Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual page 114

Configuring Intrusion Detection and Prevention Devices Guide
Table 51: IDP Device Configuration: Protocol Thresholds and Configuration Settings (continued)

Setting: HTTP
Description:
- Maximum Request length – Raises a protocol anomaly if IDP detects an HTTP request that contains more bytes than the specified maximum. The default is 8192 bytes.
- Maximum Header length – Raises a protocol anomaly if IDP detects an HTTP header that contains more bytes than the specified maximum. The default is 8192 bytes.
- Maximum Cookie length – Raises a protocol anomaly if IDP detects a cookie that contains more bytes than the specified maximum. The default is 8192 bytes.
  Cookies that exceed the cookie length setting can match the protocol anomaly HTTP-HEADER-OVERFLOW and produce unnecessary log records. If you are getting too many log records for the HTTP-HEADER-OVERFLOW protocol anomaly, increase the maximum cookie length.
- Maximum Authorization length – Raises a protocol anomaly if IDP detects an HTTP header authorization line that contains more bytes than the specified maximum. The default is 512 bytes.
  Use this setting to tune results from the Auth Overflow attack object (key is HTTP:OVERFLOW:AUTH-OVFLW).
- Maximum Content-type length – Raises a protocol anomaly if IDP detects an HTTP header content-type that contains more bytes than the specified maximum. The default is 512 bytes.
- Maximum User-agent length – Raises a protocol anomaly if IDP detects an HTTP header user-agent that contains more bytes than the specified maximum. The default is 256 bytes.
- Maximum Host length – Raises a protocol anomaly if IDP detects an HTTP header host that contains more bytes than the specified maximum. The default is 64 bytes.
- Maximum Referrer length – Raises a protocol anomaly if IDP detects an HTTP header referrer that contains more bytes than the specified maximum. The default is 8192 bytes.
- Use alternate ports as http service – If selected, the security module watches for HTTP traffic on the following ports in addition to tcp/80: 7001; 8000; 8001; 8100; 8200; 8080; 8888; 9080. This setting is enabled by default.
- Maximum number of login failures per-minute – Raises a protocol anomaly if IDP detects, between a unique pair of hosts, more login failures than the specified maximum. The default is 4 HTTP authentication failures per minute.
  This setting tunes the BRUTE_FORCE attack object.
- Maximum number of 301/403/404 or 405 errors per-minute – Raises a protocol anomaly if IDP detects, between a unique pair of hosts, more 301/403/404/405 errors than the specified maximum. The default is 16 HTTP errors per minute.

Setting: ICMP
Description:
- Maximum Packets per second to trigger a flood – Raises a protocol anomaly if IDP detects more ICMP packets than the specified maximum. The default is 250 packets per second.
- Minimum time interval (in seconds) between packets – Raises a protocol anomaly if IDP detects ICMP packets that have less than the specified minimum time interval between them. The default is 1 second.
  Use this setting to tune the Flood attack object (ICMP:EXPLOIT:FLOOD).
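
The following Python sketch is an added example, not part of the Juniper manual or of IDP itself. It sizes the per-field HTTP header values in sample requests against the Table 51 defaults and reports the largest value seen, which is the figure you need when deciding how far to raise a limit. The function names, the constructed sample requests, and the choice to count the bytes of the stripped header value are assumptions; the manual does not state exactly what IDP counts.

```python
from collections import defaultdict

# Defaults from Table 51 (bytes). Keys are lowercase HTTP header names.
DEFAULT_LIMITS = {
    "cookie": 8192,
    "authorization": 512,
    "content-type": 512,
    "user-agent": 256,
    "host": 64,
    "referer": 8192,  # the table's "Referrer" setting; the header is spelled Referer
}


def oversized_fields(raw: bytes, limits=DEFAULT_LIMITS):
    """Return [(header, value_bytes, limit)] for each header value over its limit.

    Assumption: length is the byte count of the header value with surrounding
    whitespace stripped; the manual does not say exactly what IDP counts.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]        # ignore the body
    hits = []
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue                           # not a "name: value" line
        key = name.strip().lower().decode("latin-1")
        size = len(value.strip())
        if key in limits and size > limits[key]:
            hits.append((key, size, limits[key]))
    return hits


def tuning_report(requests, limits=DEFAULT_LIMITS):
    """Per header: how many values exceed the limit and the largest one seen."""
    report = defaultdict(lambda: {"over": 0, "largest": 0})
    for raw in requests:
        for key, size, _ in oversized_fields(raw, limits):
            report[key]["over"] += 1
            report[key]["largest"] = max(report[key]["largest"], size)
    return dict(report)


# Constructed sample traffic (not captured from a real network).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET /app HTTP/1.1\r\nHost: www.example.com\r\nCookie: s=" + b"A" * 9000 + b"\r\n\r\n",
    b"GET /x HTTP/1.1\r\nhost: " + b"a" * 60 + b".example.com\r\nUser-Agent: " + b"U" * 300 + b"\r\n\r\n",
]

if __name__ == "__main__":
    for header, stats in tuning_report(SAMPLES).items():
        print(header, stats)
```

Passing a copy of `DEFAULT_LIMITS` with one value raised shows which findings a proposed setting would clear before you change it on the device.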
Copyright © 2010, Juniper Networks, Inc.
