked, registry edits, and other low-level information.
Patches–Any patches available from the product vendor, as well as information about how to prevent the attack.
- Click the General tab.
- Under Attack Versions, click the + icon to display the New Attack wizard.
- On the Target Platform and Type page, select a device platform and attack type. Table 3 describes the attack types.
Table 3: Attack Object Types
Signature–Uses a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks.
Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.
If you know the exact attack signature, the protocol, and the attack context used for a known attack, select this option.
Compound Attack–Detects attacks that use multiple methods to exploit a vulnerability. This object combines multiple signatures or protocol anomalies into a single attack object, forcing traffic to match all combined signatures or anomalies within the compound attack object before traffic is identified as an attack.
By combining, and even specifying the order in which, signatures or anomalies must match, you can be very specific about the events that must take place before the IDP engine identifies traffic as an attack.
If you need to detect an attack that uses several benign activities to attack your network, or if you want to enforce a specific sequence of events before the attack is considered malicious, select this option.
- Select Signature and click Next.
- On the Custom Attack – General Properties page, configure constraints and other settings. Table 4 provides guidelines for completing the settings.
Table 4: Custom Attack – General Properties
Info
False Positives–Select the frequency with which the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently.
Typically, you do not initially know the frequency of false positives. You can update this setting as your observations change.
Service Binding
Protocol Type–Select one of the following:
- Service–If you were able to determine the service through your research, select Service. Later in the wizard, you can specify a service context.
- IP–If you are not sure of the service but you know IP details, select IP and specify a protocol type number.
- TCP, UDP, or ICMP–If you do not know the service context but you know protocol details, select the protocol. For TCP and UDP protocol types, specify the port ranges.
- RPC–If you are detecting threats over the remote procedure call (RPC) protocol, select this option and specify the program ID. RPC is used by distributed processing applications to handle interaction between processes remotely. When a client makes a remote procedure call to an RPC server, the server replies with a remote program. Each remote program uses a different program number.
- IPv6 or ICMPv6–Do not select these options. IDP Series devices do not support inspection of IPv6.
- Any–If you are unsure of the correct service, select Any to match the signature in all services. Matching any service essentially turns off service binding and has a significant performance impact. Specify Any only when you know that attacks are using multiple services to attack your network.
Note: You must select a service binding other than Any if you want to select a context for the attack.
Time Binding
Enable–Time binding attributes track how many times a signature is repeated. By configuring the scope and count of an attack, you can detect a sequence of the same attacks over a period of time (one minute) across sessions. This method is useful for detecting brute force attacks that attempt to guess authentication credentials or overwhelm the system's capacity to handle data.
Scope–Select the scope within which the count occurs:
- Source–Detects the signature in traffic from the source IP address for the specified number of times, regardless of the destination IP address.
- Destination–Detects the signature in traffic to the destination IP address for the specified number of times, regardless of the source IP address.
- Peer–Detects the signature in traffic between the source and destination IP addresses of the sessions for the specified number of times.
Count/Min–Enter the number of times per minute that the signature must be detected within the specified scope before the device identifies the traffic as a match.
The minute timer starts when the signature first matches the event. If the signature matches the same event for the specified count or higher within the next 60 seconds, the traffic is a match.
The system increments the count each time it detects the signature, either regardless of port (application identification) or according to your port binding settings. For example, when the system detects the signature on TCP/80 and then on TCP/8080, the count is 2.
Constraints
Within Bytes Constraint–Use this constraint to require that the pattern be found within a byte range:
- Lower limit–Specify the beginning of the range.
- Upper limit–Specify the end of the range.
- Start point–Your selection must be consistent with your pattern context setting. For example, if you configured one of the service contexts, select Context. If you configured one of the packet contexts, select Packet. If you configured one of the stream contexts, select Stream.
In NSM, it is possible to select a start point that is inconsistent with the pattern context setting. For example, the NSM object editor allows you to configure the pattern context http-variable and then set a within bytes start point of start-of-packet. However, the within bytes match logic is resolved to the start point you should have selected: context.
Inspection for this object terminates when the range limit is reached.
Example: If you know a threat can be identified either completely within the first 20 bytes of the http-variable context or not at all, set the context to http-variable and use the within bytes constraint to terminate inspection after bytes 1-20 of the generated http-variable context are processed.
You can set multiple constraints. The constraints are evaluated as a Boolean OR.
Example: You configure two start-of-stream constraints with byte ranges of 20-40 and 80-100. The constraint rules out matches unless they are found within either byte range.
Within Packets Constraint–Use this constraint to require that the pattern be found completely within a packet range:
- Lower limit–Specify the beginning of the range.
- Upper limit–Specify the end of the range.
Inspection (for this object) terminates when the range limit is reached.
Example: If you know a threat can be identified either in the first 2 packets or not at all, set a stream context and use the within packets constraint to terminate inspection after 2 packets.
Context Check–Use this constraint to require that the matching context be of a specified byte length to count as a hit:
- Constraint–Select length.
- Comparison operator–Select =, !, >, or <.
- Operand–Select a byte length.
Example: The context check constraint can serve as a tuning device to limit processing of harmless traffic. If you know that a certain class of attack, such as a buffer overflow, always has an unusually large byte length in a given context, you can use this constraint to ignore contexts of normal length. If you set the FTP username context length requirement to > 18, you see signature hits only if the FTP username context is longer than 18 bytes.
You can specify multiple constraints. For example, if you add a < 25 constraint to the previous example, you see hits only if the username context is between 18 and 25 bytes.
Click Next.
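The Time Binding behaviour described in Table 4 (Scope, Count/Min, and the 60-second timer that starts on the first hit), as an added Python model that is not NSM or IDP engine code. The event tuples and addresses are constructed sample data, and the windowing rule follows the table text, with hits counted regardless of port.

```python
# Added example: models the NSM Time Binding setting (Scope + Count/Min) from Table 4.
# Not NSM or IDP engine code; the window rule follows the table text: the minute timer
# starts on the first hit for a scope key, and the traffic is a match once the hit
# count reaches Count within the next 60 seconds. Hits are counted regardless of port.

SCOPES = ("Source", "Destination", "Peer")


class TimeBinding:
    WINDOW = 60.0  # seconds; Count/Min is "per minute"

    def __init__(self, scope: str, count: int):
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}")
        self.scope = scope
        self.count = count
        self._state = {}  # scope key -> (window_start, hits)

    def _key(self, src: str, dst: str) -> tuple:
        if self.scope == "Source":       # same source, any destination
            return (src,)
        if self.scope == "Destination":  # same destination, any source
            return (dst,)
        return (src, dst)                # Peer: this source/destination pair

    def hit(self, src: str, dst: str, ts: float) -> bool:
        """Record one signature hit at time ts; return True if it completes a match."""
        key = self._key(src, dst)
        start, hits = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.WINDOW:
            start, hits = ts, 0          # first hit, or the minute expired: restart timer
        hits += 1
        self._state[key] = (start, hits)
        return hits >= self.count


def replay(scope: str, count: int, events) -> list:
    """Replay (ts, src, dst, port) hits; return indexes of the events that produced a match."""
    tb = TimeBinding(scope, count)
    return [i for i, (ts, src, dst, _port) in enumerate(events) if tb.hit(src, dst, ts)]


# Constructed sample: one host triggers the signature against three servers on two
# ports within 30 s, then once more after the minute has elapsed (TCP/80 and TCP/8080
# both count, as the table's port example states).
SAMPLE_HITS = [
    (0.0, "10.0.0.5", "192.0.2.10", 80),
    (12.0, "10.0.0.5", "192.0.2.11", 8080),
    (30.0, "10.0.0.5", "192.0.2.12", 80),
    (95.0, "10.0.0.5", "192.0.2.10", 80),
]

if __name__ == "__main__":
    print("Source, Count/Min 3:", replay("Source", 3, SAMPLE_HITS))  # [2]
    print("Peer, Count/Min 3:", replay("Peer", 3, SAMPLE_HITS))      # []
```

With scope Source the third hit completes the match even though each hit targets a different server; with scope Peer no pair reaches the count, and the hit at 95 s restarts the timer rather than extending the earlier window.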
- On the Custom Attack – Attack Pattern page, configure pattern settings. Table 5 provides guidelines for completing the settings.
Table 5: Custom Attack – Attack Pattern
Pattern–A DFA expression. The following list summarizes DFA syntax conventions. For detailed information, consult a standard source on programming with regular expressions.
- \B.0.1..00\B–Bit-level matching for binary protocols. The length of the bitmask must be a multiple of 8. The first \B denotes the start of the bitmask and the last \B denotes its end. A dot (.) indicates that the bit at that position can be either 0 or 1; a 0 or 1 requires the bit at that position to be 0 or 1, respectively.
- \0<octal_number>–Direct binary match of the byte with the given octal value.
- \X<hexadecimal-number>\X–Direct binary match of the given hexadecimal bytes.
- \[<character-set>\]–Case-insensitive match.
- .–Matches any symbol.
- *–Matches 0 or more symbols.
- +–Matches 1 or more symbols.
- ?–Matches 0 or 1 symbol.
- ()–Grouping of expressions.
- |–Alternation. Typically used with (). Example: the expression (dog | cat) matches dog or cat.
- []–Character class. Any explicit value within the brackets matches at that position. Example: [Dd]ay matches Day and day.
- [<start>-<end>]–Character range. Any value within the range (denoted with a hyphen) matches. You can mix a character class and a hexadecimal range. Example: [AaBbCcDdEeFf0-9].
- [^<start>-<end>]–Negation of a character range. Example: [^Dd]ay matches Hay and ray, but not Day or day.
Note: To negate an entire signature pattern, select the Negate option under the pattern text box.
- \u<string>\u–Unicode-insensitive match.
- \s–Whitespace.
- \–Escape. Use a backslash to escape special characters so that they are matched literally and not processed as regular expression operators. The special characters and their escaped forms are: * as \*, ( as \(, ) as \), . as \., + as \+, \ as \\, [ as \0133, and ] as \0135.
Note: Because the combination of the backslash and the open and close square brackets is used in the case-insensitive expression, you must use the backslash with the octal code for the bracket characters.
Negate–Negates the attack pattern.
Context–Binds pattern matching to a context.
For known services, such as HTTP, select the service in the first box, and select the HTTP context you discovered with scio ccap, such as HTTP POST Parsed Param, in the second box.
If you were unable to discover the context, select Other in the first box, and select one of the following contexts in the second box:
- Packet–Detects the pattern in any packet.
- First Packet–Inspects only the first packet of a stream. When the flow direction is set to any, the detector engine checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. Less processing means greater performance. If you know that the pattern appears in the first packet of a session, select First Packet.
- First Data Packet–Inspection ends after the first data packet of a stream. Select this option to detect the attack in only the first data packet of a stream. If you know that the pattern appears in the first data packet of a stream, select First Data Packet.
- Stream 256–Reassembles packets and searches for a pattern match within the first 256 bytes of a traffic stream. Stream 256 is often the best choice for non-UDP attacks. When the flow direction is set to any, the detector engine checks the first 256 bytes of both the STC and CTS flows. If you know that the pattern appears in the first 256 bytes of a session, select Stream 256.
- Stream 8K–Like Stream 256, except that it reassembles packets and searches for a pattern match within the first 8192 bytes of a traffic stream.
- Stream 1K–Like Stream 256, except that it reassembles packets and searches for a pattern match within the first 1024 bytes of a traffic stream.
- Line–Detects a pattern within a specific line. Use this context for line-oriented applications or protocols (such as FTP).
- Stream–Reassembles packets and extracts the data to search for a pattern match. However, the IDP engine does not recognize packet boundaries for stream contexts, so data from multiple packets is combined. Select this option only when no other context option contains the attack.
Note: If you select a line, stream, or service context, you do not configure match criteria for IP settings and protocol header fields.
Direction–Select the direction in which to detect the pattern:
- Client to Server–Detects the pattern only in client-to-server traffic.
- Server to Client–Detects the pattern only in server-to-client traffic.
- Any–Detects the pattern in either direction.
The session initiator is considered the client, even if that source IP is a server.
Flow–Select the flow in which to detect the attack:
- Control–Detects the pattern in the initial connection that is established to issue commands, requests, and so on. Ninety-nine percent of signatures use control.
- Auxiliary–Detects the pattern in the response connection that is established intermittently to transfer requested data. This option supports a small number of protocols, such as FTP.
- Both–Detects the pattern in the initial and response connections.
Tip: Using a single flow (instead of Both) improves performance and increases detection accuracy.
Click Next to display the Custom Attack – IP Settings and Header Matches page. Table 6 provides guidelines for completing the settings.
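The DFA conventions in Table 5 and the Within Bytes constraint from Table 4, as an added Python translator that is not NSM or IDP engine code: it maps each construct to a Python byte regex so a draft pattern can be tried against captured payloads offline before it goes into an attack object. The function names and sample payloads are constructed for this example; the \u...\u form is not covered.

```python
import re

# Added example: translates the NSM DFA pattern syntax of Table 5 into a Python byte
# regex. Not NSM or IDP engine code; \u...\u (Unicode-insensitive) is not handled.


def _bitmask_class(bits: str) -> str:
    """One byte of a \\B...\\B mask, MSB first: '.' = either, '0'/'1' = required bit."""
    mask = int("".join("0" if b == "." else "1" for b in bits), 2)
    want = int(bits.replace(".", "0"), 2)
    return "[" + "".join(re.escape(chr(b)) for b in range(256) if b & mask == want) + "]"


def dfa_to_regex(pattern: str) -> bytes:
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c != "\\" or i + 1 == n:
            out.append(c)          # . * + ? ( ) | [..] [^..] pass through unchanged
            i += 1
            continue
        d = pattern[i + 1]
        if d == "B":               # \B<bits>\B: bit-level match, length a multiple of 8
            j = pattern.index("\\B", i + 2)
            bits = pattern[i + 2:j]
            if len(bits) % 8:
                raise ValueError("bitmask length must be a multiple of 8")
            out += [_bitmask_class(bits[k:k + 8]) for k in range(0, len(bits), 8)]
            i = j + 2
        elif d == "X":             # \X<hex>\X: direct binary match
            j = pattern.index("\\X", i + 2)
            out.append(re.escape(bytes.fromhex(pattern[i + 2:j])).decode("latin-1"))
            i = j + 2
        elif d == "0":             # \0<octal>: one byte, e.g. \0133 is '['
            m = re.match(r"[0-7]{1,3}", pattern[i + 2:])
            if not m:
                raise ValueError("\\0 must be followed by octal digits")
            out.append(re.escape(chr(int(m.group(), 8))))
            i += 2 + m.end()
        elif d == "[":             # \[text\]: case-insensitive match
            j = pattern.index("\\]", i + 2)
            out.append("(?i:" + re.escape(pattern[i + 2:j]) + ")")
            i = j + 2
        elif d == "s":             # whitespace
            out.append(r"\s")
            i += 2
        else:                      # \* \( \) \. \+ \\ : literal operator character
            out.append(re.escape(d))
            i += 2
    return "".join(out).encode("latin-1")


def dfa_match(pattern: str, data: bytes) -> bool:
    """True if the pattern occurs anywhere in data ('.' matches any byte, newline included)."""
    return re.search(dfa_to_regex(pattern), data, re.DOTALL) is not None


def dfa_match_within(pattern: str, data: bytes, ranges) -> bool:
    """Within Bytes constraint (Table 4): the match must lie wholly inside one of the
    1-based (lower, upper) byte ranges; several ranges are evaluated as a Boolean OR."""
    rx = dfa_to_regex(pattern)
    return any(re.search(rx, data[lo - 1:hi], re.DOTALL) for lo, hi in ranges)
```

Searching each constrained slice separately is what makes the OR semantics exact: a match that straddles a range boundary is rejected, and a match in any one range is enough.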
- If you have selected a line, stream, stream 256, or service context, do not configure match criteria for IP settings and protocol header fields. Click Finish.
If you are using a packet context, you can refine matching by adding criteria for IP flags and packet headers, as described in the following tables.
Tip: If you are unsure of the IP flags and IP fields you want to match, leave all fields blank. If no values are set, the IDP engine attempts to match the signature for all header contents.
Table 6: Custom Attack – IP Settings and Header Matches Page
IP Version–Select IPv4. IDP Series devices do not support inspection of IPv6.
Type of Service–Service type. Common service types are:
- 0000 Default
- 0001 Minimize Cost
- 0002 Maximize Reliability
- 0003 Maximize Throughput
- 0004 Minimize Delay
- 0005 Maximize Security
Packet Length–Number of bytes in the packet, including all header fields and the data payload.
ID–Unique value used by the destination system to reassemble a fragmented packet.
Time-to-live–Time-to-live (TTL) value of the packet. This value represents the number of routers the packet can pass through. Each router that processes the packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded.
Protocol–Protocol used in the attack.
Source–IP address of the attacking device.
Destination–IP address of the attack target.
RB–Reserved bit. This bit is not used.
MF–More fragments. When set (1), this option indicates that the packet contains more fragments. When unset (0), it indicates that no more fragments remain.
DF–Don't fragment. When set (1), this option indicates that the packet cannot be fragmented for transmission.
Table 7 provides guidelines for completing the settings.
Table 7: Custom Attack Object: TCP Packet Header Fields
Source Port–Port number on the attacking device.
Destination Port–Port number of the attack target.
Sequence Number–Sequence number of the packet. This number identifies the location of the data in relation to the entire data sequence.
ACK Number–ACK number of the packet. This number identifies the next expected sequence number; the ACK flag must be set to activate this field.
Header Length–Number of bytes in the TCP header.
Window Size–Number of bytes in the TCP window.
Data Length–Number of bytes in the data payload. For SYN, ACK, and FIN packets, this field should be empty.
Urgent Pointer–Indicates that data in the packet is urgent; the URG flag must be set to activate this field.
URG Bit–Urgent flag. When set, indicates that the packet data is urgent.
ACK Bit–Acknowledgment flag. When set, acknowledges receipt of a packet.
PSH Bit–Push flag. When set, indicates that the receiver should push all data in the current sequence to the destination application (identified by the port number) without waiting for the remaining packets in the sequence.
RST Bit–Reset flag. When set, resets the TCP connection, discarding all packets in an existing sequence.
FIN Bit–Final flag. When set, indicates that the packet transfer is complete and the connection can be closed.
R1 Bit, R2 Bit–Reserved bits. Unused.
Table 8 provides guidelines for completing the settings.
Table 8: Custom Attack Object: UDP Header Fields
Source Port–Port number on the attacking device.
Destination Port–Port number of the attack target.
Data Length–Number of bytes in the data payload.
Table 9 provides guidelines for completing the settings.
Table 9: Custom Attack Object: ICMP Packet Header Fields
ICMP Type–Primary code that identifies the function of the request or reply.
ICMP Code–Secondary code that identifies the function of the request or reply within a given type.
Sequence Number–Sequence number of the packet. This number identifies the location of the request/reply in relation to the entire sequence.
ICMP ID–Identification number, which is a unique value used by the destination system to associate requests and replies.
Data Length–Number of bytes in the data payload.
Note: ICMPv6 header fields are not applicable. IDP Series devices do not support inspection of IPv6.
- Click Finish.