01-26-2009 01:20 AM
As far as I know, the dynamic group [Recommended] Attack Type contains all signatures and anomalies that Juniper Networks considers to be serious threats, and therefore Juniper recommends that its clients take action against these attack objects.
However, I noticed that some attack objects (for example: "SMTP: Outlook Saved Search File") are listed under the [Recommended] Attack Type group, but the recommended action is None as per the IDP Attack detection set link (https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html#TCP).
Can someone explain that to me? Is the IDP Attack detection set link up-to-date? Is my assumption regarding the [Recommended] Attack Type incorrect?
Richard Hitti JNCIA-IDP
01-26-2009 04:40 AM
Recommended attacks and recommended actions are separate things.
The "Recommended Attacks" group contains the set of attacks that customers should use in a policy to inspect their traffic, as recommended by Juniper.
The "Recommended Action" is the action Juniper recommends taking when an attack is detected.
This is based on the Severity of the Attack:
Critical and Major: Drop connection, Log
Minor and Warning: Log
In this way customers with different levels of knowledge about network security can implement the best IDP policy for their needs.
Some customers can decide to rely on Juniper's recommended Attacks and Actions, others prefer to use the recommended Attacks but decide the Action, and others choose to select the attacks and the action according to their needs.
Hope this helps!
01-26-2009 09:30 PM
But I noticed a recommended action "drop" for a few signatures with severity Info. So can we rely on the method of dropping signatures based on severities (Critical and Major)?
What I need to understand is: if the recommended action is to drop, this means that Juniper considers this signature a threat even if the severity of this signature is Info or Minor. So why is the severity of this signature not set as Critical or Major?
Richard Hitti JNCIA-IDP
01-27-2009 05:13 AM
Yes, you're right, the Severity is not the only method used to decide the recommended action.
I found attacks like this one:
DNS: Mismatching Reply AN
that has Severity Info because it is a strange behaviour that doesn't mean an attack is going on.
But the recommended action is Drop Packet because there's no point in letting it pass the IDP.
The Severity and the recommended Action are not related to each other; depending on the specific Attack, Juniper decides what is the best recommendation for the customers.
Hope this helps
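The following is an added example, not code from this thread, from Juniper or from NSM. It models the two points made above: the second reply's three ways of building a policy (Juniper's recommended attacks with Juniper's recommended actions; recommended attacks with an action the operator derives from Severity; a fully custom selection), and the last reply's point that Severity and Recommended Action are independent attributes of an attack object. The attack-object records are constructed sample data: the two names quoted in the thread carry the attributes the posts report for them, while their remaining fields, every PLACEHOLDER object, and the treatment of Info severity (which the severity table in the thread does not mention) are assumptions of the example.

```python
"""Added example, not code from the thread or from Juniper: a small model of an
IDP policy built from a detection-set feed, showing that membership in the
[Recommended] group, an object's Severity, and its Recommended Action are
three independent attributes, and how the three ways of building a policy
described in the thread combine them.

All attack objects below are constructed sample data. The two names quoted in
the thread carry the attributes the posts report for them; their other fields
and every PLACEHOLDER object are assumptions, not real signature data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Action = FrozenSet[str]            # a set of action tokens; the empty set means "None"
LABELS = {"drop-connection": "Drop Connection",
          "drop-packet": "Drop Packet",
          "log": "Log"}


@dataclass(frozen=True)
class AttackObject:
    name: str
    severity: str                  # Critical, Major, Minor, Warning or Info
    in_recommended_group: bool     # member of the [Recommended] dynamic group
    recommended_action: Action     # Juniper's per-object recommendation


SAMPLE_FEED: List[AttackObject] = [
    # Quoted in the thread: in [Recommended], recommended action None.
    # Its severity is not stated in the thread; "Major" is an assumption.
    AttackObject("SMTP: Outlook Saved Search File", "Major", True, frozenset()),
    # Quoted in the thread: Severity Info, recommended action Drop Packet.
    AttackObject("DNS: Mismatching Reply AN", "Info", True, frozenset({"drop-packet"})),
    # Placeholders whose recommendation happens to match the severity rule.
    AttackObject("PLACEHOLDER: Critical Exploit", "Critical", True,
                 frozenset({"drop-connection", "log"})),
    AttackObject("PLACEHOLDER: Noisy Probe", "Minor", True, frozenset({"log"})),
    # Placeholder outside the [Recommended] group.
    AttackObject("PLACEHOLDER: Lab-only Anomaly", "Warning", False, frozenset()),
]

# The severity-to-action table from the second reply. That reply does not list
# Info, so treating Info as log-only is an assumption of this example.
SEVERITY_ACTION: Dict[str, Action] = {
    "Critical": frozenset({"drop-connection", "log"}),
    "Major": frozenset({"drop-connection", "log"}),
    "Minor": frozenset({"log"}),
    "Warning": frozenset({"log"}),
}
INFO_ACTION: Action = frozenset({"log"})


def describe(action: Action) -> str:
    """Render an action set the way the detection-set page words it."""
    return ", ".join(sorted(LABELS[a] for a in action)) or "None"


def recommended_group(feed: List[AttackObject]) -> List[AttackObject]:
    """The [Recommended] dynamic group: membership only, says nothing about action."""
    return [a for a in feed if a.in_recommended_group]


def policy_juniper_actions(feed: List[AttackObject]) -> Dict[str, Action]:
    """Strategy 1: recommended attacks, each with Juniper's recommended action."""
    return {a.name: a.recommended_action for a in recommended_group(feed)}


def policy_severity_actions(feed: List[AttackObject]) -> Dict[str, Action]:
    """Strategy 2: recommended attacks, action derived by the operator from severity."""
    return {a.name: SEVERITY_ACTION.get(a.severity, INFO_ACTION)
            for a in recommended_group(feed)}


def policy_custom(feed: List[AttackObject],
                  select: Callable[[AttackObject], bool],
                  action_for: Callable[[AttackObject], Action]) -> Dict[str, Action]:
    """Strategy 3: the operator picks both the attack set and the action."""
    return {a.name: action_for(a) for a in feed if select(a)}


def disagreements(feed: List[AttackObject]) -> List[Tuple[str, str, str]]:
    """Recommended objects whose severity-derived action differs from Juniper's
    recommended action: exactly the cases the original poster found puzzling.
    Returns (name, severity-derived action, Juniper-recommended action) as text."""
    by_juniper = policy_juniper_actions(feed)
    by_severity = policy_severity_actions(feed)
    return [(name, describe(by_severity[name]), describe(by_juniper[name]))
            for name in by_juniper if by_severity[name] != by_juniper[name]]


if __name__ == "__main__":
    for name, derived, juniper in disagreements(SAMPLE_FEED):
        print(f"{name}: severity rule says {derived}; Juniper recommends {juniper}")
```

Running `disagreements` over the constructed feed reports only the two objects quoted in the thread: the SMTP object, where the severity rule would drop but Juniper recommends None, and the DNS anomaly, where the severity rule would only log but Juniper recommends Drop Packet. The placeholders that agree with the severity table are not reported, which is the practical check an operator wants before deciding whether to follow Juniper's per-object actions or derive their own from Severity.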