Creating IPS Signature Dynamic Groups
Before You Begin
Read the Understanding IPS Signatures topic.
Have a basic understanding of what attacks and patterns are.
Read the Creating IPS Signatures topic. See Creating IPS Signatures.
Review the IPS signatures main page for an understanding of your current data set. See IPS Policy Signatures Main Page Fields for field descriptions.
Use the IPS Signature Dynamic Group page to configure attack objects based on matching criteria. Dynamic group members can be either predefined or custom attack objects. During a signature update, the dynamic group membership is automatically updated based on the matching criteria for that group. For example, you can dynamically group the attacks related to a specific application by using the dynamic attack group filters.
A dynamic group cannot contain another group (predefined, static, or dynamic). However, you can include a dynamic group as a member of a static group.
You use dynamic groups so that an attack database update automatically populates the group with relevant members. This eliminates the need to review each new signature to determine if you need to use it in your existing security policy.
To configure an IPS signature dynamic group:
- Select Configure > IPS Policy > Signatures.
- Click Create.
- Select Dynamic Group.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK.
A new IPS signature dynamic group with the specified configuration is created. You can use this group in IPS policies.
Settings | Guidelines
---|---
Name | Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed, and the maximum length is 63 characters.
Severity | Specify a severity filter to add attack objects based on their attack severity level. Select an option:
Service | Select one or more available services to include in the dynamic group.
Category | Select one or more available categories to include in the dynamic group.
Recommended | Specify this filter to add the Juniper Networks predefined attack objects that are marked recommended, or those that are not recommended, to the dynamic group. Select an option:
Direction | Specify this filter to add predefined attack objects to the dynamic group based on the traffic direction specified in the attack. Select an option:
Performance Impact | Specify this filter to exclude slow-performing attack objects, so that only attacks with an acceptable performance impact are selected. Select an option:
False Positives | Specify this filter to select attack objects based on how frequently the attack produces false positives on your network. Select an option:
Object Type | Specify this filter to group attack objects by type (anomaly or signature). Select an option:
Vendor Description | Specify this filter to add attack objects based on the application that is vulnerable to the attack.
CVSS-Score | Specify the Common Vulnerability Scoring System (CVSS) score to be used as a filter criterion for including IPS signatures in the dynamic group. Note: CVSS-Score is supported on devices running Junos OS Release 18.2 onward; if you try to publish an IPS policy to devices running Junos OS Release 18.1 or earlier, the publish fails. CVSS is an open framework used to rate the severity and risk of computer system security vulnerabilities. Scores range from 0 to 10, with 10 being the most severe. The CVSS assessment measures three areas of concern (metric groups); a numerical score is generated for each metric group.
Age of attack | Note: Age of attack is supported on devices running Junos OS Release 18.2 onward; if you try to publish an IPS policy to devices running Junos OS Release 18.1 or earlier, the publish fails.
File Type | Select the file type of the attack as a filter criterion; for example, PDF. Note: File Type is supported on devices running Junos OS Release 18.2 onward; if you try to publish an IPS policy to devices running Junos OS Release 18.1 or earlier, the publish fails.
Vulnerability Type | Select the vulnerability type of the attack as a filter criterion; for example, overflow. Note: Vulnerability Type is supported on devices running Junos OS Release 18.2 onward; if you try to publish an IPS policy to devices running Junos OS Release 18.1 or earlier, the publish fails. Vulnerabilities are the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. Using vulnerability type, you can perform vulnerability scanning. Vulnerability scanning is an inspection of the potential points of exploit on a network to identify security issues. A vulnerability scan detects and classifies system weaknesses in a network and predicts the effectiveness of countermeasures.