
[EOL/EOE] How to modify the threshold value for a protocol anomaly in an ISG-IDP or standalone IDP security device via NSM


Article ID: KB22740 KB Last Updated: 18 Oct 2020 Version: 2.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article provides information on how to adjust the threshold value for a protocol anomaly, via NSM, for ISG-IDP or stand-alone IDP security devices.

For numerous attack signatures, the triggered protocol anomaly appears in the NSM Log Viewer when the observed value is detected to be above the preset threshold.
Symptoms:
The thresholds of many IDP protocol anomalies can be adjusted as required, for example HTTP:Too many parameters.


In the following image, the protocol anomaly is triggered when it detects an HTTP request with the number of parameters above the preset threshold.

 


 
Cause:
The default IDP Protocol anomaly thresholds may trigger false positives in your environment.
Solution:
The threshold value for a protocol anomaly can be adjusted in NSM.
 

 

  1. For stand-alone IDP, edit the device on NSM and go to Sensor Settings. Under Sensor Settings, click the Protocols Thresholds and Configuration tab, and adjust the threshold value for the required protocol.
     



    As per the above example, the threshold for the HTTP:Too many parameters protocol anomaly can be modified under HTTP > Maximum Request length.

  2. To achieve the same for ISG-IDP 1000/2000, edit the security device on NSM and go to Security > IDP SM Settings. Under IDP SM Settings, click Protocol Thresholds and Configuration and adjust the threshold value for the required protocol.
     



For more information on attack signatures, refer to the following link:

http://services.netscreen.com/documentation/signatures/





 
Modification History:
2020-10-18: Tagged article for EOL/EOE.
 