IDP Protocol Decoders
Protocol decoders are used by Intrusion Detection and Prevention (IDP) to check protocol integrity and protocol contextual information by looking for anomalies and ensuring that RFC standards are met. An anomaly can be any part of a protocol, such as the header, message body, or other individual fields that deviate from RFC standards for that protocol. For example, in the case of SMTP, if SMTP MAIL TO precedes SMTP HELO, that is an anomaly in the SMTP protocol.
When protocol contextual information is available, protocol decoders check for attacks within those contexts. For example, for SMTP, if an e-mail is sent to user@company.com, user@company.com is the contextual information and SMTP MAIL TO is the context. By using protocol contextual data, rather than the entire packet, for attack detection, protocol decoders improve overall performance and accuracy.
If there is a policy configured with a rule that matches the protocol decoder check for SMTP, the rule triggers and the appropriate action is taken.
The IDP module ships with a preconfigured set of protocol decoders. These protocol decoders have default settings for various protocol-specific contextual checks they perform. You can use these defaults or you can tune them to meet your site’s specific needs. To display the list of available protocol decoders, enter the following command:
user@host # show security idp sensor-configuration detector protocol-name ?
For a more detailed view of the current set of protocol decoders and their default context values, you can view thedetector-capabilities.xml file located in the /ar/db/idpd/sec-download folder on the device. When you download a new security package, you also receive this file which lists current protocols and default decoder context values.
Example: Configure IDP Protocol Decoders
This example shows how to configure IDP protocol decoder tunables.
Requirements
Before you begin, review the IDP protocol decoders feature. See IDP Protocol Decoders.
Overview
The Junos IDP module ships with a set of preconfigured protocol decoders. These protocol decoders have default settings for various protocol-specific contextual checks that they perform. You can use the default settings or tune them to meet your site's specific needs. This example shows you how to tune the protocol decoder for FTP.
Configuration
Procedure
Step-by-Step Procedure
To configure IDP protocol decoder tunables:
View the list of protocols that have tunable parameters.
[edit] user@host# edit security idp sensor-configuration detector protocol-name FTP
Configure tunable parameters for the FTP protocol.
[edit security idp sensor-configuration-detector protocol-name FTP] user@host# set tunable-name sc_ftp_failed_logins tunable-value 4 user@host# set tunable-name sc_ftp_failed_flags tunable value 1 user@host# set tunable-name sc_ftp_line_length tunable-value 1024 user@host# set tunable-name sc_ftp_password_length tunable-value 64 user@host# set tunable-name sc_ftp_sitestring_length tunable-value 512 user@host# set tunable-name sc_ftp_username_length tunable-value 32
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify the configuration is working properly,
enter the show security idp status command.
Multiple IDP Detector Support
When a new security package is received, it contains attack definitions and a detector. In any given version of a security package, the attack definitions correspond to the capabilities of the included detector. When policy aging is disabled on the device (see the reset-on-policy statement for policy aging commands), only one policy is in effect at any given time. But if policy aging is enabled and there is a policy update, the existing policy is not unloaded when the new policy is loaded. Therefore, both policies can be in effect on the device. In this case, all existing sessions will continue to be inspected by existing policies and new sessions are inspected with new policies. Once all the existing sessions using the older policy have terminated or expired, the older policy is then unloaded.
When a policy is loaded, it is also associated with a detector. If the new policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.
Note that a maximum of two detectors can be loaded at any given time. If two detectors are already loaded (by two or more policies), and loading a new policy requires also loading a new detector, then at least one of the loaded detectors must be unloaded before the new detector can be loaded. Before a detector is unloaded, all policies that use the corresponding detector are unloaded as well.
You can view the current policy and corresponding detector version by entering the following command:
user@host> show security idp status
When a new IDP policy is loaded, the existing sessions are inspected using the newly loaded policy and the existing sessions not ignored for IDP processing. The IDP inspection continues for context-based attacks created by the detector after a new IDP policy is loaded, with an exception that the new policy that is loaded with the new detector.
Content Decompression
In application protocols like HTTP, the content could be compressed and then transmitted over the network. The patterns will not match the compressed content, because the signature patterns are written to match the unencoded traffic data. In this case IDP detection is evaded. To avoid IDP detection evasion on the HTTP compressed content, an IDP submodule has been added that decompresses the protocol content. The signature pattern matching is done on the decompressed content.
To display the status of all IPS counter values, enter the following command:
user@host> show security idp counters ips
Some attacks are introduced through compressed content. When the content is decompressed, it can
inflate to a very large size taking up valuable system resources resulting in DoS. This
type of attack can be recognized by the ratio of decompressed data size to compressed
data size. The content-decompress-ratio-over-limit counter identifies the number of
incidents where this ratio has been exceeded. The default ratio is considered consistent
with a typical environment. In some cases, however, this ratio might need to be adjusted
by resetting the content-decompress-ratio-over-limit value. Keep in
mind, however, that a higher ratio lessens the chance of detecting this type of attack.
The content-decompress-memory-over-limit counter identifies
the number of incidents where the amount of decompressed data exceeded
the allocated memory. The default memory allocation provides 33 KB
per session for an average number of sessions requiring decompression
at the same time. To determine if this value is consistent with your
environment, analyze values from decompression-related counters and
the total number of IDP sessions traversing the device, and estimate
the number of sessions requiring decompression at the same time. Assuming
that each of these sessions requires 33 KB of memory for decompression,
compare your estimated needs to the default value. If necessary, you
can adjust the memory allocation by resetting the content-decompression-max-memory-kb value. Note that because content decompression requires a significant
allocation of memory, system performance will be impacted by increasing
the maximum memory allocation for decompression.
Example: Configure IDP Content Decompression
This example shows how to configure IDP content decompression.
Requirements
Before you begin, review the IDP content decompression feature. See Content Decompression
Overview
The decompression feature is disabled by default. In this example, you enable the detector, configure the maximum memory to 50,000 kilobytes, and configure a maximum decompression ratio of 16:1.
Decompression reduces device performance.
Configuration
Procedure
Step-by-Step Procedure
To configure IDP content decompression:
Enable the detector.
[edit] user@host# set security idp sensor‑configuration detector protocol‑name HTTP tunable‑name sc_http_compress_inflating tunable‑value 1
To disable the detector, set the
tunable‑valueto 0.If necessary, modify the maximum memory in kilobytes.
[edit security idp] user@host# set sensor-configuration ips content-decompression-max-memory-kb 50000
If necessary, configure the maximum decompression ratio.
[edit security idp] user@host# set sensor-configuration ips content-decompression-max-ratio 16
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify the configuration is working properly,
enter the show security idp status ips command. The content-decompress
counters provide statistics on decompression processing.