IDP Signature-Based Attacks
To configure a custom attack object, you specify a unique name for it and then specify additional information, which can make it easier for you to locate and maintain the attack object.
Certain properties in the attack object definitions are common to all types of attacks, such as attack name, severity level, service or application binding, time binding, and protocol or port binding. Some fields are specific to an attack type and are available only for that specific attack definition.
Signature attack objects use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks. They also include the protocol or service used to perpetrate the attack and the context in which the attack occurs. The following properties are specific to signature attacks and can be configured when you define one: attack context, attack direction, attack pattern, and protocol-specific parameters (TCP, UDP, ICMP, or IP header fields).
When configuring signature-based attacks, keep the following in mind:
Attack context and direction are mandatory fields for the signature attack definition.
Pattern negation is supported for packet, line, and application-based contexts only and not for stream and normalized stream contexts.
When configuring the protocol-specific parameters, you can specify fields for only one of the following protocols—IP, TCP, UDP, or ICMP.
When configuring a protocol binding, you can specify only one of the following—IP, ICMP, TCP, UDP, RPC or applications.
IP—Protocol number is a mandatory field.
TCP and UDP—You can specify either a single port (minimum-port) or a port range (minimum-port and maximum-port). If you do not specify a port, the default value is taken (0-65535).
RPC—Program number is a mandatory field.
You can configure signature-based attacks by using Hyperscan extended parameters. By setting optimal values for the Hyperscan extended parameters, you can enhance the attack pattern matching process significantly.
To configure the extended parameters, include the optional-parameters option at the [edit security idp custom-attack attack-name attack-type signature] hierarchy level.
You can configure the following parameters under the optional-parameters option:
min-offset
max-offset
min-length
Hyperscan API
Hyperscan is a software regular expression matching engine designed to deliver high performance and flexibility. When a signature with a pattern is configured as part of an IDP policy, the pattern is treated as a regular expression. On the Routing Engine, Hyperscan takes this regular expression as input and compiles it into a database, which is pushed to the Packet Forwarding Engine. When a packet enters the Packet Forwarding Engine, the packet data is inspected against that database to determine whether it matches the regular expression.
If an IDP policy is configured with a set of signatures, deterministic finite automaton (DFA) groups are formed. The patterns of all signatures in a DFA group are passed to Hyperscan to form a single database, so that every attack in the group is checked in one pass over the packet. Because a single database is used instead of a separate database for each attack, the pattern matching process is efficient.
When a signature is configured with the extended parameters, the Hyperscan API forms the database by taking the configured parameters into consideration, and pattern matching on the Packet Forwarding Engine uses this new database. These parameters constrain the set of matches a pattern can produce at compile time, rather than relying on the application to discard unwanted matches at runtime.
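The following Python program is an added illustration, not Juniper code and not the Hyperscan library itself. It emulates how the three extended parameters prune a pattern's match set: Hyperscan reports one match event per end offset at which the pattern can match, and its documented hs_expr_ext_t fields are min_offset and max_offset (bounds on that end offset) and min_length (minimum distance from match start to match end). The assumption here, which the page does not state, is that the Junos min-offset, max-offset and min-length options are passed through to those Hyperscan fields unchanged. The sample payload and pattern are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (start, end); end is one past the last matched byte, like the 'to'
# argument of a Hyperscan match callback.
Match = Tuple[int, int]


@dataclass(frozen=True)
class ExtParams:
    """Emulation of the hs_expr_ext_t fields that Junos exposes.

    Assumption (not stated on the page): Junos passes min-offset, max-offset
    and min-length through to Hyperscan unchanged, so they keep Hyperscan's
    documented meaning: the offsets bound the END offset of a match in the
    stream, and the length is the distance from match start to match end.
    """
    min_offset: Optional[int] = None
    max_offset: Optional[int] = None
    min_length: Optional[int] = None

    def allows(self, start: int, end: int) -> bool:
        if self.min_offset is not None and end < self.min_offset:
            return False
        if self.max_offset is not None and end > self.max_offset:
            return False
        if self.min_length is not None and end - start < self.min_length:
            return False
        return True


def all_matches(pattern: bytes, data: bytes) -> List[Match]:
    """Every match Hyperscan would report with HS_FLAG_SOM_LEFTMOST and no
    extended parameters: one event per end offset at which the pattern can
    match, carrying the leftmost start for that end offset. This differs from
    re.finditer, which reports one non-overlapping match per region."""
    rx = re.compile(pattern)
    found: List[Match] = []
    for end in range(1, len(data) + 1):
        for start in range(0, end):
            if rx.fullmatch(data, start, end):
                found.append((start, end))
                break  # leftmost start only
    return found


def scan(pattern: bytes, data: bytes, ext: ExtParams = ExtParams()) -> List[Match]:
    """Matches that survive the extended parameters. In the real engine the
    rejected ones never reach the match callback, because the constraints are
    compiled into the database; here a post-filter stands in for that."""
    return [m for m in all_matches(pattern, data) if ext.allows(*m)]


# Constructed sample: two runs of 'A' (4 bytes at offset 2, 8 bytes at
# offset 8) standing in for a sled-like byte run inside a larger payload.
SAMPLE = b"ab" + b"A" * 4 + b"cd" + b"A" * 8 + b"ef"
PATTERN = rb"A+"


def demo() -> dict:
    """Number of match events for the same pattern under different parameters."""
    return {
        "unconstrained": len(scan(PATTERN, SAMPLE)),
        "min_length_6": len(scan(PATTERN, SAMPLE, ExtParams(min_length=6))),
        "max_offset_8": len(scan(PATTERN, SAMPLE, ExtParams(max_offset=8))),
        "min_offset_10": len(scan(PATTERN, SAMPLE, ExtParams(min_offset=10))),
        "min_offset_10_min_length_6": len(
            scan(PATTERN, SAMPLE, ExtParams(min_offset=10, min_length=6))
        ),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:28s} {count:3d} match events")
```

The unconstrained pattern fires 12 times on an 18-byte payload (once per end offset inside each run of A bytes); min_length=6 cuts that to the three events from the longer run, and max_offset=8 keeps only the four events from the first run. That reduction is what "constrained at compile time" buys: fewer callbacks on the Packet Forwarding Engine, and no need for per-match filtering logic after the fact.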
Example: Configure IDP Signature-Based Attacks
This example shows how to create a signature-based attack object.
Requirements
Before you begin, configure network interfaces.
Overview
In this example, you create a signature attack called sig1 and assign the following properties to it.
Recommended action (drop packet)—Drops a matching packet before it can reach its destination but does not close the connection.
Time binding—Specifies the scope as source and the count as 10. When the scope is source, all attacks from the same source are counted, and when the number of attacks reaches the specified count (10), the attack is logged. In this example, every tenth attack from the same source is logged.
Attack context (packet)—Matches the attack pattern within a packet.
Attack direction (any)—Detects the attack in both directions—client-to-server and server-to-client traffic.
Protocol (IP)—Specifies an IP header match: the TTL field must equal 128. A packet must satisfy this header condition in addition to the signature for the attack to match.
Shellcode (Intel)—Sets the flag to detect shellcode for Intel platforms.
Protocol binding—Specifies the TCP protocol and ports 50 through 100.
Once you have configured a signature-based attack object, you specify the attack as match criteria in an IDP policy rule. See Example: Defining Rules for an IDP IPS RuleBase.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp custom-attack sig1 severity major
set security idp custom-attack sig1 recommended-action drop-packet
set security idp custom-attack sig1 time-binding scope source count 10
set security idp custom-attack sig1 attack-type signature context packet
set security idp custom-attack sig1 attack-type signature shellcode intel
set security idp custom-attack sig1 attack-type signature protocol ip ttl value 128 match equal
set security idp custom-attack sig1 attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
set security idp custom-attack sig1 attack-type signature direction any
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create a signature-based attack object:
Specify a name for the attack.
[edit]
user@host# edit security idp custom-attack sig1
Specify common properties for the attack.
[edit security idp custom-attack sig1]
user@host# set severity major
user@host# set recommended-action drop-packet
user@host# set time-binding scope source count 10
Specify the attack type and context.
[edit security idp custom-attack sig1]
user@host# set attack-type signature context packet
Specify the shellcode flag.
[edit security idp custom-attack sig1]
user@host# set attack-type signature shellcode intel
Set the protocol and its header fields.
[edit security idp custom-attack sig1]
user@host# set attack-type signature protocol ip ttl value 128 match equal
Specify the protocol binding and ports.
[edit security idp custom-attack sig1]
user@host# set attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100
Specify the attack direction.
[edit security idp custom-attack sig1]
user@host# set attack-type signature direction any
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
custom-attack sig1 {
    recommended-action drop-packet;
    severity major;
    time-binding {
        count 10;
        scope source;
    }
    attack-type {
        signature {
            protocol-binding {
                tcp {
                    minimum-port 50 maximum-port 100;
                }
            }
            context packet;
            direction any;
            shellcode intel;
            protocol {
                ip {
                    ttl {
                        match equal;
                        value 128;
                    }
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.