Example: Defining Rules for an IDP IPS Rulebase

This example shows how to define rules for an IDP IPS rulebase.

Requirements

Before you begin:

Overview

Each rule is composed of match conditions, objects, actions, and notifications. When you define an IDP rule, you must specify the type of network traffic you want IDP to monitor for attacks by using the following characteristics—source zone, destination zone, source IP address, destination IP address, and the Application Layer protocol supported by the destination IP address. The rules are defined in rulebases, and rulebases are associated with policies.

This example describes how to create a policy called base-policy, specify a rulebase for this policy, and then add a rule R1 to this rulebase. In this example, rule R1 matches traffic from the trust zone to the untrust zone with any source and destination address, matches the application configured in the attack objects (application default), matches the predefined attack group Critical-TELNET, drops the connection when an attack is detected, logs the attack and marks the log entry as an alert, and assigns the rule a severity of critical.

After defining the rule, you specify base-policy as the active policy on the device.

Configuration

CLI Quick Configuration

To quickly define rules for an IDP IPS rulebase, copy the following commands and paste them into the CLI.

[edit]
set security idp idp-policy base-policy
set security idp idp-policy base-policy rulebase-ips
set security idp idp-policy base-policy rulebase-ips rule R1
set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust source-address any destination-address any application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "Critical-TELNET"
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical
set security idp active-policy base-policy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To define rules for an IDP IPS rulebase:

  1. Create a policy by assigning a meaningful name to it.
    [edit]
    user@host# set security idp idp-policy base-policy
  2. Associate a rulebase with the policy.
    [edit security idp idp-policy base-policy]
    user@host# set rulebase-ips
  3. Add a rule to the rulebase.
    [edit security idp idp-policy base-policy rulebase-ips]
    user@host# set rule R1
  4. Define the match criteria for the rule. With application default, IDP matches the application configured in the attack objects selected in the next step.
    [edit security idp idp-policy base-policy rulebase-ips rule R1]
    user@host# set match from-zone trust to-zone untrust source-address any destination-address any application default
  5. Define an attack group as match criteria.
    [edit security idp idp-policy base-policy rulebase-ips rule R1]
    user@host# set match attacks predefined-attack-groups "Critical-TELNET"
  6. Specify an action for the rule.
    [edit security idp idp-policy base-policy rulebase-ips rule R1]
    user@host# set then action drop-connection
  7. Specify notification and logging options for the rule.
    [edit security idp idp-policy base-policy rulebase-ips rule R1]
    user@host# set then notification log-attacks alert
  8. Set the severity level for the rule.
    [edit security idp idp-policy base-policy rulebase-ips rule R1]
    user@host# set then severity critical
  9. Activate the policy.
    [edit]
    user@host# set security idp active-policy base-policy
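The IDP policy defined in the steps above inspects nothing on its own: on an SRX device that uses active-policy, only sessions permitted by a security policy whose permit action includes application-services idp are handed to the IDP engine, and the predefined attack group Critical-TELNET exists only after the IDP signature package has been downloaded and installed (request security idp security-package download, then request security idp security-package install). The following is an added example, not part of the original page, that completes the configuration with such a security policy. The policy name permit-idp, the use of the zones trust and untrust as the ones already defined on the device, and the session-close logging line are assumptions for illustration.

```junos
# Added example (not from the original page). Zone names trust/untrust are
# assumed to exist already; the policy name permit-idp is an assumption.

# IDP policy, rulebase and rule R1 exactly as defined in the procedure above
set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust source-address any destination-address any application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "Critical-TELNET"
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical
set security idp active-policy base-policy

# Security policy that permits trust-to-untrust sessions and hands them to IDP.
# Without application-services idp on the permit action, base-policy never sees
# the traffic and rule R1 never fires.
set security policies from-zone trust to-zone untrust policy permit-idp match source-address any
set security policies from-zone trust to-zone untrust policy permit-idp match destination-address any
set security policies from-zone trust to-zone untrust policy permit-idp match application any
set security policies from-zone trust to-zone untrust policy permit-idp then permit application-services idp

# Optional (assumed here): log session closes so that a connection dropped by
# R1 is visible in the security log alongside the IDP attack log entry.
set security policies from-zone trust to-zone untrust policy permit-idp then log session-close

commit
```

Because the rule matches application default, IDP applies the Critical-TELNET attack objects to sessions it identifies as Telnet regardless of the security policy matching application any. Narrowing the security policy to application junos-telnet would limit what reaches IDP but not change which attack objects are evaluated.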

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security idp
idp-policy base-policy {
    rulebase-ips {
        rule R1 {
            match {
                from-zone trust;
                source-address any;
                to-zone untrust;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups Critical-TELNET;
                }
            }
            then {
                action {
                    drop-connection;
                }
                notification {
                    log-attacks {
                        alert;
                    }
                }
                severity critical;
            }
        }
    }
}
active-policy base-policy;

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the rules in the IDP IPS rulebase are configured correctly and that base-policy is the active policy.

Action

From operational mode, enter the show security idp status command and confirm that it reports base-policy as the current policy. The policy is compiled and loaded only after the configuration is committed, so a policy that is configured but not committed does not appear here.
