Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01 Manual page 90


Configuring Intrusion Detection and Prevention Devices Guide
Table 41: Custom Attack – Attack Patterns (continued)

Setting: Context
Description: Select the context used by the attack to enter your network.
If you know the service and the specific service context, select that service and then select the appropriate service contexts.
If you know the service, but are unsure of the specific service context, select Other and then select one of the following general contexts:
Packet–Detects the pattern at the packet level. When you select this option, you should also specify the Service Binding (in the General tab) and define the service header options (in the Header Match tab). Although not required, specifying these additional parameters helps to improve the accuracy of the attack object.
First Packet–Inspects only the first packet of a stream. When the flow direction for the Attack Object is set to any, IDP checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. If you know that the attack signature appears in the first packet of a session, choosing first packet instead of packet reduces the amount of traffic the security device needs to monitor, which improves performance.
Stream–Reassembles packets and extracts the data to search for a pattern match. However, IDP does not recognize packet boundaries for stream contexts, so data for multiple packets is combined. Select this option only when no other context option contains the attack.
Stream 256–Reassembles packets and searches for a pattern match within the first 256 bytes of a traffic stream. When the flow direction is set to any, DI checks the first 256 bytes of both the STC and CTS flows. If you know that the attack signature will appear in the first 256 bytes of a session, choosing stream 256 instead of stream reduces the amount of traffic that the security device must monitor and cache, improving performance.
Line–Detects a pattern match within a specific line within your network traffic.

Setting: Direction
Description: Select the direction in which to detect the attack:
Client to Server–Detects the attack only in client-to-server traffic.
Server to Client–Detects the attack only in server-to-client traffic.
Any–Detects the attack in either direction.

Setting: Flow
Description: Select the flow in which to detect the attack:
Control–Detects the attack in the initial connection that is established persistently to issue commands, requests, and so on.
Auxiliary–Detects the attack in the response connection established intermittently to transfer requested data.
Both–Detects the attack in the initial and response connections.
TIP: Using a single flow (instead of Both) improves performance and increases detection accuracy.
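The context choices above decide how much of a session a signature is matched against. The following is an added illustration, not Juniper code and not the IDP engine: a small Python model that applies the Packet, First Packet, Stream, Stream 256 and Line semantics from Table 41 to a constructed two-direction session, so the effect of each choice (a pattern spanning two packets, a pattern past the 256-byte mark) can be seen directly. Packet tuples, the "cts"/"stc" labels and the sample payloads are assumptions made for the example.

```python
import re

# Constructed sample session (not captured traffic): (direction, payload).
SAMPLE_FLOW = [
    ("cts", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    ("cts", b"User-Agent: eviltool/1.0\r\n\r\n"),
    ("stc", b"HTTP/1.1 200 OK\r\n" + b"A" * 250 + b"EVIL-MARKER\r\n"),
]


def context_match(flow, pattern, context, direction="any"):
    """Return True if `pattern` (a bytes regex) is found under `context`.

    Models Table 41: packet = each packet alone; first packet = only the
    first packet of each selected direction; stream = reassembled data,
    packet boundaries ignored; stream256 = first 256 reassembled bytes
    per direction; line = each line of the reassembled data on its own.
    `direction` is "cts", "stc" or "any" (the Direction setting).
    """
    rx = re.compile(pattern)
    dirs = {"cts", "stc"} if direction == "any" else {direction}
    pkts = [(d, pl) for d, pl in flow if d in dirs]

    if context == "packet":
        return any(rx.search(pl) for _, pl in pkts)
    if context == "first packet":
        firsts = [next((pl for d, pl in pkts if d == dd), b"") for dd in dirs]
        return any(rx.search(pl) for pl in firsts)

    # Stream-style contexts reassemble each direction into one byte string.
    streams = {dd: b"".join(pl for d, pl in pkts if d == dd) for dd in dirs}
    if context == "stream":
        return any(rx.search(s) for s in streams.values())
    if context == "stream256":
        return any(rx.search(s[:256]) for s in streams.values())
    if context == "line":
        return any(rx.search(line) for s in streams.values()
                   for line in s.split(b"\r\n"))
    raise ValueError(f"unknown context {context!r}")
```

A pattern that straddles the first two client packets is found only by the stream context, and the marker placed after byte 256 of the server reply is found by stream but not by stream256, which is exactly the trade-off the table describes.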
Click Next.
4. On the Custom Attack – IP Settings and Header Matches page, specify signature settings as described in Table 42 on page 75.
74 Copyright © 2010, Juniper Networks, Inc.
