Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual page 107

Configuring intrusion detection and prevention devices guide

Table 49: IDP Device Configuration: Run-Time Parameters (continued)

Intrusion Detection

Setting: Buffer Overflow emulator
Description: Turns on buffer overflow emulation.

Setting: Attack matches per packet when Signature Hierarchy (0 to disable) take effect
Description: Sets the threshold for activating Signature Hierarchy calculations.

A common attack can be composed of several known vulnerabilities. Each vulnerability has an attack object, and each would generate a separate log entry if the signature hierarchy feature were disabled. For example, for a policy with critical, high, medium, low, and info attacks and logging enabled, a single detection of the HTTP:IIS:COMMAND-EXEC attack generates the following logs:

HTTP:IIS:COMMAND-EXEC [wininnt/system32/cmd.exe] (medium)
HTTP:WIN-CMD:WIN-CMD-EXE [cmd.exe] (medium)
HTTP:REQERR:REQ-MALFORMED-URL [anomaly for %xx] (medium)
HTTP:DIR:TRAVERSE-DIRECTORY (anomaly for ../) (medium)
HTTP:REQERR:REQ-LONG-UTF8CODE (anomaly for oe) (medium)
TCP:AUDIT:BAD-SYN-NONSYN (info)
HTTP:AUDIT:URL (info)
TCP:AUDIT:BAD-SYN-NONSYN (info)

If the number of attacks in a packet exceeds the set value, IDP examines its signature hierarchy to see whether some attacks are actually part of a larger attack. If so, only the parent attack is displayed in the logs. In this example, if the value were set to 9 or lower, only a log for HTTP:IIS:COMMAND-EXEC would be generated.

An attack in the signature hierarchy may have multiple parents or multiple children. If a child attack is part of two discovered parents, IDP takes action based on the parent with the highest severity.

Specify 0 to disable.

Copyright © 2010, Juniper Networks, Inc.
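The collapsing rule described for this setting can be modelled in a few lines. The following Python is an added example written for this page, not Juniper's IDP code: the parent/child hierarchy is constructed from the eight log lines above (every other line is treated as a child of HTTP:IIS:COMMAND-EXEC), the second parent CONSTRUCTED:PARENT-B is a placeholder name used only to show the multiple-parent rule, and the threshold semantics follow the text (0 disables, collapsing runs only when the match count exceeds the value).

```python
"""Toy model of IDP signature-hierarchy log collapsing (added example).
The hierarchy data below is constructed for illustration and is not
Juniper's actual signature hierarchy."""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed hierarchy: parent attack -> set of child attacks.
# CONSTRUCTED:PARENT-B is a placeholder second parent that shares one child.
HIERARCHY = {
    "HTTP:IIS:COMMAND-EXEC": {
        "HTTP:WIN-CMD:WIN-CMD-EXE",
        "HTTP:REQERR:REQ-MALFORMED-URL",
        "HTTP:DIR:TRAVERSE-DIRECTORY",
        "HTTP:REQERR:REQ-LONG-UTF8CODE",
        "TCP:AUDIT:BAD-SYN-NONSYN",
        "HTTP:AUDIT:URL",
    },
    "CONSTRUCTED:PARENT-B": {"HTTP:DIR:TRAVERSE-DIRECTORY"},
}

# Constructed matches for one packet: (attack object, severity), mirroring
# the eight log lines shown in the table.
PACKET_MATCHES = [
    ("HTTP:IIS:COMMAND-EXEC", "medium"),
    ("HTTP:WIN-CMD:WIN-CMD-EXE", "medium"),
    ("HTTP:REQERR:REQ-MALFORMED-URL", "medium"),
    ("HTTP:DIR:TRAVERSE-DIRECTORY", "medium"),
    ("HTTP:REQERR:REQ-LONG-UTF8CODE", "medium"),
    ("TCP:AUDIT:BAD-SYN-NONSYN", "info"),
    ("HTTP:AUDIT:URL", "info"),
    ("TCP:AUDIT:BAD-SYN-NONSYN", "info"),
]


def discovered_parents(attack, matched, hierarchy):
    """Parents of `attack` that were themselves matched in the same packet."""
    return [p for p, kids in hierarchy.items() if attack in kids and p in matched]


def governing_parent(attack, matched, hierarchy):
    """The discovered parent with the highest severity (ties: first declared)."""
    parents = discovered_parents(attack, matched, hierarchy)
    if not parents:
        return None
    return max(parents, key=lambda p: SEVERITY_RANK[matched[p]])


def collapse_logs(matches, hierarchy, threshold):
    """Return (log_entries, suppressed) for one packet.

    threshold == 0 disables the feature; otherwise collapsing runs only when
    the number of matches exceeds the threshold. A match with at least one
    discovered parent is suppressed and attributed to its governing parent.
    """
    if threshold == 0 or len(matches) <= threshold:
        return list(matches), {}
    matched = {name: sev for name, sev in matches}
    kept, suppressed = [], {}
    for name, sev in matches:
        parent = governing_parent(name, matched, hierarchy)
        if parent is None:
            kept.append((name, sev))  # top of its discovered chain: log it
        else:
            suppressed[name] = parent  # represented by its parent's log line
    return kept, suppressed


if __name__ == "__main__":
    for threshold in (0, 5):
        kept, suppressed = collapse_logs(PACKET_MATCHES, HIERARCHY, threshold)
        print(f"threshold={threshold}: {len(kept)} log line(s)")
        for name, sev in kept:
            print(f"  {name} ({sev})")
```

With the threshold at 0 all eight lines are logged; at 5 the eight matches exceed the threshold and only HTTP:IIS:COMMAND-EXEC remains. Appending a match for the placeholder CONSTRUCTED:PARENT-B (high) shows the multiple-parent rule: HTTP:DIR:TRAVERSE-DIRECTORY is then attributed to PARENT-B rather than to the medium-severity COMMAND-EXEC.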
Chapter 8: Configuring Intrusion Detection and Prevention Device Settings
91
