Example: Configuring IDP Protocol Anomaly-Based Attacks (CLI)

Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

The configuration instructions in this topic describe how to create a protocol anomaly-based attack object. In this example, you create a protocol anomaly attack named anomaly1 and assign it the following properties:

Once you have configured the protocol anomaly-based attack object, you specify the attack as match criteria in an Intrusion Detection and Prevention (IDP) policy rule. For more information, see Example: Defining Rules for an IDP IPS Rulebase.

To create a protocol anomaly-based attack object:

  1. Specify a name for the attack. The following statement specifies anomaly1 as the name of the attack.
    user@host# set security idp custom-attack anomaly1
  2. Specify common properties for the attack. The following statements specify an info severity level and a time binding with a scope type peer and count 2.
    user@host# set security idp custom-attack anomaly1 severity info
    user@host# set security idp custom-attack anomaly1 time-binding scope peer count 2
  3. Specify the attack type and test condition. The following statement specifies the attack type anomaly and test condition UNSUPPORTED_OPTIONS.
    user@host# set security idp custom-attack anomaly1 attack-type anomaly test UNSUPPORTED_OPTIONS
  4. Specify other properties for the anomaly attack. The following statement specifies the service TCP and attack direction any, and sets the shellcode flag to sparc and specifies .
    user@host# set security idp custom-attack anomaly1 attack-type anomaly service TCP
    user@host# set security idp custom-attack anomaly1 attack-type anomaly direction any
    user@host# set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
  5. If you are finished configuring the device, commit the configuration.
  6. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the Junos OS CLI Reference.
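
The following is an added example, not part of the Juniper documentation. It is a pre-commit check that groups `set security idp custom-attack` statements by attack name and reports any attack object missing a statement from steps 2 through 4, which catches a statement typed against the wrong object name. The function names, the `EXPECTED` checklist (taken from this procedure, not from Junos commit validation), and the `anomaly2` sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Checklist of statements steps 2-4 of this procedure place on the attack
# object. Assumption: mirrors this page, not Junos's own commit checks.
EXPECTED = {
    "severity": ("severity",),
    "time-binding": ("time-binding",),
    "anomaly test": ("attack-type", "anomaly", "test"),
    "anomaly service": ("attack-type", "anomaly", "service"),
    "anomaly direction": ("attack-type", "anomaly", "direction"),
}

# Optional CLI prompt, then the custom-attack path, attack name, and remainder.
SET_RE = re.compile(
    r"^(?:\S+[#>]\s*)?set\s+security\s+idp\s+custom-attack\s+(\S+)\s*(.*)$")

def parse_set_lines(text):
    """Group custom-attack statements: attack name -> list of token tuples."""
    attacks = defaultdict(list)
    for raw in text.splitlines():
        m = SET_RE.match(raw.strip())
        if m:
            name, rest = m.groups()
            attacks[name].append(tuple(rest.split()))
    return dict(attacks)

def missing_statements(attacks):
    """Return {attack name: [checklist entries not configured on it]}."""
    report = {}
    for name, stmts in attacks.items():
        missing = [label for label, prefix in EXPECTED.items()
                   if not any(s[:len(prefix)] == prefix for s in stmts)]
        if missing:
            report[name] = missing
    return report

# Constructed sample: the last statement is typed against a different name.
SAMPLE = """\
user@host# set security idp custom-attack anomaly1 severity info
user@host# set security idp custom-attack anomaly1 time-binding scope peer count 2
user@host# set security idp custom-attack anomaly1 attack-type anomaly test UNSUPPORTED_OPTIONS
user@host# set security idp custom-attack anomaly1 attack-type anomaly service TCP
user@host# set security idp custom-attack anomaly2 attack-type anomaly direction any
"""

if __name__ == "__main__":
    for name, gaps in missing_statements(parse_set_lines(SAMPLE)).items():
        print(f"{name}: missing {', '.join(gaps)}")
```

An empty report means every attack object in the batch carries all checklist statements; more than one attack name in the report is the usual sign of a mistyped object name.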
