Example: Configuring IDP Signature-Based Attacks (CLI)

Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

The configuration instructions in this topic describe how to create a signature-based attack object. In this example, you create a signature attack named sig1 and assign it the following properties:

Once you have configured a signature-based attack object, you specify the attack as match criteria in an IDP policy rule. For more information, see Example: Defining Rules for an IDP IPS Rulebase.

To create a signature-based attack object:

  1. Specify a name for the attack. The following statement specifies sig1 as the name of the attack.
    user@host# set security idp custom-attack sig1
  2. Specify common properties for the attack. The following statements set the recommended action to drop packets and define a time binding with scope source and count 10.
    user@host# set security idp custom-attack sig1 recommended-action drop-packet
    user@host# set security idp custom-attack sig1 time-binding scope source count 10
  3. Specify the attack type and context. The following statement specifies the attack type signature and context packet.
    user@host# set security idp custom-attack sig1 attack-type signature context packet
  4. Specify the attack direction and the shellcode flag. The following statements specify the attack direction any and set the shellcode flag to intel.
    user@host# set security idp custom-attack sig1 attack-type signature direction any
    user@host# set security idp custom-attack sig1 attack-type signature shellcode intel
  5. Set the protocol and its fields. The following statement specifies the IP protocol and the TTL value 128.
    user@host# set security idp custom-attack sig1 attack-type signature protocol ip ttl value 128 match equal
  6. Specify the protocol binding and ports. The following statement specifies the TCP protocol and the port range from 50 through 100.
    user@host# set security idp custom-attack sig1 attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
  7. If you are finished configuring the device, commit the configuration.
  8. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the Junos OS CLI Reference.
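
A pre-commit check for the statements in this procedure, added here as an example and not part of Juniper's documentation or tooling: it parses pasted `set security idp custom-attack` lines and reports every property from the steps above that is not set, along with lines that cannot be used as typed. The `EXPECTED` list, the function names and the sample input are assumptions constructed for illustration.

```python
import re

PROMPT = re.compile(r"\S+@\S+?#\s*")   # CLI prompt such as "user@host# "
PREFIX = ["set", "security", "idp", "custom-attack"]

# Token paths (under the attack name) that the procedure above sets.
# Assumption: this list mirrors the page's steps, not Junos's own validation.
EXPECTED = [p.split() for p in (
    "recommended-action", "time-binding scope", "time-binding count",
    "attack-type signature context", "attack-type signature direction",
    "attack-type signature shellcode", "attack-type signature protocol",
    "attack-type signature protocol-binding",
)]

def parse(lines):
    """Group set statements by attack name; collect lines that cannot be used."""
    attacks, bad = {}, []
    for raw in lines:
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            line = line[m.end():]          # drop the leading prompt
        tokens = line.split()
        if not tokens:
            continue
        # A prompt left inside the line means two commands were run together.
        if PROMPT.search(line) or tokens[:4] != PREFIX or len(tokens) < 5:
            bad.append(raw)
            continue
        attacks.setdefault(tokens[4], []).append(tokens[5:])
    return attacks, bad

def audit(lines, name):
    """Return (expected properties not set for `name`, unusable lines)."""
    attacks, bad = parse(lines)
    stmts = attacks.get(name, [])
    missing = [" ".join(p) for p in EXPECTED
               if not any(s[:len(p) - 1] == p[:-1] and p[-1] in s[len(p) - 1:]
                          for s in stmts)]
    return missing, bad

# Constructed candidate: two commands fused on one line, and no direction statement.
CANDIDATE = """\
user@host# set security idp custom-attack sig1
user@host# set security idp custom-attack sig1 recommended-action drop-packetuser@host#set security idp custom-attack sig1 time-binding scope source count 10
user@host# set security idp custom-attack sig1 attack-type signature context packet
user@host# set security idp custom-attack sig1 attack-type signature shellcode intel
user@host# set security idp custom-attack sig1 attack-type signature protocol ip ttl value 128 match equal
user@host# set security idp custom-attack sig1 attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
""".splitlines()
```

Calling `audit(CANDIDATE, "sig1")` returns the properties still missing and the fused line, so the gap is caught before the attack object is referenced in an IDP policy rule.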
