How to modify the threshold value for a protocol anomaly in an ISG-IDP or standalone IDP security device via NSM

Article ID: KB22740 KB Last Updated: 24 Jan 2012 Version: 1.0
Summary:
This article provides information on how to adjust the threshold value for a protocol anomaly, via NSM, for ISG-IDP or stand-alone IDP security devices.

For numerous attack signatures, the protocol anomaly is triggered, and can be seen in the NSM Log Viewer, when the monitored value is detected to be above the preset threshold.
Symptoms:
The thresholds of many IDP protocol anomalies can be adjusted as required. For example, HTTP:Too many parameters.


In the following image, the protocol anomaly is triggered when it detects an HTTP request with the number of parameters above the preset threshold.

 



Cause:
The default IDP Protocol anomaly thresholds may trigger false positives in your environment.
Solution:
The threshold value for a protocol anomaly can be adjusted on NSM.

  1. For stand-alone IDP, edit the device on NSM and go to Sensor Settings. Under Sensor Settings, click the Protocol Thresholds and Configuration tab, and adjust the threshold value for the required protocol.



    As per the above example, the threshold for the HTTP:Too many parameters protocol anomaly can be modified under HTTP > Maximum Request length.

  2. To achieve the same for ISG-IDP 1000/2000, edit the security device on NSM and go to Security > IDP SM Settings. Under IDP SM Settings, click Protocol Thresholds and Configuration and adjust the threshold value for the required protocol.



For more information on attack signatures, refer to the following link:

http://services.netscreen.com/documentation/signatures/





