Configuring Attack Detection Properties - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Copyright © 2010, Juniper Networks, Inc.
Table 35: Supported Services for Service Bindings (continued)
Service    Description
YMSG       Yahoo! Messenger
Configuring Time Binding
Use Time Binding to configure the time attributes for the custom attack object. Time
attributes control how the attack object identifies attacks that repeat a certain number
of times. By configuring the scope and count of an attack, you can detect a sequence of
the same attacks over a period of time (one minute) across sessions.
After you enable Time Binding, configure the following time attributes:
- Scope—Select the scope within which the count occurs:
    - Source. Select this option to detect attacks from the source IP address for the
      specified number of times, regardless of the destination IP address.
    - Destination. Select this option to detect attacks to the destination IP address for
      the specified number of times, regardless of the source IP address.
    - Peer. Select this option to detect attacks between source and destination IP
      addresses of the sessions for the specified number of times.
- Count—Enter the number of times that the attack object must detect an attack within
  the specified Scope before the device considers the attack object to match the attack.
  For example, the TCP Protocol Anomaly "Segment Out of Window" is harmless and
  is occasionally seen on networks. Thousands of these anomalies between given peers,
  however, are suspicious.
  If you bind the attack object to multiple ports (see "Configuring Attack Detection
  Properties" on page 349) and the attack object detects that attack on different ports,
  each attack on each port is counted as a separate occurrence. For example, when the
  attack object detects that attack on TCP/80 and then on TCP/8080, the count is two.
After you finish entering the general attack properties for the attack type, click Next to
configure the attack detection properties.
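
The following Python sketch models how Scope and Count group detections under Time Binding; it is an added illustration, not Juniper code or the device's implementation. The sliding 60-second window, the counter reset after a match, the function names, and the sample events (documentation-range addresses) are assumptions made for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # the guide gives a one-minute period; a sliding window is assumed

def scope_key(scope, src, dst):
    """Return the grouping key for a detection under the given Scope setting."""
    if scope == "source":
        return ("src", src)          # per source IP, any destination
    if scope == "destination":
        return ("dst", dst)          # per destination IP, any source
    if scope == "peer":
        return ("peer", src, dst)    # per source/destination pair
    raise ValueError(f"unknown scope: {scope!r}")

def time_binding_matches(events, scope, count):
    """Return [(timestamp, key)] for each time a key reaches `count` in the window.

    events: (timestamp_seconds, src_ip, dst_ip, dst_port) tuples sorted by time.
    The port is not part of the key, so the same attack seen on TCP/80 and on
    TCP/8080 contributes two occurrences, as the guide describes.
    """
    recent = defaultdict(deque)
    matches = []
    for ts, src, dst, _port in events:
        key = scope_key(scope, src, dst)
        window = recent[key]
        window.append(ts)
        # Drop detections that are a full window older than the current one.
        while ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= count:
            matches.append((ts, key))
            window.clear()           # assumption: counting restarts after a match
    return matches

# Constructed sample detections of one attack object (not real traffic).
EVENTS = [
    (0,  "192.0.2.10", "198.51.100.5", 80),
    (5,  "192.0.2.10", "198.51.100.5", 8080),  # same peers, second port
    (10, "192.0.2.10", "198.51.100.6", 80),
    (20, "192.0.2.11", "198.51.100.5", 80),
    (90, "192.0.2.10", "198.51.100.5", 80),    # more than a minute after the first two
]

if __name__ == "__main__":
    for scope in ("source", "destination", "peer"):
        print(scope, time_binding_matches(EVENTS, scope, 3))
```

With a Count of 3, the same five detections match under Source and Destination scope but not under Peer scope, which shows why the scope choice has to follow the behavior you want to flag.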

Configuring Attack Detection Properties

In the Attack Pattern screen, you can define the signature pattern of the attack, the
context in which the attack occurs, and the direction and flow of the attack.
Configuring Attack Pattern
The attack pattern is the signature of the attack you want to detect. A signature is a
pattern that always exists within an attack; if the attack is present, so is the signature.
To create the attack pattern, you must first analyze the attack to detect a pattern (such
as a segment of code, a URL, or a value in a packet header), then create a syntactical
expression that represents that pattern. Table 36 on page 350 lists the
regular-expression-based syntax for matching signature patterns for DI and IDP.
Chapter 8: Configuring Objects
