Configuring Protocol Anomaly-Based Attacks
A protocol anomaly attack object detects unknown or sophisticated
attacks that violate protocol specifications (RFCs and common RFC
extensions). You cannot create new protocol anomalies, but you can
configure a new attack object that controls how your device handles
a predefined protocol anomaly when detected.
The following properties are specific to protocol anomaly attacks—attack
direction and test condition.
Before You Begin
- For background information, read:
- Establish basic connectivity. For more information, see the Getting Started Guide for your device.
- Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
When configuring protocol anomaly-based attacks, keep the following
in mind:
- The service or application binding is a mandatory field
for protocol anomaly attacks. Besides the supported applications,
services also include IP, TCP, UDP, ICMP, and RPC.
- The attack direction and test condition properties are
mandatory fields for configuring anomaly attack definitions.
The configuration instructions in this topic describe how to
create a signature-based attack object. In this example, you create
a protocol anomaly attack named anomaly1 and assign it the
following properties:
- Time binding—Specify the scope as peer and count as 2 to detect anomalies between source and destination IP addresses of the sessions for the specified number of times.
- Severity (info)—Specify to provide information about any attack that matches the conditions.
- Attack direction (any)—Specify to detect the attack in both directions—client-to-server and server-to-client traffic.
- Service (TCP)—Specify to match attacks using the TCP service.
- Test condition (OPTIONS_UNSUPPORTED)—Specify to match certain predefined test conditions. In this example, the condition is to match if the attack includes unsupported options.
- Shellcode (sparc)—Set the flag to detect shellcode for Sparc platforms.
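The following helper is an added example, not part of this topic: it assembles the CLI `set` statements for the anomaly1 object described above and refuses to emit an object that lacks the mandatory service binding, attack direction or test condition. The `[edit security idp custom-attack]` hierarchy and keyword names are assumed to match the CLI configuration editor; check them against your release.

```python
"""Build Junos 'set' statements for a protocol anomaly custom attack object
and enforce the mandatory fields named in this topic (service/application
binding, attack direction, test condition).

Assumption: the statements follow the [edit security idp custom-attack]
hierarchy of the CLI configuration editor."""

SEVERITIES = {"info", "warning", "minor", "major", "critical"}
DIRECTIONS = {"any", "client-to-server", "server-to-client"}


def build_anomaly_attack(name, service, direction, test,
                         severity=None, time_binding=None, shellcode=None):
    """Return the list of 'set' statements that define the attack object.

    time_binding is an optional (scope, count) pair, e.g. ("peer", 2)."""
    for field, value in (("service", service), ("direction", direction),
                         ("test", test)):
        if not value:
            raise ValueError(f"{field} is mandatory for a protocol anomaly attack")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown attack direction: {direction}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity}")

    base = f"set security idp custom-attack {name}"
    anomaly = f"{base} attack-type anomaly"
    stmts = []
    if time_binding:
        scope, count = time_binding
        stmts.append(f"{base} time-binding count {count} scope {scope}")
    if severity:
        stmts.append(f"{base} severity {severity}")
    # Mandatory anomaly properties: direction, service binding, test condition.
    stmts.append(f"{anomaly} direction {direction}")
    stmts.append(f"{anomaly} service {service}")
    stmts.append(f"{anomaly} test {test}")
    if shellcode:
        stmts.append(f"{anomaly} shellcode {shellcode}")
    return stmts


if __name__ == "__main__":
    # The anomaly1 object from this topic.
    for stmt in build_anomaly_attack("anomaly1", "TCP", "any", "OPTIONS_UNSUPPORTED",
                                     severity="info", time_binding=("peer", 2),
                                     shellcode="sparc"):
        print(stmt)
```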
Once you have configured the protocol anomaly-based attack object,
you specify the attack as match criteria in an IDP policy rule. For
more information, see Defining Rules for an IPS Rulebase.
You can use either J-Web or the CLI configuration editor to
create a custom attack object.