Intrusion Prevention
Contributor
RichardHitti
Posts: 10
Registered: 01-13-2009

[Recommended]Attack Type Dynamic Groups

Hi,

As far as I know, the dynamic group [Recommended] Attack Type contains all signatures and anomalies that Juniper Networks considers to be serious threats, and therefore Juniper recommends that its clients take action against these attack objects.

However, I noticed that some attack objects (for example: "SMTP: Outlook Saved Search File") are listed under the [Recommended] Attack Type group, but the recommended action is None as per the IDP Attack detection set link (https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html#TCP).

Can someone explain that to me? Is the IDP Attack detection set link up-to-date? Is my assumption regarding the [Recommended] Attack Type incorrect?

 

Thanks,

Richard Hitti JNCIA-IDP

Recognized Expert
Daniele
Posts: 164
Registered: 11-06-2007

Re: [Recommended]Attack Type Dynamic Groups

Hi Richard,

Recommended attacks and recommended actions are separate things.

The "Recommended Attacks" group contains the set of attacks that customers should use in a policy to inspect their traffic, as recommended by Juniper.

The "Recommended Action" is the action Juniper recommends taking when an attack is detected.

This is based on the Severity of the Attack:

Critical and Major: Drop connection, Log

Minor and Warning: Log

Info: none

In this way, customers with different levels of knowledge about network security can implement the best IDP policy for their needs.

Some customers can decide to rely on Juniper's recommended Attacks and Actions, others prefer to use the recommended Attacks but decide the Action themselves, and others choose to select the attacks and the action according to their needs.

Hope this helps!

Daniele

***Contributor at Router Freak blog***
Contributor
RichardHitti
Posts: 10
Registered: 01-13-2009

Re: [Recommended]Attack Type Dynamic Groups

Thanks Daniele,

But I noticed a recommended action "drop" for a few signatures with severity Info. So can we rely on the method of dropping signatures based on severities (Critical and Major)?

What I need to understand is: if the recommended action is to drop, this means that Juniper considers this signature a threat even if the severity of this signature is Info or Minor. So why is the severity of this signature not set as Critical or Major?

Thanks,

Richard Hitti JNCIA-IDP

Recognized Expert
Daniele
Posts: 164
Registered: 11-06-2007

Re: [Recommended]Attack Type Dynamic Groups

Hi Richard,

Yes, you're right, the Severity is not the only method used to decide the recommended action.

I found attacks like this one:

DNS: Mismatching Reply AN

that has Severity Info because it is a strange behaviour that doesn't mean that an attack is going on.

But the recommended action is Drop Packet because there's no point in letting it pass the IDP.

The Severity and the recommended Action are not related to each other; depending on the specific Attack, Juniper decides what is the best recommendation for the customers.

Hope this helps

Daniele

***Contributor at Router Freak blog***
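An added defender-side check, written for this page and not taken from Juniper or from the posters above: it applies the severity-to-action defaults Daniele lists to a small attack-object table, reports attacks whose recommended action deviates from that default (the "DNS: Mismatching Reply AN" case), and lists [Recommended]-group entries whose action is None (Richard's observation). The CSV layout, the constructed rows and every value the thread does not state are assumptions; adapt `parse_attack_objects` to your own NSM export.

```python
import csv
import io

# Severity -> recommended action as described in the thread
# (Critical/Major also log; Minor/Warning have Log as their only action).
DEFAULT_ACTION_BY_SEVERITY = {
    "Critical": "Drop Connection",
    "Major": "Drop Connection",
    "Minor": "Log",
    "Warning": "Log",
    "Info": "None",
}

# Constructed sample export (not a real NSM attack-object dump). The two rows
# named in the thread carry the values it states; the rest is made up.
SAMPLE_EXPORT = """\
name,dynamic_group,severity,recommended_action
DNS: Mismatching Reply AN,[Recommended] Attack Type,Info,Drop Packet
SMTP: Outlook Saved Search File,[Recommended] Attack Type,Info,None
EXAMPLE: Constructed Critical Signature,[Recommended] Attack Type,Critical,Drop Connection
EXAMPLE: Constructed Info Anomaly,,Info,None
"""


def parse_attack_objects(text):
    """Parse a CSV export into a list of dicts, one per attack object."""
    return list(csv.DictReader(io.StringIO(text)))


def find_deviations(objects):
    """Attack objects whose recommended action differs from the severity
    default; each entry is (name, severity, expected, actual)."""
    deviations = []
    for obj in objects:
        expected = DEFAULT_ACTION_BY_SEVERITY.get(obj["severity"])
        if expected is not None and obj["recommended_action"] != expected:
            deviations.append((obj["name"], obj["severity"], expected, obj["recommended_action"]))
    return deviations


def recommended_but_no_action(objects):
    """Names in the [Recommended] group whose recommended action is None:
    inspected by the policy, but nothing is dropped unless you change it."""
    return [obj["name"] for obj in objects
            if obj["dynamic_group"].startswith("[Recommended]")
            and obj["recommended_action"] == "None"]


if __name__ == "__main__":
    objs = parse_attack_objects(SAMPLE_EXPORT)
    for name, sev, exp, act in find_deviations(objs):
        print(f"{name}: severity {sev}, default {exp}, recommended {act}")
    print("Recommended group, action None:", recommended_but_no_action(objs))
```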
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.