
NSM logs indicate traffic being dropped and accepted for the same session


Article ID: KB15812 | Last Updated: 10 Jun 2010 | Version: 2.0
Summary:
This article explains why IDP logs traffic for the same session as both dropped and accepted.
Symptoms:

Solution:
If an attack is detected on a particular session, IDP applies the action defined in the policy and sends a log to NSM. In some cases a single session matches multiple rules in the IDP policy, because the detected attack belongs to the signature groups referenced by more than one rule. IDP always applies the most severe of the matched actions to the traffic, but it logs every rule that matched.
For example:
If a particular session matches two IDP rules, one with the action "Connection Drop" and the other with the action "None", IDP sends two different logs to NSM: one indicating the action "ACCEPT" and the other indicating "Conn Dropped". Both logs also indicate their individual rule numbers.

IDP also drops the connection, because "Connection Drop" is the most severe of the two actions.

Below is a screen shot of NSM logs showing the attack "TCP: Sockstress Denial of Service" logged as both "ACCEPT" and "Conn Dropped" for the same session.

This type of log may cause confusion. To avoid it, the customer should re-arrange the rules in the IDP policy:
  • Rules that have severe actions such as "Conn Drop" or "Drop Packet" should be moved to the top of the rule base with "Terminate Match" enabled.
  • All rules with the action "None" should be moved to the bottom of the rule base.
Contact JTAC for further assistance if there are many rules in the policy.
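The following model illustrates the matching and logging behaviour described above and why the recommended re-ordering removes the duplicate log. It is an added example, not Juniper code: the rule structure, the severity ranking of actions and the assumption that "Terminate Match" stops evaluation at the matching rule are constructed for illustration.

```python
"""Model of IDP rule matching and NSM logging as described in KB15812.

Added illustration, not Juniper code. The Rule layout, SEVERITY ranking and
the terminate-match semantics are assumptions chosen to mirror the article.
"""
from dataclasses import dataclass

# Assumed ranking, most severe first; the article names only these actions.
SEVERITY = {"Connection Drop": 3, "Drop Packet": 2, "None": 0}
# Action name as it appears in the NSM log record.
LOG_ACTION = {"Connection Drop": "Conn Dropped", "Drop Packet": "Drop Packet",
              "None": "ACCEPT"}

@dataclass
class Rule:
    number: int
    attack_group: frozenset   # attack names covered by the rule's signature group
    action: str
    terminate_match: bool = False

def evaluate(rules, attack):
    """Return (applied_action, logs).

    IDP applies the most severe action among all matched rules but emits one
    NSM log per matched rule. A matched rule with Terminate Match enabled
    stops evaluation, so later rules neither act nor log (assumed semantics).
    """
    logs, matched = [], []
    for rule in rules:
        if attack not in rule.attack_group:
            continue
        logs.append({"rule": rule.number, "attack": attack,
                     "action": LOG_ACTION[rule.action]})
        matched.append(rule.action)
        if rule.terminate_match:
            break
    if not matched:
        return "None", logs
    return max(matched, key=SEVERITY.__getitem__), logs

ATTACK = "TCP: Sockstress Denial of Service"   # attack named in the article
# Constructed policy: the attack is in the signature group of both rules.
CONFUSING = [Rule(1, frozenset({ATTACK, "HTTP: Other"}), "None"),
             Rule(2, frozenset({ATTACK}), "Connection Drop")]
# Re-ordered as the article recommends: severe rule first, Terminate Match on.
REORDERED = [Rule(1, frozenset({ATTACK}), "Connection Drop", terminate_match=True),
             Rule(2, frozenset({ATTACK, "HTTP: Other"}), "None")]

if __name__ == "__main__":
    for name, policy in (("original", CONFUSING), ("re-ordered", REORDERED)):
        action, logs = evaluate(policy, ATTACK)
        print(f"{name}: applied={action}, logged={[l['action'] for l in logs]}")
```

With the original ordering the session produces both an "ACCEPT" and a "Conn Dropped" log while the connection is dropped; after re-ordering only the "Conn Dropped" log remains, and an attack covered only by the "None" rule still produces its single "ACCEPT" log.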