IDP Extended Package Configuration Overview
The Junos OS Intrusion Detection and Prevention (IDP) policy lets you selectively enforce attack detection and prevention techniques on network traffic passing through an IDP-enabled device. You define policy rules that match a section of traffic based on zone, network, and application, and then take active or passive preventive actions on that traffic.
An IDP policy therefore defines how the device handles the network traffic that traverses it.
A policy is made up of rule bases, and each rule base contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, then add the rules to rule bases. After you create an IDP policy by adding rules to one or more rule bases, you can select that policy as the active policy on the device.
To configure the IDP extended package (IPS-EP), perform the following steps:
Enable IPS in a security policy. See Configuring IDP Policy Rules and IDP Rulebases.
Configure IDP policy rules, IDP rule bases, and IDP rule actions. See Configuring IDP Policy Rules and IDP Rulebases.
Configure IDP custom signatures. See IDP Signature-Based Attacks.
Update the IDP signature database. See Intrusion Detection and Prevention Feature Guide for Security Devices.
Configure IPS Rules using the Protocols and Header Inspection Fields:
- Configuring packet inspection against the following IPv4 fields:
Fragment Offset:
set firewall family inet filter Filter_IPv4_Frag_Offset term T1 from fragment-offset 1-2961
Header Checksum:
set security idp custom-attack Sig_IPv4_Header_Checksum attack-type signature protocol ipv4 checksum-validate match not-equal value 0xabcd
IP Options:
set security screen ids-option trust_screen ip record-route-option
- Configuring packet inspection against the following IPv6 fields:
Flow Label:
set security idp custom-attack Sig_IPv6_Flow_Label attack-type signature protocol ipv6 flow-label match equal value 0
Routing Header:
set security idp custom-attack Sig_IPv6_Routing_Header attack-type signature protocol ipv6 extension-header routing-header header-type match equal value 2
Payload Length:
set security idp custom-attack Sig_IPv6_Payload_length attack-type signature protocol ipv6 payload-length match greater-than value 300
- Configuring packet inspection against the following ICMPv4 fields:
Checksum:
set security idp custom-attack Sig_ICMP_Checksum attack-type signature protocol icmp checksum-validate match equal value 0xabcd
Identification:
set security idp custom-attack Sig_ICMP_Identification attack-type signature protocol icmp identification match equal value 0x1234
Sequence Number:
set security idp custom-attack Sig_ICMP_Seq_Num attack-type signature protocol icmp sequence-number match equal value 0x2345
- Configuring packet inspection against the following ICMPv6 fields:
Type:
set security idp custom-attack Sig_ICMPv6_Type attack-type signature protocol icmpv6 type match equal value 128
Code:
set security idp custom-attack Sig_ICMPv6_Code attack-type signature protocol icmpv6 code match equal value 10
Header Checksum:
set security idp custom-attack Sig_ICMPv6_Checksum attack-type signature protocol icmpv6 checksum-validate match equal value 0xabcd
- Configuring packet inspection against the following TCP fields:
Offset:
set security idp custom-attack Sig_TCP_Offset attack-type signature protocol tcp header-length match equal value 8
TCP Flags:
set security idp custom-attack Sig_TCP_Flags attack-type signature protocol tcp tcp-flags psh
Checksum:
set security idp custom-attack Sig_TCP_Checksum attack-type signature protocol tcp checksum-validate match equal value 0xabcd
TCP Options:
set security idp custom-attack Sig_TCP_Options attack-type signature protocol tcp option match not-equal value 0
- Configuring packet inspection against the following UDP fields:
Checksum:
set security idp custom-attack Sig_UDP_Checksum attack-type signature protocol udp checksum-validate match equal value 0xabcd
- Configuring the ip unknown-protocol IDS screen option. See unknown-protocol (IDS Screen Next Gen Services).
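The header checks above are easiest to trust once you have seen them fire on packets you built yourself. The following Python script is an added example, not code from this page or from Juniper: it builds IPv4/ICMPv4 packets with `struct`, parses the fields the rules above key on (fragment offset, IP options, IPv4 header checksum, ICMP identification and checksum), and reports which of the page's checks would fire. The function names, the 10.0.0.1/10.0.0.2 addresses, the constructed record-route option, and the treatment of a checksum-validate hit as "the checksum does not verify" are assumptions of the example; the page does not spell out the match semantics of the `value` argument.

```python
import struct

# Thresholds taken from the rules above
FRAG_OFFSET_RANGE = (1, 2961)   # firewall filter term T1: fragment-offset 1-2961
ICMP_ID_VALUE = 0x1234          # Sig_ICMP_Identification: identification equal 0x1234
IPOPT_RECORD_ROUTE = 7          # IP option type checked by "ip record-route-option"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement of the one's-complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, data: bytes = b"ping",
                    corrupt_checksum: bool = False) -> bytes:
    """ICMPv4 echo request; optionally with a deliberately wrong checksum."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data)
    if corrupt_checksum:
        csum ^= 0x00FF
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def build_ipv4(payload: bytes, proto: int = 1, frag_offset: int = 0,
               options: bytes = b"", corrupt_checksum: bool = False) -> bytes:
    """Minimal IPv4 packet 10.0.0.1 -> 10.0.0.2 (assumed addresses): options
    padded to a 32-bit boundary, flags clear, 13-bit fragment offset."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x4242, frag_offset & 0x1FFF, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    csum = inet_checksum(hdr)
    if corrupt_checksum:
        csum ^= 0x00FF                       # flip the low byte: checksum no longer verifies
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 fields the header-inspection rules key on."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _s, _d = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    opts, option_types, i = pkt[20:ihl], [], 0
    while i < len(opts) and opts[i] != 0:          # type 0 = end of option list
        option_types.append(opts[i])
        i += 1 if opts[i] == 1 else opts[i + 1]    # type 1 = NOP (1 byte), else TLV
    return {
        "frag_offset": flags_frag & 0x1FFF,
        "options": option_types,
        # Summing a header whose checksum field is correct yields 0
        "checksum_valid": inet_checksum(pkt[:ihl]) == 0,
        "proto": proto,
        "payload": pkt[ihl:total_len],
    }


def parse_icmp(data: bytes) -> dict:
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", data[:8])
    return {"type": typ, "code": code, "identification": ident,
            "sequence_number": seq, "checksum_valid": inet_checksum(data) == 0}


def inspect(pkt: bytes) -> dict:
    """Which of the rules above would fire on this packet. A checksum-validate
    hit is taken to mean 'the checksum does not verify' (assumption)."""
    ip = parse_ipv4(pkt)
    lo, hi = FRAG_OFFSET_RANGE
    hits = {
        "Filter_IPv4_Frag_Offset": lo <= ip["frag_offset"] <= hi,
        "ip-record-route-option": IPOPT_RECORD_ROUTE in ip["options"],
        "Sig_IPv4_Header_Checksum": not ip["checksum_valid"],
    }
    if ip["proto"] == 1 and ip["frag_offset"] == 0:  # only the first fragment carries the ICMP header
        icmp = parse_icmp(ip["payload"])
        hits["Sig_ICMP_Identification"] = icmp["identification"] == ICMP_ID_VALUE
        hits["Sig_ICMP_Checksum"] = not icmp["checksum_valid"]
    return hits


# Record-route option: type 7, length 11, pointer 4, room for two addresses (constructed)
RECORD_ROUTE_OPT = bytes([7, 11, 4]) + b"\x00" * 8

if __name__ == "__main__":
    samples = {
        "clean echo, id 0x1234": build_ipv4(build_icmp_echo(0x1234, 1)),
        "bad IPv4 checksum":     build_ipv4(build_icmp_echo(0x1, 1), corrupt_checksum=True),
        "record-route option":   build_ipv4(build_icmp_echo(0x1, 1), options=RECORD_ROUTE_OPT),
        "fragment, offset 100":  build_ipv4(b"A" * 8, frag_offset=100),
    }
    for label, pkt in samples.items():
        print(f"{label:24} {inspect(pkt)}")
```

Note that a non-initial fragment carries no transport header, so the ICMP checks are skipped for it; on the device, the fragment-offset term and the ICMP signatures likewise see different packets of the same datagram.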
Configure IPS Rules for String-based Packet Matching against Packet Payload Data:
- String detection in packet payload for the following protocols and contexts:
ICMPv4 string detection:
set security idp custom-attack Sig_ICMPv4_Detection attack-type signature context packet direction any
set security idp custom-attack Sig_ICMPv4_Detection attack-type signature pattern .*test_string.*
set security idp custom-attack Sig_ICMPv4_Detection attack-type signature protocol-binding icmp
ICMPv6 string detection:
set security idp custom-attack Sig_ICMPv6_Detection attack-type signature context packet direction any
set security idp custom-attack Sig_ICMPv6_Detection attack-type signature pattern .*test_string.*
set security idp custom-attack Sig_ICMPv6_Detection attack-type signature protocol-binding icmpv6
TCP: Detection of FTP commands:
set security idp custom-attack Sig_TCP_FTP_Detection attack-type signature context ftp-command direction any
set security idp custom-attack Sig_TCP_FTP_Detection attack-type signature pattern .*NLST.*
TCP: Detection of HTTP commands:
set security idp custom-attack Sig_TCP_GET_Detection attack-type signature context http-get-url direction any
set security idp custom-attack Sig_TCP_GET_Detection attack-type signature pattern .*
set security idp custom-attack Sig_TCP_POST_Detection attack-type signature context http-post-url direction any
set security idp custom-attack Sig_TCP_POST_Detection attack-type signature pattern .*
TCP: Detection of HTTP URLs:
set security idp custom-attack Sig_TCP_Index_Detection attack-type signature context http-get-url direction any
set security idp custom-attack Sig_TCP_Index_Detection attack-type signature pattern .*index.*
TCP: Detection of SMTP states:
set security idp custom-attack Sig_TCP_SMTP_Detection attack-type signature context smtp-command-line direction any
set security idp custom-attack Sig_TCP_SMTP_Detection attack-type signature pattern .*DATA.*
UDP string detection:
set security idp custom-attack Sig_UDP_Detection attack-type signature context packet direction any
set security idp custom-attack Sig_UDP_Detection attack-type signature pattern .*payload_data.*
set security idp custom-attack Sig_UDP_Detection attack-type signature protocol-binding udp
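Two things about the string-based rules above are easy to get wrong: a pattern is matched against a protocol context (an FTP command token, an HTTP request URL, an SMTP command line, or the raw packet), not against every byte on the wire, and a protocol-binding restricts a packet-context signature to one transport. To make both concrete, the following Python script is an added example, not code from this page or from Juniper. It applies the page's own signature names and patterns to constructed sample payloads using simplified context extractors; the extractors, the sample traffic, and the treatment of each pattern as anchored (which is why the page's patterns carry `.*` at both ends) are assumptions of the example, not a description of how the device's decoders behave.

```python
import re

# Signatures from the page: name -> (context, pattern, protocol binding or None)
SIGNATURES = {
    "Sig_ICMPv4_Detection":    ("packet",            r".*test_string.*",  "icmp"),
    "Sig_UDP_Detection":       ("packet",            r".*payload_data.*", "udp"),
    "Sig_TCP_FTP_Detection":   ("ftp-command",       r".*NLST.*",         None),
    "Sig_TCP_GET_Detection":   ("http-get-url",      r".*",               None),
    "Sig_TCP_POST_Detection":  ("http-post-url",     r".*",               None),
    "Sig_TCP_Index_Detection": ("http-get-url",      r".*index.*",        None),
    "Sig_TCP_SMTP_Detection":  ("smtp-command-line", r".*DATA.*",         None),
}


def extract_contexts(service, payload: bytes) -> dict:
    """Map context names to the strings a decoder would hand the matcher.
    These extractors are a simplified stand-in (assumption) for the device's
    protocol decoders; 'service' is the decoded application, or None."""
    text = payload.decode("latin-1")
    ctx = {"packet": [text]}                          # raw payload, any protocol
    if service == "ftp":                              # client command token per line
        ctx["ftp-command"] = [ln.split(" ", 1)[0] for ln in text.splitlines() if ln]
    elif service == "http":                           # URL from the request line
        m = re.match(r"(GET|POST) (\S+) HTTP/", text)
        if m:
            ctx["http-get-url" if m.group(1) == "GET" else "http-post-url"] = [m.group(2)]
    elif service == "smtp":                           # client lines (server replies start with 3 digits)
        ctx["smtp-command-line"] = [ln for ln in text.splitlines() if ln and not ln[:3].isdigit()]
    return ctx


def evaluate(proto: str, service, payload: bytes) -> list:
    """Names of signatures that fire on one payload: the pattern is applied only
    to its context, and a protocol-binding must match the transport (proto)."""
    ctx = extract_contexts(service, payload)
    hits = []
    for name, (context, pattern, binding) in SIGNATURES.items():
        if binding is not None and binding != proto:
            continue
        rx = re.compile(pattern, re.DOTALL)           # patterns treated as anchored (assumption)
        if any(rx.fullmatch(s) for s in ctx.get(context, [])):
            hits.append(name)
    return hits


# Constructed sample traffic (proto, decoded service, payload); not captured data
TRAFFIC = [
    ("icmp", None,       b"\x08\x00\x00\x00\x00\x01\x00\x01test_string"),
    ("udp",  None,       b"test_string inside a UDP datagram"),
    ("udp",  None,       b"xx payload_data xx"),
    ("tcp",  "ftp",      b"USER anonymous\r\nNLST /pub\r\n"),
    ("tcp",  "ftp-data", b"NLST appears in file content, not as a command"),
    ("tcp",  "http",     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("tcp",  "http",     b"POST /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("tcp",  "smtp",     b"MAIL FROM:<a@example.test>\r\nRCPT TO:<b@example.test>\r\nDATA\r\n"),
]


def run_all() -> list:
    """Signature hits for each sample, in TRAFFIC order."""
    return [evaluate(proto, service, payload) for proto, service, payload in TRAFFIC]


if __name__ == "__main__":
    for (proto, service, payload), hits in zip(TRAFFIC, run_all()):
        print(f"{proto:4} {str(service):8} {payload[:20]!r:28} -> {hits}")
```

The second UDP sample contains `test_string` but fires nothing, because Sig_ICMPv4_Detection is bound to ICMP; the ftp-data sample contains `NLST` but fires nothing, because the ftp-command context only exists on the control channel. That is the behaviour to expect from the device as well: a pattern is only as broad as the context it is attached to.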
- Configure the throughput allowed for traffic that matches an attack by defining a firewall policer:
set firewall policer <policer-name> if-exceeding bandwidth-limit <bandwidth-limit>
For example:
set firewall policer p1 if-exceeding bandwidth-limit 121120
The bandwidth limit is in bits per second. A policer has no effect until it is given an action (for example, then discard) and is referenced from a firewall filter term.
For more information about how to configure firewall filters, see Firewall Filters Overview.
For more information about how to schedule security policies and configure policers to control traffic rates, see Scheduling Security Policies and Configuring Policers to Control Traffic Rates (CLI Procedure).