Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual page 86

Configuring intrusion detection and prevention devices guide
Table 40: Custom Attack – General Properties (continued)
Property: Service Binding
Description:

Any–If you are unsure of the correct service, select Any to match the signature in all services. Because some attacks use multiple services to attack your network, you might want to select the Any service binding to detect the attack regardless of which service the attack selects for a connection.
NOTE: You must select a service binding other than Any if you want to select a context for the attack.

IP–If you are not sure of the correct service, but know the IP protocol type, select IP protocol type for the service binding.
Specify the protocol type number.
If you select this option, you should also specify an attack pattern and IP header values later in the wizard. However, if you use a context binding of first packet, you must leave the attack pattern empty.

TCP, UDP, or ICMP–Attacks that do not use a specific service might use a specific protocol to attack your network. Some TCP and UDP attacks use standard ports to enter your network and establish a connection.
For TCP and UDP protocol types, specify the port ranges.

RPC–The remote procedure call (RPC) protocol is used by distributed processing applications to handle interaction between processes remotely. When a client makes a remote procedure call to an RPC server, the server replies with a remote program; each remote program uses a different program number.
To detect attacks that use RPC, configure the service binding as RPC and specify the RPC program ID.

Service–Most attacks use a specific service to attack your network.
If you select Service, the wizard displays a second selection box where you specify the service used for the attack.
If you select this option, you are restricted to general attack contexts (packet, first packet, stream, stream 256, or line context).

Property: Time Binding
Description:

Enable–Time attributes control how the attack object identifies attacks that repeat for a certain number of times.

Scope–Select the scope within which the count occurs:
  Source–Detects attacks from the source IP address for the specified number of times, regardless of the destination IP address.
  Destination–Detects attacks to the destination IP address for the specified number of times, regardless of the source IP address.
  Peer–Detects attacks between source and destination IP addresses of the sessions for the specified number of times.

Count/Min–Enter the number of times per minute that the attack object must detect an attack within the specified scope before the device considers the attack object to match the attack.
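
The Scope and Count/Min settings described above, modeled as an added example (this is not code from the Juniper guide or from NSM): the same constructed detections are counted under each scope to show how the choice changes what matches. The event field names, the sliding 60-second window, and the counter reset after a match are assumptions; the guide does not say how the device windows the count.

```python
from collections import defaultdict, deque

# Scope names come from the table; the event field names are hypothetical.
SCOPE_KEYS = {
    "source": lambda e: e["src"],
    "destination": lambda e: e["dst"],
    "peer": lambda e: (e["src"], e["dst"]),
}

def time_binding_matches(events, scope, count_per_min, window=60.0):
    """Return (time, scope key) for each point where the count is reached."""
    key_of = SCOPE_KEYS[scope]
    recent = defaultdict(deque)   # scope key -> timestamps of recent detections
    matches = []
    for ev in sorted(events, key=lambda e: e["t"]):
        hits = recent[key_of(ev)]
        hits.append(ev["t"])
        # Assumption: a sliding 60-second window stands in for "per minute".
        while ev["t"] - hits[0] >= window:
            hits.popleft()
        if len(hits) >= count_per_min:
            matches.append((ev["t"], key_of(ev)))
            hits.clear()          # Assumption: counting restarts after a match.
    return matches

# Constructed sample detections: seconds since start, documentation addresses.
A, B, C = "198.51.100.7", "198.51.100.8", "198.51.100.9"
X, Y, Z = "192.0.2.10", "192.0.2.11", "192.0.2.12"
EVENTS = [
    {"t": 0, "src": A, "dst": X},
    {"t": 10, "src": A, "dst": Y},
    {"t": 20, "src": A, "dst": Z},
    {"t": 25, "src": B, "dst": X},
    {"t": 30, "src": C, "dst": X},
    {"t": 35, "src": A, "dst": X},
    {"t": 90, "src": A, "dst": X},
]

if __name__ == "__main__":
    for scope in SCOPE_KEYS:
        print(scope, time_binding_matches(EVENTS, scope, count_per_min=3))
```

With Count/Min set to 3, Source scope matches on the one sender that touches three hosts, Destination scope matches on the one host reached by three senders, and Peer scope matches nothing because no single source and destination pair repeats three times within a minute.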
Copyright © 2010, Juniper Networks, Inc.
