Creating a Signature Attack Object; Configuring General Attack Properties - Juniper Network and Security Manager 2010.4 Administration Guide Rev1


Creating a Signature Attack Object

Copyright © 2010, Juniper Networks, Inc.
Signature Attack Object—(DI and IDP attack objects) A signature attack object uses
a stateful attack signature (a pattern that always exists within a specific section of the
attack) to detect known attacks. Stateful signature attack objects also include the
protocol or service used to perpetrate the attack and the context in which the attack
occurs. If you know the exact attack signature, the protocol, and the attack context
used for a known attack, select this option. For more information about creating a
signature attack object, see "Creating a Signature Attack Object" on page 347.
Protocol Anomaly Attack Object—(IDP attack objects only) A protocol anomaly attack
object detects unknown or sophisticated attacks that violate protocol specifications
(RFCs and common RFC extensions). You cannot create new protocol anomalies, but
you can configure a new attack object that controls how the security device handles
a predefined protocol anomaly when detected. If you do not know the exact attack
signature, but you do know the protocol anomaly that detects the attack, select this
option. For more information about creating a protocol anomaly attack object, see
"Configuring a Protocol Anomaly Attack Object" on page 359.
Compound Attack Object—(IDP attack objects only) A compound attack object detects
attacks that use multiple methods to exploit a vulnerability. This object combines
multiple signatures and protocol anomalies into a single attack object, forcing traffic
to match a pattern of combined signatures and anomalies within the compound attack
object before traffic is identified as an attack. By combining and even specifying the
order in which signatures or anomalies must match, you can be very specific about the
events that need to take place before the security device identifies traffic as an attack.
If you need to detect an attack that uses several benign activities to attack your network,
or if you want to enforce a specific sequence of events to occur before the attack is
considered malicious, select this option. For more information about creating a
compound attack object, see "Configuring a Compound Attack Object" on page 359.
Click Next to configure the attack version information for the signature attack object.
You must enter general information about the attack version and specific details about
the attack pattern: the protocol and context used to perpetrate the attack, when the
attack is considered malicious, the direction and flow of the attack, the signature
pattern itself, and the values found in the header section of the attack traffic. When
using a packet-related context, you can also define IP settings and protocol header
matches for the attack version.

Configuring General Attack Properties

In the General Properties screen, you can define the false positive frequency for the attack
version, the service that the attack uses to enter your network, and the time parameters
(scope and count) that determine when a traffic abnormality is identified as an attack.
The following sections detail the attack version general properties.
Chapter 8: Configuring Objects
347
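The three attack object types and the General Properties time binding are easier to reason about when the matching rules are written down. The following Python is an added example, not code from the guide or from Juniper's IDP engine: it models a signature member as a pattern that must appear in one protocol context and direction, an anomaly member as a label the protocol decoder has already raised, a compound object as a list of members with an optional ordering requirement, and the scope/count time binding as a per-source (or per-destination, per-peer, or global) count of completed matches. The attack names, the anomaly label, the Event record, the session keyed on source and destination, and the 60-second counting window are all assumptions made for this example; the traffic is constructed, not captured.

```python
# Added example: models NSM/IDP attack-object semantics; it is not Juniper code.
import re
from dataclasses import dataclass

WINDOW = 60.0   # assumed counting window for the scope/count time binding

@dataclass
class Event:                # one decoded unit of traffic (constructed, not captured)
    t: float
    src: str
    dst: str
    service: str            # service the attack uses to enter the network, e.g. "HTTP"
    direction: str          # "client-to-server" or "server-to-client"
    context: str            # protocol section the bytes came from, e.g. "http-url"
    data: str = ""
    anomalies: tuple = ()   # anomaly labels the protocol decoder raised for this unit
@dataclass
class Signature:            # stateful signature: a pattern within one specific context
    context: str
    pattern: str
    direction: str = "any"
    def matches(self, ev):
        return (ev.context == self.context and self.direction in ("any", ev.direction)
                and re.search(self.pattern, ev.data) is not None)
@dataclass
class Anomaly:              # predefined protocol anomaly: referenced here, never defined
    name: str
    def matches(self, ev): return self.name in ev.anomalies
@dataclass
class AttackObject:
    name: str
    service: str
    members: list           # one member = plain signature/anomaly object; several = compound
    ordered: bool = False   # compound only: members must match in the listed order
    scope: str = "none"     # time binding: none | source | destination | peer
    count: int = 1          # completed matches within WINDOW before traffic is reported

class Detector:
    def __init__(self, attacks):
        self.attacks = attacks
        self.progress = {}  # (attack, src, dst) -> member indices already satisfied
        self.hits = {}      # (attack, scope key) -> timestamps of completed matches

    def _complete(self, atk, ev):   # advance per-session state; True once all members matched
        sess = (atk.name, ev.src, ev.dst)
        done = self.progress.setdefault(sess, [])
        if atk.ordered:
            nxt = len(done)
            if nxt < len(atk.members) and atk.members[nxt].matches(ev):
                done.append(nxt)
        else:
            for i, m in enumerate(atk.members):
                if i not in done and m.matches(ev):
                    done.append(i)
        if len(done) == len(atk.members):
            self.progress[sess] = []
            return True
        return False

    def feed(self, ev):             # returns (attack name, time, source) per triggered attack
        alerts = []
        for atk in self.attacks:
            if atk.service != ev.service or not self._complete(atk, ev):
                continue
            key = (atk.name, {"none": None, "source": ev.src, "destination": ev.dst, "peer": (ev.src, ev.dst)}[atk.scope])
            stamps = [t for t in self.hits.get(key, []) if ev.t - t < WINDOW] + [ev.t]
            if len(stamps) >= atk.count:
                stamps = []      # threshold reached: report, then start counting again
                alerts.append((atk.name, ev.t, ev.src))
            self.hits[key] = stamps
        return alerts

# Constructed attack objects; the names and the anomaly label are invented for this example.
ATTACKS = [
    AttackObject("HTTP:CMD-EXE-URL", "HTTP", [Signature("http-url", r"cmd\.exe", "client-to-server")]),
    AttackObject("HTTP:BASIC-AUTH-GUESSING", "HTTP",
                 [Signature("http-header", r"^Authorization: Basic ", "client-to-server")], scope="source", count=3),
    AttackObject("HTTP:ANOMALY-THEN-UPLOAD", "HTTP",
                 [Anomaly("HTTP:HEADER-TOO-LONG"), Signature("http-url", r"/upload\.php", "client-to-server")], ordered=True),
]

# Constructed traffic, already split into contexts the way a protocol decoder would hand it over.
C2S, SRV = "client-to-server", "192.0.2.10"
EVENTS = [
    Event(0.0, "10.0.0.5", SRV, "HTTP", C2S, "http-url", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
    Event(1.0, "10.0.0.5", SRV, "HTTP", C2S, "http-header", "Authorization: Basic YWRtaW46YWRtaW4="),
    Event(2.0, "10.0.0.5", SRV, "HTTP", C2S, "http-header", "Authorization: Basic YWRtaW46cGFzcw=="),
    Event(3.0, "10.0.0.9", SRV, "HTTP", C2S, "http-header", "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q="),  # other source
    Event(4.0, "10.0.0.5", SRV, "HTTP", C2S, "http-header", "Authorization: Basic cm9vdDp0b29y"),
    Event(5.0, "10.0.0.6", SRV, "HTTP", C2S, "http-url", "/upload.php"),   # 2nd member before 1st
    Event(6.0, "10.0.0.6", SRV, "HTTP", C2S, "http-header", "X" * 40, anomalies=("HTTP:HEADER-TOO-LONG",)),
    Event(7.0, "10.0.0.7", SRV, "HTTP", C2S, "http-header", "X" * 40, anomalies=("HTTP:HEADER-TOO-LONG",)),
    Event(8.0, "10.0.0.7", SRV, "HTTP", C2S, "http-url", "/upload.php"),   # members in order
    Event(9.0, "10.0.0.5", SRV, "HTTP", C2S, "http-header", "Referer: http://a.invalid/cmd.exe"),  # wrong context
]

def run(attacks=ATTACKS, events=EVENTS):    # alerts in the order the sensor would raise them
    det = Detector(attacks)
    return [alert for ev in events for alert in det.feed(ev)]
```

Running `run()` over the constructed traffic raises three alerts: the cmd.exe URL at t=0, the Basic-auth guessing object at t=4 (the third attempt from 10.0.0.5; the attempt from 10.0.0.9 at t=3 is counted separately because the scope is source), and the ordered compound object at t=8 for 10.0.0.7 only, since 10.0.0.6 produced the same two members in the wrong order. The cmd.exe string inside a Referer header at t=9 never matches because the signature is bound to the http-url context. In a real sensor the members are matched against the reassembled and decoded stream and the anomalies come from the device's own protocol decoders; this model only shows how the properties you set in NSM combine.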
