Create IPS Signature Dynamic Groups

The signature database in Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) signature dynamic groups that you can use. Users with the tenant administrator role or a custom role with appropriate IPS tasks can also create customized IPS signature dynamic groups (based on a specified filter criteria) from the Create IPS Signature Dynamic Group page.

The filter criteria that you specify are matched only to predefined or customized IPS signatures, and not to IPS static groups dynamic groups. When a new signature database is used, the dynamic group membership is automatically updated based on the filter criteria for that group.

To create a customized IPS signature dynamic group:

Select Configuration > IPS > IPS Signatures.
The IPS Signatures page appears.
Select Create > Dynamic Group.
The Create IPS Signature Static Group page appears.
Complete the configuration according to the guidelines in Table 1.
Note:
Fields marked with an asterisk (*) are mandatory.
(Optional) Click Preview Filtered Signatures to check if the signatures that match the dynamic group are consistent with the filter criteria that you specified.
The IPS Signatures page appears displaying the list of IPS signatures matching the filters. If the signatures do not match, you can tweak the filter criteria as needed. Click Close to go back to the previous page.
Click OK.
You are returned to the IPS Signatures page and a message indicating that the dynamic group was successfully created is displayed.

After you create an IPS signature dynamic group, you can use the dynamic group in an IPS or an exempt rule and reference the IPS profile (containing the rule) in a firewall policy that you can then deploy on the device.

Table 1: Create IPS Signature Dynamic Group Settings
Setting	Guideline
Name	Enter a unique name for the IPS signature dynamic group that is a string of alphanumeric characters, colons, periods, hyphens, and underscores. No spaces are allowed and the maximum length is 255 characters.
Filter Criteria	You select one or more filters to define the attributes of IPS signatures that will be added to the IPS signature dynamic group that you are creating. Filters apply to existing signatures (already downloaded in CSO) and to new signatures when they are downloaded. IPS signatures that match any of the filters that you configure are included as part of the signature group.
Severity
Info	Select the Enable check box to include IPS signatures with the severity level Info.
Warning	Select the Enable check box to include IPS signatures with the severity level Warning.
Minor	Select the Enable check box to include IPS signatures with the severity level Minor.
Major	Select the Enable check box to include IPS signatures with the severity level Major.
Critical	Select the Enable check box to include IPS signatures with the severity level Critical.
Service
Service	Specify the services that you want to use to filter for IPS signatures that should be included as part of the dynamic group. Select one or more services listed in the Available column and click the forward arrow to confirm your selection. The selected services are displayed in the Selected column.
Category
Category	Specify the categories that you want to use to filter for IPS signatures that should be included as part of the dynamic group. Select one or more categories listed in the Available column and click the forward arrow to confirm your selection. The selected categories are displayed in the Selected column.
Recommended
Recommended	This filter is based on attack objects recommended by Juniper Networks. Select one of the following: None—Don’t use this filter. Yes—Add predefined attacks recommended by Juniper Networks to the dynamic group. No—Add predefined attacks that are not recommended by Juniper Networks to the dynamic group.
Direction	You use this filter to add IPS signatures to the dynamic group based on the traffic direction of the attacks. If you specify more than one traffic direction (Any, Client-to-Server, and Server-to-Client), you must select a value in the Expression field.
Any	Select one of the following: None (default): Do not use this filter. Yes: Include IPS signatures that track traffic from client to server or server to client. No: Do not include IPS signatures that track traffic from client to server or server to client.
Client-to-Server	Select one of the following: None (default): Do not use this filter. Yes: Include IPS signatures that track traffic from client to server. No: Do not include IPS signatures that track traffic from client to server.
Server-to-Client	Select one of the following:. None (default): Do not use this filter Yes: Include IPS signatures that track traffic from server to client. No: Do not include IPS signatures that track traffic from server to client.
Expression	If you specified more than one direction filter, you must specify how the signatures should be matched: OR—Include signatures that match any of the specified traffic directions. AND—Include signatures that match all of the specified traffic directions.
Performance Impact
Unknown	Select the Enable check box to include IPS signatures with the performance impact Unknown.
Low	Select the Enable check box to include IPS signatures with the performance impact Low.
Medium	Select the Enable check box to include IPS signatures with the performance impact Medium.
High	Select the Enable check box to include IPS signatures with the performance impact High.
False Positives
Unknown	Select the Enable check box to include IPS signatures with the match assurance Unknown.
Low	Select the Enable check box to include IPS signatures with the match assurance Low.
Medium	Select the Enable check box to include IPS signatures with the match assurance Medium.
High	Select the Enable check box to include IPS signatures with the match assurance High.
Age of Attack
Age of Attack	Enter the age of the attack (in years) to be used as a filter criteria to include IPS signatures as part of the dynamic group. Range: 1 through 100.
Expression	Select whether the IPS signatures should be filtered based on whether the age of attack in the signature is greater than (default) or less than the value that you specified.
CVSS Score
CVSS Score	Specify the Common Vulnerability Scoring System (CVSS) to be used as a filter criteria to include IPS signatures as part of the dynamic group. Range: Decimal number between 0 and 10.
Expression	Select whether the IPS signatures should be filtered based on whether the CVSS score of the attack is greater than (default) or less than the value that you specified.
Other Filters
Excluded	Select one of the following:. None (default): Do not use this filter Yes: Include excluded attack objects as part of the dynamic group. No: Do not include excluded attack objects as part of the dynamic group.
File Type	Select the file type of the attack to be used as a filter criteria; for example, flash.
Vulnerability Type	Select the vulnerability type of the attack to be used as a filter criteria; for example, overflow.
Object Type	Specify this filter to group attack objects by type (anomaly or signature).
Signature	Select the Enable check box to add signatures based on stateful signature attack objects specified in the signature. A stateful attack signature is a pattern that always exists within a specific section of the attack. Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs.
Protocol Anomaly	Select the Enable check box to add signatures of attacks that violate protocol specifications (RFCs and common RFC extensions).
Vendor Description
Product Type	Specify this filter to include signatures belonging to the selected product type.
Vendor Name	Specify this filter to include signatures belonging to the selected vendor.
Title	Specify this filter to include signatures belonging to the selected product name. The product names are populated only when you select a product type and a vendor.

Create IPS Signature Dynamic Groups

Related Documentation