Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 404

Network and Security Manager Administration Guide
Table 37: Attack Pattern Syntax Example Matches (continued)

| This syntax | Matches | Example |
|---|---|---|
| a*b+c | Any number of "a" characters followed by one or more b characters followed by a c. | bc, abc, aaabbbc |

To negate the pattern, enable Negate.

Configuring Attack Context

Select the context that defines the location of the signature.

NOTE: For IDP attack objects, if you selected "Any" as the Service Binding in the Attack Pattern screen, you cannot select a service context here.

If you know the service and the specific service context, select that service then select the appropriate service contexts. If you know the service, but are unsure of the specific service context, select Other then select one of the following general contexts:

NOTE: If you select a stream, stream 256, stream 1K, stream 8K, or a service context, you cannot specify IP header contents (in the Header Match screen).

- Select packet context to match the attack pattern within a packet. When you select this option, you should also specify the Service Binding (in the General tab) and define the service header options (in the Header Match tab). Although not required, specifying these additional parameters helps to improve the accuracy of the attack object and can improve performance.
- Select first packet context to detect the attack in only the first packet of a stream. When the flow direction for the attack object is set to any, the security device checks the first packet of both the server-to-client (STC) and client-to-server (CTS) flows. If you know that the attack signature appears in the first packet of a session, choosing first packet instead of packet reduces the amount of traffic the security device needs to monitor, thereby improving performance.
- Select first data packet context to detect the attack in only the first data packet of a stream. If you know that the attack signature appears in the first data packet of a session, choosing first data packet instead of first packet reduces the amount of traffic the security device needs to monitor, thereby improving performance.
- Select stream context to reassemble packets and extract the data to search for a pattern match. However, a security device does not recognize packet boundaries for stream contexts, so data for multiple packets is combined. Select this option only when no other context option contains the attack.
- Select stream 256 context to reassemble packets and search for a pattern match within the first 256 bytes of a traffic stream. When the flow direction is set to any, the
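
The context scoping described above, as an added example that is not taken from the Juniper manual: a Python model of which bytes each general context exposes to the Table 37 pattern a*b+c, for one flow direction. The function names, the sample flows and the treatment of an empty payload as a packet without data are assumptions of this example, and Python's `re` stands in for the device's pattern engine.

```python
import re

# Table 37 pattern. For this pattern the manual's syntax and Python's `re`
# agree; other operators of the device syntax are not modelled here.
PATTERN = re.compile(rb"a*b+c")

CONTEXTS = ("packet", "first packet", "first data packet", "stream", "stream 256")

def buffers(payloads, context):
    """Byte buffers the pattern is searched in for one flow direction.

    `payloads` is the ordered list of packet payloads; an empty payload
    stands for a packet that carries no data (assumption of this model).
    """
    if context == "packet":             # every packet, each on its own
        return list(payloads)
    if context == "first packet":       # only the first packet of the flow
        return payloads[:1]
    if context == "first data packet":  # only the first packet with data
        return [p for p in payloads if p][:1]
    stream = b"".join(payloads)         # reassembled, packet boundaries lost
    if context == "stream":
        return [stream]
    if context == "stream 256":         # first 256 bytes of the stream only
        return [stream[:256]]
    raise ValueError(f"unknown context: {context}")

def evaluate(payloads):
    """Map each context to True if the pattern is found within its scope."""
    return {c: any(PATTERN.search(b) for b in buffers(payloads, c))
            for c in CONTEXTS}

# Constructed sample flows (not captured traffic).
FLOWS = {
    "in first data packet": [b"", b"..abc.."],
    "split across packets": [b"", b"..aaabbb", b"c.."],
    "beyond byte 256":      [b"." * 300, b"aaabbbc"],
}

if __name__ == "__main__":
    for name, payloads in FLOWS.items():
        hits = [c for c, hit in evaluate(payloads).items() if hit]
        print(f"{name:22} -> {', '.join(hits) or 'no context matches'}")
```

Only the stream contexts find the pattern that is split across two packets, and stream 256 misses a pattern that begins after the first 256 bytes of the stream.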
Copyright © 2010, Juniper Networks, Inc.