Create IPS Signature Dynamic Group

You are here: Security Services > IPS > Signatures.

Create a dynamic attack group whose members are selected by the filters specified in the group. Attacks are added to or removed from the group automatically when a new signature database is used.

To create an IPS signatures dynamic group:

  1. Click the CUSTOM tab.
  2. Click Create > Dynamic Group in the upper-right corner of the Custom Signatures page.
    The Create Dynamic Group page appears.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel.

    You are returned to the Custom Signatures page and the dynamic group you successfully created is displayed.

Table 1: Fields on the Create Dynamic Group Page

Field

Action

Name

Name must be a string beginning with a letter or underscore and consisting of letters, numbers, dashes and underscores; 250-character maximum.

Filter Criteria

Attack prefix

Select one or more values from the list for the attack name prefix match.

Severity

Select one or more severity values from the list to add attack objects based on the attack severity levels (critical, info, major, minor, or warning).

  • Critical—The attack is a critical one.

  • Info—Provides information about the attack when it matches.

  • Major—The attack is a major one.

  • Minor—The attack is a minor one.

  • Warning—Issues a warning when the attack matches.

Service

Select one or more service values from the list to add attack objects based on the attack service. For example, BGP, FTP, and HTTP.

Category

Select one or more category values from the list to add attack objects based on the category.

Recommended

Select one of the following filters:

  • None—No action is performed.

  • Yes—Adds the predefined attacks recommended by Juniper Networks to the dynamic attack group.

  • No—Specifies the non-recommended attack objects in the dynamic attack group.

Direction

Select one or more direction values from the list:

  • Any—Monitors traffic from client to server and server to client.

  • Client to Server—Monitors traffic only from client to server (most attacks occur over client to server connections).

  • Exclude Any—Allows traffic from client to server and server to client.

  • Exclude Client to Server—Allows traffic only from server to client.

  • Exclude Server to Client—Allows traffic only from client to server.

  • Server to Client—Monitors traffic only from server to client.

Expression

Select one of the following expressions from the list:

  • None—No action is performed.

  • AND—If both the directions match, the expression matches.

  • OR—If either of the directions matches, the expression matches.

Performance

Select one or more performance values from the list:

  • Fast—Fast track performance level.

  • Normal—Normal track performance level.

  • Slow—Slow track performance level.

  • Unknown—By default, all compound attack objects are set to Unknown. As you fine-tune IPS to your network traffic, you can change this setting to help you track performance level.

False positives

Select one or more false positives values from the list:

  • Frequently—Frequently track false positive occurrences.

  • Occasionally—Occasionally track false positive occurrences.

  • Rarely—Rarely track false positive occurrences.

  • Unknown—By default, all compound attack objects are set to Unknown. As you fine-tune IPS to your network traffic, you can change this setting to help you track false positives.

Attack type

Select Anomaly or Signature attack type from the list. If you choose None, no action will be taken.

Attacks

Select Excluded or Not Excluded from the list to check the signatures that are part of the database updates. If you choose None, no action will be taken.

CVSS score

Select Greater than or Less than from the list to specify the Common Vulnerability Scoring System (CVSS) score of the attack.

CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threats.

Greater than

Set to match the CVSS score greater than the value specified.

Range: 0 through 10

Less than

Set to match the CVSS score less than the value specified.

Range: 0 through 10

Age of attack

Select Greater than or Less than from the list to specify the age of the attack.

Value

Set to match when the age of the attack, in years, is greater than or less than the specified value.

Range: 1 through 100.

File type

Select the file type from the list that the attack targets. For example, HTML and PDF.

Vulnerability type

Select the vulnerability type for IPS from the list that indicates which applications are weak and can be manipulated. The vulnerability type is reported for fixing these vulnerabilities.

Vendor

Group attacks specific to the product of a vendor.

You can add, modify, or delete a vendor.

To add a vendor to the dynamic group:

  1. Click +.

  2. Select the vendor name and product name from the list.

  3. Click the tick icon to save the vendor details.

To edit a vendor, select it and click the pencil icon.

To delete a vendor, select it and click the delete icon.
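
The filter fields in Table 1 decide which attacks belong to the group, and that membership shifts whenever the signature database changes. The following added example (not Juniper code) models this in Python over constructed attack records, so a filter can be checked against an old and a new database before it is relied on in a policy. The record layout, the attack names, ASCII-only group names, and the rule that values within one field are alternatives while separate fields must all match are assumptions of this sketch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Table 1 name rule: letter or underscore first, then letters, numbers, dashes, underscores; max 250.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]{0,249}")

@dataclass(frozen=True)
class Attack:                      # constructed record layout, not the vendor's schema
    name: str
    severity: str
    service: str
    recommended: bool
    cvss: float

@dataclass
class DynamicGroup:
    name: str
    severity: frozenset = frozenset()      # empty set = field not used as a filter
    service: frozenset = frozenset()
    recommended: str = "None"              # "None", "Yes" or "No"
    cvss_greater_than: Optional[float] = None

    def __post_init__(self):
        if not NAME_RE.fullmatch(self.name):
            raise ValueError(f"invalid group name: {self.name!r}")
    def matches(self, a):
        # Assumption: values within a field are alternatives; fields combine with AND.
        return ((not self.severity or a.severity in self.severity)
                and (not self.service or a.service in self.service)
                and (self.recommended == "None" or a.recommended == (self.recommended == "Yes"))
                and (self.cvss_greater_than is None or a.cvss > self.cvss_greater_than))
    def members(self, database):
        return {a.name for a in database if self.matches(a)}

def membership_diff(group, old_db, new_db):
    """Return (added, removed) attack names after a signature database update."""
    old, new = group.members(old_db), group.members(new_db)
    return sorted(new - old), sorted(old - new)

# Constructed sample databases; the attack names are made up for this example.
DB_V1 = [Attack("HTTP:EXAMPLE-A", "critical", "HTTP", True, 9.8),
         Attack("HTTP:EXAMPLE-B", "major", "HTTP", True, 7.5),
         Attack("FTP:EXAMPLE-C", "critical", "FTP", False, 8.1)]
DB_V2 = [Attack("HTTP:EXAMPLE-A", "critical", "HTTP", True, 9.8),
         Attack("HTTP:EXAMPLE-B", "minor", "HTTP", True, 7.5),     # severity re-rated
         Attack("HTTP:EXAMPLE-D", "critical", "HTTP", True, 9.1)]  # new signature
GROUP = DynamicGroup("web_high", severity=frozenset({"critical", "major"}),
                     service=frozenset({"HTTP"}), recommended="Yes", cvss_greater_than=7.0)
```

Calling `membership_diff(GROUP, DB_V1, DB_V2)` shows one attack joining the group and one dropping out without any change to the group's configuration, which is the behavior to review after each database update.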