Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 399

Copyright © 2010, Juniper Networks, Inc.
Chapter 8: Configuring Objects

Table 37: Attack Pattern Syntax Example Matches (continued)

This syntax    Matches                                         Example
-------------  ----------------------------------------------  ----------------------------
[c-e]a(d|t)    Anything with the first letter of c, d, or e,   cad, cat, dad, dat, ead, eat
               the middle letter a and ending in d or t
[^c-d]a(d|t)   Expressions that begin with a letter other      fad, zad
               than c, d, or e, have the second letter a,
               and end in d or t
a*b+c          Any number of "a" characters followed by one    bc, abc, aaabbbc
               or more b characters followed by a c

To negate the pattern, enable Negate.

Configuring Attack Context

Select the context that defines the location of the signature.

NOTE: For IDP attack objects, if you selected "Any" as the Service Binding in the Attack Pattern screen, you cannot select a service context here.

If you know the service and the specific service context, select that service, then select the appropriate service contexts. If you know the service, but are unsure of the specific service context, select Other, then select one of the following general contexts:

NOTE: If you select a line, stream, stream 256, or a service context, you cannot specify IP header contents (in the Header Match screen).

Select packet context to match the attack pattern within a packet. When you select this option, you should also specify the Service Binding (in the General tab) and define the service header options (in the Header Match tab). Although not required, specifying these additional parameters helps to improve the accuracy of the attack object and can improve performance.

Select first packet context to detect the attack in only the first packet of a stream. When the flow direction for the attack object is set to any, the security device checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. If you know that the attack signature appears in the first packet of a session, choosing first packet
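The following added example (not part of the Juniper guide, and not NSM or IDP code) models which packets the packet and first packet contexts described above hand to the pattern matcher, using the table's pattern [c-e]a(d|t). The session data, the function names, and the use of Python's re module with unanchored search are assumptions made for illustration.

```python
import re

# Pattern taken from Table 37; evaluated here with Python's re (assumption).
PATTERN = rb"[c-e]a(d|t)"

# Constructed sample session: (flow direction, payload) in arrival order.
# CTS = client-to-server, STC = server-to-client.
SESSION = [
    ("CTS", b"login cat"),
    ("STC", b"ok"),
    ("CTS", b"fetch dad"),
    ("STC", b"ead"),
]


def inspected_packets(session, context, direction="any"):
    """Return indexes of the packets that the given context inspects."""
    if context not in ("packet", "first packet"):
        raise ValueError("this model covers only packet and first packet")
    seen_flows = set()
    picked = []
    for index, (flow, _payload) in enumerate(session):
        if direction != "any" and flow != direction:
            continue  # attack object is bound to the other flow direction
        if context == "first packet":
            if flow in seen_flows:
                continue  # only the first packet of each flow is checked
            seen_flows.add(flow)
        picked.append(index)
    return picked


def match_context(session, pattern, context, direction="any"):
    """Return indexes of inspected packets whose payload matches pattern."""
    rx = re.compile(pattern)
    return [
        index
        for index in inspected_packets(session, context, direction)
        if rx.search(session[index][1])
    ]


if __name__ == "__main__":
    for ctx in ("packet", "first packet"):
        for flow_dir in ("any", "CTS", "STC"):
            print(ctx, flow_dir,
                  inspected_packets(SESSION, ctx, flow_dir),
                  match_context(SESSION, PATTERN, ctx, flow_dir))
```

With direction any, first packet context inspects two of the four packets (one per flow), which is the reduction in work the guide refers to when the signature is known to appear at the start of a session.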
