
SRX Custom Attack

Last Modified: 2015-04-25
We are getting an attack as given below, and we tried to add custom attacks to the IDP, but strangely none of them can catch the attacker. I know the rules are working because they catch lots of other IP addresses :) Where are we making a mistake?

        custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            /* drop-packet fires only after 10 matching packets from the same source inside the IDP time window */
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    /* shellcode intel enables Intel shellcode detection for this signature; the default is no-shellcode. A 1-byte UDP payload cannot carry shellcode, so test with no-shellcode if the header checks alone are intended */
                    shellcode intel;
                    protocol {
                        ipv4 {
                            /* capture shows ttl 62: this condition matches the packets below */
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            /* IPv4 total-length of the captured packets is 29 (0x001d), not 1; this condition can never match them */
                            total-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    /* no protocol-binding here, unlike the other three signatures */
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            /* capture: UDP length field is 9 (0x0009 = 8-byte header + 1 data byte), tcpdump reports data length 1; confirm which of the two data-length compares against on your release */
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            /* capture shows flags [DF]: this condition matches the packets below */
                            ip-flags df;
                        }
                    }
                }
            }
        }

02:06:30.678789 IP (tos 0x0, ttl  62, id 27604, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6bd4 4000 3e11 e235 b909 9c02  E...k.@.>..5....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.679774 IP (tos 0x0, ttl  62, id 28335, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6eaf 4000 3e11 df5a b909 9c02  E...n.@.>..Z....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.680880 IP (tos 0x0, ttl  62, id 29088, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 71a0 4000 3e11 dc69 b909 9c02  E...q.@.>..i....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.681780 IP (tos 0x0, ttl  62, id 29894, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 74c6 4000 3e11 d943 b909 9c02  E...t.@.>..C....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.682775 IP (tos 0x0, ttl  62, id 30682, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 77da 4000 3e11 d62f b909 9c02  E...w.@.>../....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.683773 IP (tos 0x0, ttl  62, id 31453, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 7add 4000 3e11 d32c b909 9c02  E...z.@.>..,....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.684776 IP (tos 0x0, ttl  62, id 32208, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 7dd0 4000 3e11 d039 b909 9c02  E...}.@.>..9....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............

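Added example, not from the question or from any answer on this page: a short Python script that decodes the IPv4 and UDP headers out of the tcpdump hex lines above and evaluates the four custom-attack conditions against them, so you can see from the packet itself which signatures can match. The sample input is the first two packets of the capture, copied from the question; the signature predicates and the per-source hit counter are this example's own approximations of the Junos conditions, not Juniper code. Two things it makes visible: the IPv4 total-length of these packets is 29 (0x001d), so the Block_Size condition `value 1` can never match, and the UDP length field is 9 while the data length is 1, so Block_Length depends on which of those `udp data-length` compares against. The 46 captured bytes also include 17 bytes of Ethernet padding beyond the 29-byte datagram, which the decoder drops by honouring total-length.

```python
"""Check captured UDP packets against the four SRX IDP custom-attack conditions
from the question by decoding IPv4/UDP headers out of tcpdump -x hex lines.
Constructed sample input: the first two packets of the capture, copied verbatim."""
import re
import struct
from collections import Counter

SAMPLE_CAPTURE = """\
02:06:30.678789 IP (tos 0x0, ttl  62, id 27604, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6bd4 4000 3e11 e235 b909 9c02  E...k.@.>..5....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.679774 IP (tos 0x0, ttl  62, id 28335, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6eaf 4000 3e11 df5a b909 9c02  E...n.@.>..Z....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s")


def split_packets(capture):
    """Group tcpdump -x output into one raw byte string per packet.
    Summary lines start at column 0; hex lines are indented and start with 0x."""
    packets, current = [], bytearray()
    for line in capture.splitlines():
        if HEX_LINE.match(line):
            # columns: offset, hex groups (single-space separated), ASCII (2+ spaces away)
            hexgroups = re.split(r"\s{2,}", line.strip(), maxsplit=2)[1]
            current += bytes.fromhex(hexgroups.replace(" ", ""))
        elif line.strip():
            if current:
                packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets


def parse_ipv4_udp(raw):
    """Decode the IPv4 and UDP headers and return the fields the signatures test."""
    (ver_ihl, _tos, total_length, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 17:
        raise ValueError("not UDP")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, udp_length, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    # Bytes past total_length are Ethernet padding (frames are padded to 60 bytes),
    # not UDP data: the capture holds 46 bytes for a 29-byte datagram.
    payload = raw[ihl + 8:total_length]
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),
        "total_length": total_length,
        "ip_id": ident,
        "sport": sport,
        "dport": dport,
        "udp_length": udp_length,          # UDP length field: 8-byte header + data
        "udp_data_length": len(payload),   # what tcpdump prints as "UDP, length 1"
        "payload": payload,
    }


# The four custom-attack conditions from the question as predicates on the decoded headers
# (this example's approximation of the Junos matching, not Juniper code).
SIGNATURES = {
    "Block_TTL":    lambda p: p["ttl"] == 62,
    "Block_Size":   lambda p: p["total_length"] == 1,    # never true for a 29-byte packet
    "Block_Length": lambda p: p["udp_data_length"] == 1,
    "Block_Flag":   lambda p: p["df"],
}
TIME_BINDING_COUNT = 10   # time-binding { count 10; scope source; }


def evaluate(pkt):
    """Which of the four signatures match one decoded packet."""
    return {name: bool(test(pkt)) for name, test in SIGNATURES.items()}


def hits_by_source(packets):
    """Per signature, how many matching packets each source sent. With scope source,
    IDP reports the attack only once a source reaches TIME_BINDING_COUNT hits in its window."""
    hits = {name: Counter() for name in SIGNATURES}
    for raw in packets:
        pkt = parse_ipv4_udp(raw)
        for name, matched in evaluate(pkt).items():
            if matched:
                hits[name][pkt["src"]] += 1
    return hits


if __name__ == "__main__":
    raws = split_packets(SAMPLE_CAPTURE)
    for p in map(parse_ipv4_udp, raws):
        print(p["src"], "ttl", p["ttl"], "df", p["df"], "ip total-length", p["total_length"],
              "udp length field", p["udp_length"], "udp data", p["udp_data_length"], evaluate(p))
    for name, per_src in hits_by_source(raws).items():
        for src, n in per_src.items():
            print(f"{name}: {src} {n}/{TIME_BINDING_COUNT} hits")
```

Run it as-is to print the decoded fields for each packet. With `count 10` in the time-binding, a source needs ten matching packets inside the IDP's time window before drop-packet fires, which the per-source counter at the end illustrates (the two embedded packets give 2/10 for the three conditions that match and 0/10 for Block_Size).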