Configuring Custom DI and IDP Attack Objects; Using the Attack Object Wizard - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Configuring Custom DI and IDP Attack Objects

Using the Attack Object Wizard

Copyright © 2010, Juniper Networks, Inc.
Updates to the attack object database can include:
- New descriptions or severities for existing attack objects
- New attack objects
- Deletion of obsolete attack objects
You can create custom DI and IDP attack objects to detect new attacks or customize
copies of existing attack objects to meet the unique needs of your network. For example,
you might want to edit the context of a custom attack object that is producing too many
false positives on your network, or you might want to create a new custom attack object
to detect the latest virus or Trojan that is sweeping the Internet.
The attack object creation process is similar for custom DI and IDP attack objects. To
create both object types, you use the Attack Object Wizard to enter attack object
information, attack pattern, and other important information. After you have configured
the object, however, you use each object differently:
- To use a custom DI attack object to protect your network, you must add the object to
  a custom attack object group and then a DI Profile object, which you then select within
  the Rule Options of a firewall rule. For information about creating a custom attack
  object group, see "Creating Custom IDP Attack Groups" on page 363. For information
  about creating a DI Profile object, see "Creating DI Profiles" on page 338.
- To use a custom IDP attack object to protect your network, you can add the attack
  object in an IDP rule.
NSM enables you to import custom attacks and custom attack groups from SRX Series
devices and display them as shared objects in Object Manager. You can also edit
custom attacks and custom attack groups using Object Manager and update the device
with these changes.
To help you create custom attack objects, NSM UI uses a Custom Attack Object wizard
to guide you through each step. During the creation process, the wizard prompts you for:
- Attack object information—You must supply an attack object name and configure the
  target platforms that support the attack object. You can also create an attack
  description, enter attack references, and set a severity for the attack object, if desired.
  The following sections detail the general attack object information fields.
- Attack Version information—After you have selected the target platforms, you must
  supply information about the attack version, including the protocol and context used
  to perpetrate the attack, when the attack is considered malicious, the direction and
  flow of the attack, the signature pattern of the attack, and the values found in the
  header section of the attack traffic.
Chapter 8: Configuring Objects