Creating A Signature Attack Object; Configuring General Attack Properties - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Creating a Signature Attack Object

Copyright © 2010, Juniper Networks, Inc.
events that need to take place before the security device identifies traffic as an attack.
For more information about creating a compound attack object, see "Configuring a
Compound Attack Object" on page 356.
If you need to detect an attack that uses several benign activities to attack your network,
or if you want to enforce a specific sequence of events to occur before the attack is
considered malicious, select this option.
Click Next to configure the attack version information for the signature attack object.
You must enter some general information about attack version and specific details about
the attack pattern, such as the protocol and context used to perpetrate the attack. When
using a packet-related context, you can also define IP settings and protocol header
matches for the attack version.
When you configure a signature attack object, you enter important information about
the protocol and context used to perpetrate the attack, when the attack is considered
malicious, the direction and flow of the attack, the signature pattern of the attack, and
the values found in the header section of the attack traffic.

Configuring General Attack Properties

In the general properties screen, you can define the false positive frequency for the attack
version, the service that the attack uses to enter your network, and the time parameters
(scope and count) that determine when a traffic abnormality is identified as an attack.
The following sections detail the attack version general properties.
Configuring False Positives
Select a false positive setting that indicates how frequently (unknown, rarely, occasionally,
frequently) the attack object produces a false positive on your network. Although you
might not have this information when you initially configure the custom attack object,
as you fine-tune your system to your network traffic you can change this setting to help
you track false positives.
Configuring Service Binding (IDP Attack Objects Only)
For IDP attack objects, select the service that the attack uses to enter your network. You
must select a service other than "Any" if you want to choose a service context for the
attack object.
NOTE: For DI attack objects, you do not select a service binding.
Any—If you are unsure of the correct service, select Any and DI attempts to match the
signature in all services. Because some attacks use multiple services to attack your
network, you might want to select the Any service binding to detect the attack regardless
of which service the attack chooses for a connection.
IP—If you are not sure of the correct service but know the IP protocol type, select IP
for the service binding. You can specify the name of the protocol type, or the protocol
type number. If you select IP as the service type, you should also specify an attack
pattern (in the Detection area) and IP settings values (in the IP area). Additionally, if
Chapter 8: Configuring Objects
345
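The rules stated in the general properties sections above (the four false positive settings, the requirement that a service context needs a service binding other than Any, and the IP binding that takes a protocol name or number and should be paired with an attack pattern and IP settings) can be captured as a small consistency check. The following is an added example written for this page; it is not Juniper or NSM code, the class and field names are assumptions, and the protocol name table is a constructed subset for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# The four false-positive frequency settings named on this page.
FALSE_POSITIVE_SETTINGS = ("unknown", "rarely", "occasionally", "frequently")

# Constructed lookup of a few IANA protocol numbers so that an IP service
# binding can be given either as a protocol name or as a number.
IP_PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}


@dataclass
class AttackVersionGeneral:
    """General properties of one attack version (field names are assumptions)."""
    false_positives: str = "unknown"
    service_binding: str = "Any"            # "Any", "IP", or a named service such as "HTTP"
    ip_protocol: Optional[str] = None       # protocol name or number; used when binding is "IP"
    service_context: Optional[str] = None   # a service-specific context, if one is wanted
    attack_pattern: Optional[str] = None    # the pattern from the Detection area
    ip_settings: dict = field(default_factory=dict)  # header values from the IP area


def resolve_ip_protocol(value: str) -> int:
    """Accept an IP protocol name or number (as a string) and return the number."""
    text = value.strip().lower()
    if text.isdigit():
        number = int(text)
        if 0 <= number <= 255:
            return number
        raise ValueError(f"IP protocol number out of range: {value}")
    if text in IP_PROTOCOL_NUMBERS:
        return IP_PROTOCOL_NUMBERS[text]
    raise ValueError(f"unknown IP protocol name: {value}")


def validate(props: AttackVersionGeneral) -> list[str]:
    """Check the properties against the rules stated on this page.

    Returns messages prefixed "error:" (the combination is not allowed) or
    "warning:" (the page says the value should also be set). An empty list
    means the properties are consistent.
    """
    messages: list[str] = []

    if props.false_positives not in FALSE_POSITIVE_SETTINGS:
        messages.append(
            f"error: false positive setting must be one of {FALSE_POSITIVE_SETTINGS}")

    # A service context can only be chosen once a service other than Any is bound.
    if props.service_context and props.service_binding == "Any":
        messages.append(
            "error: a service context requires a service binding other than Any")

    if props.service_binding == "IP":
        if props.ip_protocol is None:
            messages.append("error: IP service binding needs a protocol type name or number")
        else:
            try:
                resolve_ip_protocol(props.ip_protocol)
            except ValueError as exc:
                messages.append(f"error: {exc}")
        # With an IP binding the page says an attack pattern and IP settings
        # values should also be specified.
        if not props.attack_pattern:
            messages.append("warning: IP binding without an attack pattern in the Detection area")
        if not props.ip_settings:
            messages.append("warning: IP binding without IP settings values in the IP area")

    return messages


if __name__ == "__main__":
    # Constructed sample: an Any binding combined with a service context is rejected.
    bad = AttackVersionGeneral(service_binding="Any", service_context="http-url")
    for message in validate(bad):
        print(message)
```

Errors and warnings are kept apart because the page phrases the service-context rule as a requirement ("must") but the attack pattern and IP settings for an IP binding as a recommendation ("should"); a review script can fail on the former and only report the latter.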
