Configuring A Compound Attack Object; Configuring General Attack Properties - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

NOTE: Protocol anomaly attack objects are supported by IDP-capable security devices
only, such as the ISG2000 or ISG1000 running ScreenOS 5.3 or later IDP1.

To configure a custom protocol anomaly attack object, you must:

• Configure the false positive setting—For details, see "Configuring Attack Detection
  Properties" on page 347.
• Select a predefined protocol anomaly—Select the protocol anomaly you want to use
  for this attack object. The list of available predefined protocol anomalies depends on
  the protocols supported by the target platform. For details, refer to the NSM Online
  Help.
• Configure the time-based settings—For details, see "Configuring Time Binding" on
  page 347.

Configuring a Compound Attack Object

A compound attack object combines multiple signatures and protocol anomalies into a
single attack object, forcing traffic to match all combined signatures and anomalies
within the compound attack object before traffic is identified as an attack. By combining
and even specifying the order in which signatures or anomalies must match, you can be
very specific about the events that need to take place before the security device identifies
traffic as an attack.

NSM 2006.1 and later releases also support Boolean expressions for standalone IDP
signatures.

NOTE: Compound attack objects are supported by IDP-capable security devices only,
such as the ISG series with Security Module or any of the standalone IDP Sensors. ISG
series devices do not support Boolean expressions.

When configuring a custom compound attack object:

• All members of the compound attack object must use the same service setting or
  service binding, such as FTP, Telnet, YMSG, or TCP/80.
• You can add protocol anomaly attack objects to a compound attack object.
• You cannot add predefined or custom attack objects to a compound attack object.
  Instead, you specify the signature directly within the compound attack object, including
  such details as service (or service binding), service context, attack pattern, and direction.
• You can add between 2 and 32 protocol anomaly attack objects and signatures as
  members of the compound attack object. However, all members must use the same
  service setting or service binding.
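
The membership rules and match semantics described above, modelled as an added Python example (this is not NSM code or Juniper's detection engine). The names Member, validate, hits and is_attack, the event tuples, and the anomaly name FTP_LINE_TOO_LONG are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

MIN_MEMBERS, MAX_MEMBERS = 2, 32  # member limits stated in the guide

@dataclass(frozen=True)
class Member:
    kind: str      # "signature" or "anomaly"
    service: str   # service setting or binding, e.g. "FTP" or "TCP/80"
    match: str     # regex for a signature, anomaly name for an anomaly

def validate(members):
    """Return a list of rule violations (an empty list means acceptable)."""
    errors = []
    if not MIN_MEMBERS <= len(members) <= MAX_MEMBERS:
        errors.append(f"need {MIN_MEMBERS}-{MAX_MEMBERS} members, got {len(members)}")
    if len({m.service for m in members}) > 1:
        errors.append("all members must use the same service setting or binding")
    for m in members:
        if m.kind not in ("signature", "anomaly"):
            errors.append(f"{m.kind!r} cannot be a member; define the signature inline")
    return errors

def hits(member, event):
    """event is (kind, data): payload text for signatures, a name for anomalies."""
    kind, data = event
    if kind != member.kind:
        return False
    if kind == "signature":
        return re.search(member.match, data) is not None
    return data == member.match

def is_attack(members, events, ordered=False):
    """True only if every member matches; with ordered=True, in member order."""
    problems = validate(members)
    if problems:
        raise ValueError("; ".join(problems))
    if ordered:
        it = iter(events)  # consuming one shared iterator enforces the sequence
        return all(any(hits(m, e) for e in it) for m in members)
    return all(any(hits(m, e) for e in events) for m in members)

# Constructed sample: two FTP members and the decoded events of one session.
FTP_COMPOUND = [
    Member("signature", "FTP", r"^USER anonymous"),
    Member("anomaly", "FTP", "FTP_LINE_TOO_LONG"),  # hypothetical anomaly name
]
SESSION = [("anomaly", "FTP_LINE_TOO_LONG"), ("signature", "USER anonymous")]
```

With the constructed session, the unordered compound matches because both members fire, while the ordered compound does not because the anomaly arrives before the signature.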

Configuring General Attack Properties

False positive and time-based attack properties are configured for a compound attack
object the same way as they are for a signature attack object.
Copyright © 2010, Juniper Networks, Inc.
