
IDP Protocol Anomaly-Based Attacks

A protocol anomaly attack object detects unknown or sophisticated attacks by flagging traffic that violates a protocol specification (the RFCs and common RFC extensions) rather than by matching a signature. The anomaly checks themselves are predefined in the IDP engine; you cannot add new ones. What you can do is create a custom attack object that selects one predefined anomaly (its test condition) and controls how the device handles that anomaly when it is detected.

The following properties are specific to protocol anomaly attacks:

  • Attack direction

  • Test condition

When configuring protocol anomaly-based attacks, keep the following in mind:

  • The service or application binding is a mandatory field for protocol anomaly attacks. Besides the supported applications, services also include IP, TCP, UDP, ICMP, and RPC.

  • The attack direction and test condition properties are mandatory fields for configuring anomaly attack definitions.

Example: Configure IDP Protocol Anomaly-Based Attacks

This example shows how to create a protocol anomaly-based attack object.

Requirements

Before you begin, configure network interfaces.

Overview

In this example, you create a protocol anomaly attack called anomaly1 and assign it the following properties:

  • Time binding—Specifies the scope as peer and the count as 2. With scope peer, matches are counted per source-and-destination IP address pair, so the attack is reported only when the same pair triggers the anomaly the specified number of times (here, twice) within the binding's time window; a single stray malformed packet does not raise the event.

  • Severity (info)—Provides information about any attack that matches the conditions.

  • Attack direction (any)—Detects the attack in both directions—client-to-server and server-to-client traffic.

  • Service (TCP)—Matches attacks using the TCP service.

  • Test condition (OPTIONS_UNSUPPORTED)—Selects one of the predefined anomaly checks. In this example, the object matches when a TCP segment carries TCP options that are not supported (that is, options the engine does not recognize as valid for the protocol).

  • Shellcode (sparc)—Sets the flag to additionally detect shellcode targeting SPARC platforms in the matching traffic.

Once you have configured the protocol anomaly-based attack object, you specify the attack as match criteria in an IDP policy rule. See Example: Defining Rules for an IDP IPS RuleBase.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create a protocol anomaly-based attack object:

  1. Specify a name for the attack.

  2. Specify common properties for the attack.

  3. Specify the attack type and test condition.

  4. Specify other properties for the anomaly attack.
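The following set-format commands are an added example that reconstructs the four steps above for the anomaly1 object described in the Overview; they are not copied from the original page. The first six lines use only the property values the Overview lists. The last two lines are an assumption added here: a minimal IPS rule, with the hypothetical names anomaly-policy and r1, that references the custom attack so the object is actually evaluated, since a custom attack that no rule references never fires.

```junos
set security idp custom-attack anomaly1 time-binding scope peer count 2
set security idp custom-attack anomaly1 severity info
set security idp custom-attack anomaly1 attack-type anomaly direction any
set security idp custom-attack anomaly1 attack-type anomaly service TCP
set security idp custom-attack anomaly1 attack-type anomaly test OPTIONS_UNSUPPORTED
set security idp custom-attack anomaly1 attack-type anomaly shellcode sparc
set security idp idp-policy anomaly-policy rulebase-ips rule r1 match attacks custom-attacks anomaly1
set security idp idp-policy anomaly-policy rulebase-ips rule r1 then action drop-packet
```

Lines 1 and 2 are step 2 (the common properties), lines 3 and 5 are step 3 (attack type anomaly with its direction and test condition), and lines 4 and 6 are step 4 (the mandatory service binding and the shellcode flag). Paste the commands at the [edit] hierarchy level and enter commit. How the assumed anomaly-policy is then put into effect (selected as the active IDP policy or attached to a security policy through its application services) depends on the Junos release, so follow the policy documentation for your release; the drop-packet action is also an assumption, and an info-severity object is often first deployed with a non-blocking action so that false positives from legitimate but unusual TCP options can be reviewed.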

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verify the Configuration

Purpose

Verify that the protocol anomaly-based attack object was created.

Action

From operational mode, enter the show security idp status command. This output confirms that the IDP engine is running and which policy is in effect; it does not list individual attack objects. To inspect the attack object definition itself, enter show security idp custom-attack anomaly1 from configuration mode and confirm that the time binding, severity, direction, service, test condition, and shellcode settings match the Overview.