Configuring Compound Attack Members - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Copyright © 2010, Juniper Networks, Inc.
Because all members of the compound attack object must use the same service binding,
the service binding you select determines the service contexts you can use for an attack
pattern, as well as the available predefined protocol anomaly attack objects you can
add as members.

- To match all services, select Any as the Service Binding.
  - When adding an attack pattern as a member, you are restricted to the contexts
    packet and first packet.
  - When adding a predefined protocol anomaly attack object as a member, you are
    restricted to the IP-based protocol anomaly attack objects.
  - Additionally, because the number of session transactions is not known for the
    service, you cannot specify a scope (in the Members tab).
- To match a specific service, select the service binding and provide the protocol ID,
  port/port range, and program number if necessary.

Next, configure the members of the compound attack object.

Configuring Compound Attack Members

When configuring members, you add the signatures and protocol anomalies to detect
an attack that uses multiple methods to exploit a vulnerability. The attack traffic must
match all signatures and anomalies within the compound attack object before the device
considers the traffic as an attack. To be explicit about the events in an attack, you can
also specify the order in which signatures or anomalies must match before the security
device identifies traffic as an attack.

Configuring the Attack Object Scope

If the selected service supports multiple transactions within a single session, you can
also specify whether the match should occur over a single session or can be made across
multiple transactions within a session:

- Select Session to allow multiple matches for the object within the same session.
- Select Transaction to match the object across multiple transactions that occur within
  the same session.

Configuring an Attack Pattern

You configure the attack pattern as a member of a compound attack object as you would
an attack pattern in a signature attack object. For details, see "Configuring Attack
Detection Properties" on page 347.
To add an attack pattern to the compound attack object, click the Add icon and select
Signature.
Pattern—Specify the pattern to match. You construct the attack pattern just as you
would when creating a new signature attack object. To negate the pattern, enable
Negate.
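
The following added example is a simplified model of the member logic described in this section (every member must match, optionally in a fixed order); it is not code from NSM or from the security device. The Member class, the helper names, the two sample members and both sessions are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Member:
    name: str                       # hypothetical label for the member
    matches: Callable[[str], bool]  # True if one message satisfies the member

def signature(name: str, pattern: str) -> Member:
    """Signature member: a regular expression stands in for the attack pattern."""
    rx = re.compile(pattern)
    return Member(name, lambda msg: rx.search(msg) is not None)

def anomaly(name: str, check: Callable[[str], bool]) -> Member:
    """Protocol anomaly member: a predicate over one message."""
    return Member(name, check)

def first_hit(member: Member, messages: List[str], start: int = 0) -> Optional[int]:
    """Index of the first message at or after `start` that the member matches."""
    for i in range(start, len(messages)):
        if member.matches(messages[i]):
            return i
    return None

def compound_match(members: List[Member], messages: List[str],
                   ordered: bool = False) -> bool:
    """True only if every member matches somewhere in the session.
    With ordered=True the members must also match in the listed order."""
    pos = 0
    for m in members:
        hit = first_hit(m, messages, pos if ordered else 0)
        if hit is None:
            return False   # one missing member means no attack is reported
        if ordered:
            pos = hit + 1  # assumption: the next member must match a later message
    return True

# Constructed members: each one alone would also fire on harmless traffic.
ANON = signature("anon-login", r"^USER anonymous\b")
LONG = anomaly("overlong-line", lambda msg: len(msg) > 256)

# Constructed sessions: A contains both events, B only the anonymous login.
SESSION_A = ["USER anonymous", "PASS guest@example.test", "CWD " + "A" * 300]
SESSION_B = ["USER anonymous", "PASS guest@example.test", "CWD /pub"]

if __name__ == "__main__":
    print(compound_match([ANON, LONG], SESSION_A))                # all members match
    print(compound_match([LONG, ANON], SESSION_A, ordered=True))  # wrong order
    print(compound_match([ANON, LONG], SESSION_B))                # one member missing
```
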
Chapter 8: Configuring Objects