Configuring General Attack Properties; Configuring Compound Attack Members - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide
You cannot add predefined or custom attack objects to a compound attack object.
Instead, you specify the signature directly within the compound attack object, including
such details as service (or service binding), service context, attack pattern, and direction.
You can add between 2 and 32 protocol anomaly attack objects and signatures as
members of the compound attack object. However, all members must use the same
service setting or service binding.

Configuring General Attack Properties

False positive and time-based attack properties are configured for a compound attack
object the same way as they are for a signature attack object.
Because all members of the compound attack object must use the same service binding,
the service binding you select determines the service contexts you can use for an attack
pattern, as well as the available predefined protocol anomaly attack objects you can
add as members.

- To match all services, select Any as the Service Binding.
  - When adding an attack pattern as a member, you are restricted to the contexts
    packet, first data packet, and first packet.
  - When adding a predefined protocol anomaly attack object as a member, you are
    restricted to the IP-based protocol anomaly attack objects.
  - Additionally, because the number of session transactions is not known for the
    service, you cannot specify a scope (in the Members tab).
- To match a specific service, select the service binding and provide the protocol ID,
  port/port range, and program number if necessary.

Next, configure the members of the compound attack object.

Configuring Compound Attack Members

When configuring members, you add the signatures and protocol anomalies to detect
an attack that uses multiple methods to exploit a vulnerability. The attack traffic must
match all signatures and anomalies within the compound attack object before the device
considers the traffic as an attack. To be explicit about the events in an attack, you can
also specify the order in which signatures or anomalies must match before the security
device identifies traffic as an attack.

Configuring the Attack Object Scope

If the selected service supports multiple transactions within a single session, you can
also specify whether the match should occur over a single session or can be made across
multiple transactions within a session:

- Select Session to allow multiple matches for the object within the same session.
- Select Transaction to match the object across multiple transactions that occur within
  the same session.
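
The rules above can be checked mechanically before a compound attack object is deployed. The following is an added example, not code from the guide or from NSM: the Member class, the function names, and the sample member names are hypothetical, and the ordered match is assumed to allow other events between members.

```python
from dataclasses import dataclass

# Contexts the page allows for attack-pattern members when the binding is Any.
ANY_CONTEXTS = {"packet", "first data packet", "first packet"}

@dataclass
class Member:                 # hypothetical model, not an NSM data structure
    name: str
    kind: str                 # "signature" or "anomaly"
    binding: str              # service binding, e.g. "Any" or "HTTP"
    context: str = ""         # service context (signature members only)
    ip_based: bool = False    # IP-based protocol anomaly (anomaly members only)

def validate(binding, members, scope=None):
    """Return the rule violations for a compound attack definition."""
    errors = []
    if not 2 <= len(members) <= 32:
        errors.append("member count must be between 2 and 32")
    for m in members:
        if m.binding != binding:
            errors.append(f"{m.name}: service binding differs from the compound object")
        if binding == "Any" and m.kind == "signature" and m.context not in ANY_CONTEXTS:
            errors.append(f"{m.name}: context not available with binding Any")
        if binding == "Any" and m.kind == "anomaly" and not m.ip_based:
            errors.append(f"{m.name}: only IP-based anomalies allowed with binding Any")
    if binding == "Any" and scope is not None:
        errors.append("scope cannot be specified with binding Any")
    return errors

def is_attack(member_names, matched, ordered=False):
    """matched: member names in the order they fired on the traffic."""
    if not ordered:
        return set(member_names) <= set(matched)      # every member must match
    it = iter(matched)
    return all(name in it for name in member_names)   # same relative order

# Constructed sample definition and match sequences.
MEMBERS = [Member("sig-probe", "signature", "Any", context="first packet"),
           Member("anom-frag", "anomaly", "Any", ip_based=True)]
NAMES = [m.name for m in MEMBERS]

if __name__ == "__main__":
    print(validate("Any", MEMBERS))
    print(validate("Any", MEMBERS, scope="session"))
    print(is_attack(NAMES, ["anom-frag", "sig-probe"]))
    print(is_attack(NAMES, ["anom-frag", "sig-probe"], ordered=True))
```

A definition that passes validate() but only matches with ordered=False shows the effect of the ordering option: the same traffic stops counting as an attack once the member order is enforced.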
Copyright © 2010, Juniper Networks, Inc.
