Table 36: Attack Pattern Syntax; Configuring Attack Detection Properties - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide
352
Peer. Select this option to detect attacks between source and destination IP
addresses of the sessions for the specified number of times.
Count/Min—Enter the number of times per minute that the attack object must detect
an attack within the specified Scope before the device considers the attack object to
match the attack. For example, the TCP Protocol Anomaly "Segment Out of Window"
is harmless and is occasionally seen on networks. Thousands of these anomalies
between given peers, however, are suspicious.
The minute timer starts when the signature first matches the event. If the signature
matches the same event for the specific count or higher within 60 seconds, the signature
is considered to have matched the attack object.
If you bind the attack object to multiple ports (see "Configuring Attack Detection
Properties" on page 352) and the attack object detects that attack on different ports,
each attack on each port is counted as a separate occurrence. For example, when the
attack object detects that attack on TCP/80 and then on TCP/8080, the count is two.
After you finish entering the general attack properties for the attack type, click Next to
configure the attack detection properties.
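The Scope and Count/Min behaviour described above, as an added worked example (not Juniper's code): a per-scope counter that starts the minute timer at the first hit, adds a hit on any port to the same count, and reports a match once the count is reached within 60 seconds. The 4-tuple used as the session key and the reset after a match are assumptions; the traffic is constructed.

```python
WINDOW_SECONDS = 60  # the "minute timer" from the text


class CountPerMinuteMatcher:
    """Count/Min evaluation for one attack object (constructed example).
    scope is "session" or "peer" (the page's Scope options); threshold is Count/Min.
    """

    def __init__(self, scope, threshold):
        if scope not in ("session", "peer") or threshold < 1:
            raise ValueError("scope must be 'session' or 'peer'; threshold >= 1")
        self.scope = scope
        self.threshold = threshold
        self._windows = {}  # key -> (window_start, count)

    def _key(self, src_ip, src_port, dst_ip, dst_port):
        # Peer: count every session between the two IP addresses together.
        # Session: count only within one flow (assumption: 4-tuple key).
        if self.scope == "peer":
            return (src_ip, dst_ip)
        return (src_ip, src_port, dst_ip, dst_port)

    def observe(self, ts, src_ip, src_port, dst_ip, dst_port):
        """Record one signature hit at time ts (seconds); True when matched."""
        key = self._key(src_ip, src_port, dst_ip, dst_port)
        start, count = self._windows.get(key, (None, 0))
        if start is None or ts - start > WINDOW_SECONDS:
            start, count = ts, 0  # timer starts at the first hit of a window
        count += 1  # a hit on any port is one more occurrence
        if count >= self.threshold:
            # Assumption: the counter resets once the attack object matched.
            self._windows.pop(key, None)
            return True
        self._windows[key] = (start, count)
        return False


def demo():
    """Constructed traffic reproducing the page's TCP/80 then TCP/8080 case."""
    hits = [(0.0, "10.0.0.5", 40001, "10.0.0.9", 80),
            (5.0, "10.0.0.5", 40002, "10.0.0.9", 8080)]
    peer = CountPerMinuteMatcher("peer", 2)
    sess = CountPerMinuteMatcher("session", 2)
    peer_results = [peer.observe(*h) for h in hits]  # two occurrences -> match
    sess_results = [sess.observe(*h) for h in hits]  # two different sessions
    slow = CountPerMinuteMatcher("peer", 2)
    late = [(0.0, "10.0.0.5", 40001, "10.0.0.9", 80),
            (61.0, "10.0.0.5", 40001, "10.0.0.9", 80),  # outside first minute
            (70.0, "10.0.0.5", 40001, "10.0.0.9", 80)]  # second hit of new minute
    slow_results = [slow.observe(*h) for h in late]
    return peer_results, sess_results, slow_results
```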

Configuring Attack Detection Properties

In the Attack Pattern screen, you can define the signature pattern of the attack, the
context in which the attack occurs, and the direction and flow of the attack.

Configuring Attack Pattern

The attack pattern is the signature of the attack you want to detect. A signature is a
pattern that always exists within an attack; if the attack is present, so is the signature.
To create the attack pattern, you must first analyze the attack to detect a pattern (such
as a segment of code, a URL, or a value in a packet header), then create a syntactical
expression that represents that pattern. Table 36 on page 352 lists the regular-expression
based syntax used to match signature patterns for DI and IDP.

Table 36: Attack Pattern Syntax

Pattern                               Syntax
Direct binary match (octal)           \0<octal-number>
Direct binary match (hexadecimal)     \X<hexadecimal-number>\X
Case insensitive matches              \[<character-set>\]
Match any symbol                      .
Match 1 or more symbols               *
Match 0 or 1 symbols                  ?
Grouping of expressions               ( )
Alternation, typically used with ( )  |

Copyright © 2010, Juniper Networks, Inc.
