Example: Configuring IDP Protocol Anomaly-Based Attacks (CLI)
Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
The configuration instructions in this topic describe how to create a protocol anomaly-based attack object. In this example, you create a protocol anomaly attack named anomaly1 and assign it the following properties:
- Time binding—Set the scope to peer and the count to 2 so that the anomaly is detected only after it occurs the specified number of times between the same source and destination IP addresses.
- Severity (info)—Report any attack that matches the conditions at the informational severity level.
- Attack direction (any)—Specify to detect the attack in both directions—client-to-server and server-to-client traffic.
- Service (TCP)—Specify to match attacks using the TCP service.
- Test condition (OPTIONS_UNSUPPORTED)—Specify to match certain predefined test conditions. In this example, the condition is to match if the attack includes unsupported options.
- Shellcode (sparc)—Set the flag to detect shellcode for Sparc platforms.
Once you have configured the protocol anomaly-based attack object, you specify the attack as match criteria in an Intrusion Detection and Prevention (IDP) policy rule. For more information, see Example: Defining Rules for an IDP IPS Rulebase.
To create a protocol anomaly-based attack object:
- Specify a name for the attack. The following statement specifies anomaly1 as the name of the attack.
  user@host# set security idp custom-attack anomaly1
- Specify common properties for the attack. The following statements specify an info severity level and a time binding with a scope type peer and count 2.
  user@host# set security idp custom-attack anomaly1 severity info
  user@host# set security idp custom-attack anomaly1 time-binding scope peer count 2
- Specify the attack type and test condition. The following statement specifies the attack type anomaly and test condition UNSUPPORTED_OPTIONS.
  user@host# set security idp custom-attack anomaly1 attack-type anomaly test UNSUPPORTED_OPTIONS
- Specify other properties for the anomaly attack. The following statements specify the service TCP and attack direction any, and set the shellcode flag to sparc.
  user@host# set security idp custom-attack anomaly1 attack-type anomaly service TCP
  user@host# set security idp custom-attack anomaly1 attack-type anomaly direction any
  user@host# set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
- If you are finished configuring the device, commit the configuration.
- From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the Junos OS CLI Reference.
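To check the committed object mechanically rather than by eye, the following added Python script (not part of the Junos documentation) parses a constructed excerpt of `show security idp custom-attack anomaly1` output in curly-brace format and compares it with every property this procedure sets; the stanza layout is an assumption and a real device may print it differently.

```python
# Added example (not from the Junos documentation): parse a constructed
# `show security idp custom-attack anomaly1` excerpt, whose layout is
# assumed, and check it against the properties this procedure configures.
SAMPLE = """
custom-attack anomaly1 {
    severity info;
    time-binding {
        count 2;
        scope peer;
    }
    attack-type {
        anomaly {
            test UNSUPPORTED_OPTIONS;
            service TCP;
            direction any;
            shellcode sparc;
        }
    }
}
"""

# Properties from the steps above, keyed by path below the attack name.
EXPECTED = {
    ("severity",): "info",
    ("time-binding", "scope"): "peer",
    ("time-binding", "count"): "2",
    ("attack-type", "anomaly", "test"): "UNSUPPORTED_OPTIONS",
    ("attack-type", "anomaly", "service"): "TCP",
    ("attack-type", "anomaly", "direction"): "any",
    ("attack-type", "anomaly", "shellcode"): "sparc",
}


def parse_stanza(text):
    """Flatten curly-brace config into {path_tuple: value}, dropping the root."""
    flat, stack = {}, []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.endswith("{"):            # block opens: push its name
            stack.append(line[:-1].strip())
        elif line == "}":                 # block closes
            stack.pop()
        elif line.endswith(";"):          # leaf statement: "key value;"
            key, _, value = line[:-1].partition(" ")
            flat[tuple(stack[1:] + [key])] = value.strip()
    return flat


def mismatches(text, expected=EXPECTED):
    """Return the expected (path, value) pairs the stanza does not satisfy."""
    flat = parse_stanza(text)
    return {p: v for p, v in expected.items() if flat.get(p) != v}
```

An empty result from `mismatches()` means every property in the example is present with the intended value; anything returned names the path that still needs a `set` statement or a commit.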
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP Protocol Anomaly-Based Attacks
- Example: Defining Rules for an IDP IPS Rulebase
- Example: Updating the IDP Signature Database Manually (CLI)
- Example: Updating the Signature Database Automatically (CLI)