Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding IPS Signatures

The intrusion prevention system (IPS) compares traffic against signatures of known threats and blocks traffic when a threat is detected. Network intrusions are attacks on, or other misuses of, network resources. To detect such activity, IPS uses signatures. A signature specifies the types of network intrusions that you want the device to detect and report. Whenever a matching traffic pattern to a signature is found, IPS triggers the alarm and blocks the traffic from reaching its destination. The signature database is one of the major components of IPS. It contains definitions of different objects, such as attack objects, application signature objects, and service objects, which are used in defining IPS policy rules.

To keep IPS policies organized and manageable, attack objects can be grouped. An attack object group can contain one or more types of attack objects. Junos OS supports the following three types of attack groups:

  • IPS signature—Contains objects present in the signature database.

  • Dynamic group—Contains attack objects based on certain matching criteria. During a signature update, dynamic group membership is automatically updated based on the matching criteria for that group. For example, you can dynamically group the attacks related to a specific application using dynamic attack group filters.

  • Static group—Contains a list of attacks that are specified in the attack definition.

Signature attack objects use a stateful attack signature (a pattern that always exists within a specific section of the attack) to detect known attacks. They also include:

  • The protocol or service used to perpetrate the attack and the context in which the attack occurs.

  • The properties that are specific to signature attacks—attack context, attack direction, attack pattern, and protocol-specific parameters (TCP, UDP, ICMP, or IP header fields).

Signatures can produce false positives, because certain normal network activity can be construed as malicious. For example, some network applications or operating systems send out numerous ICMP messages, which a signature-based detection system might interpret as an attempt by an attacker to map out a network segment. You can minimize false positives by editing your signature parameters (to fine-tune your signatures).

You can create, filter, modify, or delete IPS signatures on the IPS Policy Signatures page in Security Director. You can download and install the signature database to security devices. You can automate the download and install process by scheduling the download and install tasks and configuring these tasks to recur at specific time intervals. This ensures that your signature database is current.