Example: Traffic Anomalies Rule; Session Limiting; Example: Session Limiting; Adding The Traffic Anomalies Rulebase - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide


Example: Traffic Anomalies Rule

You want to create a Traffic Anomalies rule that looks for network scans and ICMP sweeps on your internal network. You set the IP Count to 50 and the Time to 120 seconds for ICMP sweeps and network scans. The rule is matched if:

- The same Source IP attempts to scan 50 IP addresses on your internal network within 120 seconds
- The same Source IP attempts to ping 50 IP addresses on your internal network within 120 seconds

Session Limiting

You can set a session limit threshold that defines the maximum number of sessions allowed from a single host within a second. For each source IP specified in the rule, the Sensor tracks the sessions per second; if the session rate exceeds the user-defined maximum, the Sensor generates a SCAN_SESSION_RATE_EXCEEDED event log record, which appears in the Log Viewer. To take action when this event is triggered, configure an IP action in the rule.

Example: Session Limiting

Your internal network typically carries a low volume of traffic. To detect a sudden increase in traffic from a specific host (which might indicate a worm), set the source IP to your Internal Network and configure the session count as 200 sessions/sec. To block traffic that exceeds the session limit, set an IP action of IDP Block and choose Source, Protocol from the Blocking Options menu.
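To make the two thresholds above concrete (the IP Count within a Time window from the Traffic Anomalies example, and the per-second session limit from this example), the following is an added Python example, not code from the Juniper manual or from NSM/IDP itself. It runs equivalent detection logic over constructed connection records; the host addresses, the alert tuple shapes and the one-alert-per-sweep reset are assumptions of this example.

```python
from collections import defaultdict, deque

# Records are (timestamp_seconds, src_ip, dst_ip); constructed below, not from the manual.

def detect_ip_sweeps(records, ip_count=50, window=120):
    """Flag a source that reaches `ip_count` distinct destinations within `window`
    seconds, mirroring the rule's IP Count / Time settings (defaults from the example)."""
    recent = defaultdict(deque)      # src -> deque of (ts, dst), oldest first
    alerts = []
    for ts, src, dst in sorted(records):
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop entries outside the time window
            q.popleft()
        q.append((ts, dst))
        distinct = {d for _, d in q}
        if len(distinct) >= ip_count:
            alerts.append((src, ts, len(distinct)))
            q.clear()                         # assumption: one alert per sweep, then restart
    return alerts

def detect_session_rate(records, max_per_sec=200):
    """Emit a SCAN_SESSION_RATE_EXCEEDED-style alert for any source that opens more
    than `max_per_sec` sessions within a single one-second bucket."""
    counts = defaultdict(int)        # (src, whole second) -> sessions seen
    for ts, src, _ in records:
        counts[(src, int(ts))] += 1
    return [(src, sec, n) for (src, sec), n in sorted(counts.items()) if n > max_per_sec]

def sample_records():
    """Constructed traffic: one sweeper, one slow scanner, one session-rate offender."""
    recs = []
    # Host A touches 60 distinct internal addresses over 60 s -> sweep within 120 s
    recs += [(100 + i, "10.0.0.5", f"192.168.1.{i + 1}") for i in range(60)]
    # Host B touches 60 addresses but spread over 1200 s -> never 50 within 120 s
    recs += [(i * 20, "10.0.0.6", f"192.168.2.{i + 1}") for i in range(60)]
    # Host C opens 250 sessions to one server inside second 300 -> rate exceeded
    recs += [(300 + i / 250, "10.0.0.7", "192.168.1.10") for i in range(250)]
    return recs

if __name__ == "__main__":
    recs = sample_records()
    print("sweeps:", detect_ip_sweeps(recs))          # Host A only
    print("rate exceeded:", detect_session_rate(recs))  # Host C only
```

Host B shows why the Time window matters: the same number of destinations, spread out, never trips the rule, while Host C trips only the session limit because it hits a single address.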
Adding the Traffic Anomalies Rulebase

Before you can configure a rule in the Traffic Anomalies rulebase, you need to add the Traffic Anomalies rulebase to a security policy.

1. In the main navigation tree, select Policies. Open a security policy by double-clicking the policy name in the Security Policies window or by clicking the policy name and then selecting the Edit icon.
2. Click the Add icon in the upper right corner of the Security Policy window and select Add Traffic Anomalies Rulebase to open the Traffic Anomalies rulebase tab.
3. Configure a Traffic Anomalies rule by clicking the Add icon on the left side of the Security Policy window to open a default Traffic Anomalies rule. You can modify this rule as needed.
Defining a Match

You specify the traffic you want IDP to monitor for network anomalies.

Configuring Source and Destination Address Objects

Set the Source Object to Any. Set the Destination Object to any address objects you want to protect.
Copyright © 2010, Juniper Networks, Inc.
