IPS Signatures Overview

IPS compares traffic against signatures of known threats and blocks traffic when a threat is detected. Use the IPS Signatures page to monitor and prevent intrusions using the signatures. You can view, create, modify, clone, and delete IPS signatures, IPS signature static groups, and IPS signature dynamic groups. You can delete only the customized IPS signatures, static groups, and dynamic groups that are not used in the IPS or exempt rules.

To access this page, select SRX > Security Subscriptions > IPS > IPS Signature.

Field Descriptions - IPS Signatures Page

Table 1: Fields on the IPS Signatures Page

| Field | Description |
| --- | --- |
| Name | The name of the IPS signature, IPS signature static group, or IPS signature dynamic group. |
| Severity | The severity level of the attack that the signature reports. |
| Category | The category of the attack object. |
| CVE | Displays the Common Vulnerabilities and Exposures (CVE) identifier or name associated with the threat. |
| CVSS Score | The Common Vulnerability Scoring System (CVSS) score used as a filter for the dynamic group. |
| Activation Date | The date when the IPS signature was activated. |
| Type | The type of IPS signature. Types include: Static Group, Dynamic Group, Signature, Protocol Anomaly, Compound Attack. |
| Recommended | Indicates whether the attack objects are recommended by Juniper Networks (True) or not (False). |
| Action | The action taken when the monitored traffic matches the attack objects added in the IPS rules. |
| Predefined/Custom | Indicates whether the IPS signature, static group, or dynamic group was system-generated (Predefined) or created by a user (Custom). |
| CERT | Displays the computer emergency response team (CERT) advisory number associated with the threat. |
| BUG | Displays the list of bugs that are related to the signature attack. |
| False Positives | Displays the frequency with which the attack produces a false positive on your network. |
| Service | The protocol or service that the attack uses to enter your network. |
| Performance Impact | The performance impact of the IPS signature. |
| Direction | The direction of the traffic for which the attack is detected, such as client to server. |

Field Descriptions - IPS Signature Details View Page

Table 2: Fields on the IPS Signature Details View Page

| Field | Description |
| --- | --- |
| General Info | |
| Name | The name of the IPS signature. |
| Description | The description of the IPS signature. |
| URL(s) | Displays the URLs that have the details about the signature attack. For example, http://www.faqs.org/rfcs/rfc2865.html. |
| Category | The category of the attack object. See Table 1. |
| Recommended | Indicates whether the attack objects are recommended by Juniper Networks (True) or not (False). See Table 1. |
| Action | The action taken when the monitored traffic matches the attack objects added in the IPS rules. See Table 1. |
| Keywords | The keywords associated with the IPS signature. |
| Severity | The severity level of the attack that the signature reports. See Table 1. |
| BUGS | Displays the list of bugs that are related to the signature attack. See Table 1. |
| CERT | Displays the computer emergency response team (CERT) advisory number associated with the threat. See Table 1. |
| CVE | Displays the Common Vulnerabilities and Exposures (CVE) identifier or name associated with the threat. See Table 1. |
| Signature Details | |
| Binding | The protocol or service that the attack uses to enter your network. |
| Service | For service binding, displays the service the attack uses to enter your network. |
| Time Count | The number of times that IPS detects the attack in a specified time scope. |
| Match Assurance | The filter used to track attack objects based on how frequently the attack produces a false positive on your network. |
| Performance Impact | The performance impact filter used for the IPS signature. |
| Signature | Displays (in a table) the signature attack objects configured as part of the IPS signature. For each row, the following fields are displayed. No: A unique identifier for the signature attack object. Context: The attack context, which defines the location of the signature where IPS must look for the attack. Direction: The connection direction of the attack. Pattern: The signature pattern (in Juniper Networks' proprietary regular expression syntax) of the attack to be detected. Regex: The regular expression to match malicious or unwanted behavior over the network. Negated: Indicates whether the pattern must be excluded from being matched (true) or not (false). |

Field Descriptions - IPS Static Group Details Page

Table 3: Fields on the IPS Static Group Details Page

| Field | Description |
| --- | --- |
| Name | The name of the IPS signature static group. |
| Description | The description of the IPS signature static group. |
| Group Members | Displays the IPS signatures or IPS signature dynamic groups that are part of the IPS static group. See Table 1 for an explanation of the fields in the table. To view the details, select a row and click More > Detail, or mouse over a row and click the Detailed View icon. Depending on the object type, the IPS Signature Details View page or IPS Signature Dynamic Details View page opens. See Table 2 and Table 4 for an explanation of the fields on these pages. |

Field Descriptions - IPS Signature Dynamic Details View Page

Table 4: Fields on the IPS Signature Dynamic Details View Page

| Field | Description |
| --- | --- |
| Name | The name of the IPS signature dynamic group. |
| Severity | The severity filters used for the dynamic group. |
| Service | The service filters used for the dynamic group. |
| Category | The category filters used for the dynamic group. |
| Recommended | Indicates whether predefined attack objects recommended by Juniper Networks are added to the dynamic group (true) or not (false). |
| Excluded | Indicates whether predefined attack objects recommended by Juniper Networks are excluded from the dynamic group (true) or not (false). |
| Direction | The traffic direction filters used for the dynamic group. |
| Performance Impact | The performance impact filter used for the dynamic group. |
| False Positive | The false positive filter used for the dynamic group. |
| Age of Attack | The age of the attack in years used as a filter for the dynamic group. |
| CVSS Score | The Common Vulnerability Scoring System (CVSS) score used as a filter for the dynamic group. |
| File Type | The file type of the attack used as a filter for the dynamic group. |
| Vulnerability Type | The vulnerability type of the attack used as a filter for the dynamic group. |
| Object Type | The type of the object (anomaly or signature) used as a filter for the dynamic group. |
| Vendor Description | The vendor or product that the attack belongs to. |