
SRX Getting Started - Troubleshoot Intrusion Detection and Prevention (IDP)


Article ID: KB16109 | KB Last Updated: 07 Dec 2011 | Version: 5.0
Summary:

This article addresses troubleshooting Intrusion Detection and Prevention on SRX devices.

For configuration information, refer to KB16561.

Symptoms:

Troubleshoot IDP

Cause:

Solution:

This article contains the following sections for troubleshooting IDP on SRX devices:

  • Troubleshoot IDP Basics
  • Verify IDP and Check IDP Statistics
  • Tracing idpd

Troubleshoot IDP Basics

  1. If using one of the SRX branch devices, is the hardware the correct hardware to support IDP?
    For the SRX Branch products to use the IDP feature, they must have at least 1 GB of memory (also known as High-Mem). Refer to KB15413 to tell whether your model is a low- or high-memory model.

  2. Do you have the IDP license applied to your SRX?
    Use the command "show system license" and look for the feature 'idp-sig'. If running a chassis cluster, the IDP license must exist on both nodes.

    You must have the IDP license to download attack signatures from Juniper Networks. If you are only using custom signatures, you should not need an IDP license; however, a bug in Junos 9.5 and 9.6 requires you to have the license. You will get a warning on commit, so make sure that you have the license enabled, or contact JTAC to get a patched SRX version.

  3. Licenses can be loaded via JWeb, NSM, or using the CLI with the command: “request system license add <filename>”

  4. Have you downloaded the attack signatures successfully?
    If using the Juniper defined attack signatures, you must download them first from Juniper Networks with the “request security idp security-package download” command.  Issue the “request security idp security-package download status” to view the status of the download. You may also want to download the policy templates using the “request security idp security-package download policy-templates” command. 

  5. If you do not have Internet access to download the attack signatures, then you can simply transfer the “/var/db/idpd” folder from another SRX to your SRX. 

  6. Have you installed the attack signatures on the SRX device?
    You must install the attack signatures on the device after you have downloaded them or they will not be used for IDP inspection. To install the attack signatures use the “request security idp install” for attacks, “request security idp install policy-templates” for the templates; or check the install status with “request security idp install status”.

  7. Have you set an active policy for the SRX to detect attacks against?
    After you have downloaded and installed the attack signatures, you must create a policy or use an existing policy from the policy templates (you need to download the policy templates to use one as your active IDP policy). Only one policy can be active at a time; it is configured with the command “set security idp active-policy <policy-name>”.

  8. Have you checked the IDP status to make sure that it is up and running properly?
    Make sure that the IDP engine is running properly with the following commands: “show security idp status” and “show security idp security-package-version”. Refer to the 'Verify IDP and Check IDP Statistics' section below for more information.

  9. Have you enabled IDP processing for the firewall rule on which you wish to perform IDP processing?
    IDP processing is not enabled for a firewall rule unless it is explicitly configured. You can check whether IDP is enabled on a policy with the command “show security policies” and look for application services in the action, although you will still need to delve further into the configuration to determine whether IDP is enabled.

    root@SRX210# run show security policies from-zone vpn to-zone trust
    From zone: vpn, To zone: trust
    Policy: VPN-Policy, State: enabled, Index: 9, Sequence number: 1
    Source addresses: 172.31.0.0/16
    Destination addresses: 192.168.0.0/16
    Applications: any
    Action: permit, application services, log

  10. In your configuration, have you classified traffic in the exempt rulebase, or with a terminal match or ignore action, in the IDP policy?
    If IDP is not detecting the expected attacks, make sure that you have not configured these sessions to match the exempt rulebase, which will not log or match attacks, depending on the configuration.

    The ignore action ignores all other attacks matched within that flow: the connection is not dropped and is not inspected further.

    Did you enable terminal match in the IDP rulebase? When a rule is marked terminal, no further rules are evaluated once it matches.

  11. Have you checked the logs?
    Use the command "show log messages" to identify policy load issues and IDP attack log matches.

    If that does not help, capture the idpd trace and review it; see the 'Tracing idpd' section below.


Verify IDP and Check IDP Statistics

Below are additional commands, with sample output, to verify that IDP is working properly.
  • Check the status of IDP:   show security idp status
root@SRX210> show security idp status

## Here the SRX shows that the IDP engine is up and running:
Status of IDP: s0, Up since: 2009-08-11 16:34:11 UTC (2w2d 22:12 ago)
 

## Below, the SRX shows how many packets per second and how much throughput the IDP engine is currently processing, together with the peak values observed and when they occurred.
Packets/second: 56 Peak: 400 @ 2009-08-14 19:11:35 UTC
KBits/second : 10456 Peak: 111129 @ 2009-08-14 19:11:40 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
[ICMP: 0] [TCP: 15] [UDP: 0] [Other: 0]

## Below, the current breakdown of the IDP sessions on the platform based on protocol is shown:
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2009-08-11 16:34:11 UTC]
TCP: [Current: 15] [Max: 2 @ 2009-08-14 19:11:35 UTC]
UDP: [Current: 0] [Max: 0 @ 2009-08-11 16:34:11 UTC]
Other: [Current: 0] [Max: 0 @ 2009-08-11 16:34:11 UTC]
## Finally, the active policy and the active detector engine are shown:
Session Statistics:
[ICMP: 0] [TCP: 15] [UDP: 0] [Other: 0]
Policy Name : IDP-Policy v0
Running Detector Version : 9.2.160090324

  • Check to see which attack db version and detector engines are active:   show security idp security-package-version
root@SRX210> show security idp security-package-version
Attack database version:N/A(N/A)
Detector version :9.2.160090324
Policy template version :N/A

## In the above output, the detector engine is active, as depicted by the version number instead of N/A, but the SRX does not have the attack database installed. The lack of policy templates (with the N/A) is not necessarily an issue in and of itself unless you are trying to use policy templates; this output could also mean that you haven’t installed the security package.

  • Check if attack detection is working:   show security idp attack table
## Displays attack table (attack hits are aggregated across all SPUs)
user@host> show security idp attack table
IDP attack statistics:
Attack name                    #Hits
TROJAN:SUBSEVEN:SCAN            1303
APP:CA:ARCSRV:DISCOVERY-OF      1301
SCADA:DNP3:NON-DNP3             1301
TCP:C2S:AMBIG:C2S-SYN-DATA      1300
SCADA:MODBUS:NON-MODBUS         1299
OS:LINUXX86:NTPDX-OF             975
NETBIOS:WINS:REPLICATION-PTR     944
RPC:RPC.STATD:STATD-FMT-STR2     154
DOS:NETDEV:CISCO-PIM              16
DOS:NETDEV:CISCO-SUNND            16
SCADA:MODBUS:SLAVE-ID              7
SCADA:MODBUS:READ-ID               6

  • Check IDP data plane memory statistics:  show security idp memory
root@SRX210> show security idp memory
## Here the output shows that there is plenty of IDP memory available for processing
Total IDP data plane memory : 188 MB
Used : 7 MB ( 7168 KB )
Available : 181 MB ( 185344 KB )

If you are experiencing performance issues, check the memory utilization with the above command. The SRX pre-allocates a certain amount of memory for IDP, and if that memory is highly utilized it can cause performance issues.

  • Additional helpful IDP show commands:
    show security idp application-identification application-system-cache
    show security idp application-statistics
    show security idp counters ?
    show security idp counters flow
    show security idp counters ips
    show security idp ssl-inspection session-id-cache
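The checks in this section can be automated against captured CLI output. The following is an added example (not Juniper code): it parses the 'show security idp status', 'show security idp security-package-version' and 'show security idp memory' text and reports the same health points the article walks through; the sample outputs are constructed from the article's examples and the 80% memory warning threshold is an assumption.

```python
"""Health checks over captured 'show security idp ...' output (added example,
not Juniper code); runs offline on pasted CLI text."""
import re

# Constructed sample outputs modelled on the article's examples.
STATUS_OUT = """Status of IDP: s0, Up since: 2009-08-11 16:34:11 UTC (2w2d 22:12 ago)
Packets/second: 56 Peak: 400 @ 2009-08-14 19:11:35 UTC
Policy Name : IDP-Policy v0
Running Detector Version : 9.2.160090324
"""
PKG_OUT = """Attack database version:N/A(N/A)
Detector version :9.2.160090324
Policy template version :N/A
"""
MEM_OUT = """Total IDP data plane memory : 188 MB
Used : 7 MB ( 7168 KB )
Available : 181 MB ( 185344 KB )
"""

def _field(text, label):
    """Return the value after 'label:' / 'label :' in CLI text, or None if absent."""
    m = re.search(r"^%s\s*:\s*(.+?)\s*$" % re.escape(label), text, re.M)
    return m.group(1) if m else None

def idp_health(status_out, pkg_out, mem_out, mem_warn_pct=80):
    """Map each check from the article to (ok, detail); mem_warn_pct is an assumed threshold."""
    checks = {}
    up = re.search(r"Status of IDP: \S+, Up since: (.+?) \(", status_out)
    checks["engine_up"] = (up is not None, up.group(1) if up else "no status line")
    attack_db = _field(pkg_out, "Attack database version")
    # N/A(N/A) means the attack database has not been installed (see the article's note).
    checks["attack_db_installed"] = (bool(attack_db) and not attack_db.startswith("N/A"), attack_db)
    detector = _field(pkg_out, "Detector version")
    checks["detector_installed"] = (bool(detector) and detector != "N/A", detector)
    policy = _field(status_out, "Policy Name")
    checks["active_policy"] = (bool(policy) and policy != "N/A", policy)
    total = int(_field(mem_out, "Total IDP data plane memory").split()[0])
    used = int(_field(mem_out, "Used").split()[0])
    pct = 100 * used // total
    checks["memory_headroom"] = (pct < mem_warn_pct, "%d%% of %d MB used" % (pct, total))
    return checks

if __name__ == "__main__":
    for name, (ok, detail) in idp_health(STATUS_OUT, PKG_OUT, MEM_OUT).items():
        print("%-22s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
```

With the sample text the attack-database check fails, which is exactly the condition the article describes for the N/A output.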

Tracing idpd

The idpd process can be traced to gain insight into idpd if there is a problem with it, if a commit fails, or to observe the status of large policy compilations. The following items are captured in the idpd trace:
  • Policy parsing, compilation, packing
  • Application Signature parsing, compilation and packing
  • Policy memory estimate
  • Sensor configuration
  • Policy load operation status


The information in the idpd trace is primarily about downloads and updates to the IDP engine, as well as commit processing. To enable the trace, configure:

set security idp traceoptions flag all
set security idp traceoptions file <filename>

Below is the output of enabling the trace and performing an update/commit:

root@SRX210> show log idpd

Aug 14 19:07:05 idpd_config_read: called: check: 0
Aug 14 19:07:05 idpd commit in progres ...

## IDP update called from Attack Object update
Aug 14 19:07:05 Entering enable processing.
Aug 14 19:07:05 Enable value (default)
Aug 14 19:07:05 IDP processing default.
Aug 14 19:07:05 idp config knob set to (2)
Aug 14 19:07:05 Compiling policy IDP-Policy....
Aug 14 19:07:05 Apply policy configuration, policy ops bitmask = 41
Aug 14 19:07:06 Starting policy(IDP-Policy) compile...
Aug 14 19:07:10 policy compilation memory estimate: 9768
Aug 14 19:07:21 ...Passed
## A check to make sure that there is enough memory to perform this IDP policy compilation is performed, and the output shows that enough memory is available.
Aug 14 19:07:21 Starting policy package...
Aug 14 19:07:26 ...Policy Packaging Passed
Aug 14 19:07:26 idpd_policy_apply_config idpd_policy_set_config()
Aug 14 19:07:26 Reading sensor config...
Aug 14 19:07:26 sensor/idp node does not exist, apply defaults
Aug 14 19:07:26 sensor conf saved
Aug 14 19:07:26 idpd_dev_add_ipc_connection called...
Aug 14 19:07:26 idpd_dev_add_ipc_connection: done.
Aug 14 19:07:26 idpd_policy_apply_config: IDP state (2) being set
Aug 14 19:07:26 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:26 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:26 Apply policy configuration, policy ops bitmask = 4
Aug 14 19:07:26 Starting policy load...
## The policy load begins in this step: the current IDP policy (IDP-Policy) is unpacked and the policy is updated.
Aug 14 19:07:26 Loading policy(/var/db/idpd/bins/IDP-Policy.bin.gz.v + /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v + /var/db/idpd/bins/compressed_ai.bin)...
Aug 14 19:07:26 idpd_dev_add_ipc_connection called...
Aug 14 19:07:26 idpd_dev_add_ipc_connection: done.
Aug 14 19:07:31 idpd_policy_load: creating temp tar directory '/var/db/idpd//bins/2f238f1'
Aug 14 19:07:31 sc_policy_unpack_tgz: running addver cmd '/usr/bin/addver -r /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v /var/db/idpd//bins/2f238f1/__temp.tgz'
## Unpack and update new detector engine
Aug 14 19:07:32 sc_policy_unpack_tgz: running tar cmd '/usr/bin/tar -C /var/db/idpd//bins/2f238f1 -xzf /var/db/idpd//bins/2f238f1/__temp.tgz'
Aug 14 19:07:36 idpd_policy_load: running cp cmd 'cp /var/db/idpd//bins/2f238f1/detector4.so /var/db/idpd//bins/detector.so'
Aug 14 19:07:38 idpd_policy_load: running chmod cmd 'chmod 755 /var/db/idpd//bins/detector.so'
Aug 14 19:07:38 idpd_policy_load: running rm cmd 'rm -fr /var/db/idpd//bins/2f238f1'
Aug 14 19:07:40 idpd_policy_load: detector version: 9.2.160090324
## Begin to load the new IDP policy with the new detector engine
Aug 14 19:07:40 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:40 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:40 idp_policy_loader_command: sc_klibs_subs_policy_pre_compile() returned 0 (EOK)

Aug 14 19:07:40 idpd_policy_load: IDP_LOADER_POLICY_PRE_COMPILE returned EAGAIN, retrying... after (5) secs
Aug 14 19:07:45 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:45 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:45 idp_policy_loader_command: sc_klibs_subs_policy_pre_compile() returned 0 (EOK)

Aug 14 19:07:45 idpd_policy_load: idp policy parser pre compile succeeded, after (1) retries
Aug 14 19:07:45 idpd_policy_load: policy parser compile subs s0 name /var/db/idpd/bins/IDP-Policy.bin.gz.v.1 buf 0x0 size 0zones 0xb14542 z_size 102 detector /var/db/idpd//bins/detector.so ai_buf 0x0 ai_size 0 ai /var/db/idpd/bins/compressed_ai.bin
## The policy is compiled successfully; if there were an error compiling the policy, an event would be shown here.
Aug 14 19:07:45 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:45 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:47 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:47 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:47 idpd_policy_load: idp policy parser compile succeeded
Aug 14 19:07:47 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:47 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:47 idpd_policy_load: idp policy pre-install succeeded
Aug 14 19:07:47 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:47 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:48 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:48 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:48 idpd_policy_load: idp policy install succeeded
Aug 14 19:07:48 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:48 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:48 idpd_policy_load: idp policy post-install succeeded
Aug 14 19:07:49 IDP policy[/var/db/idpd/bins/IDP-Policy.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
## IDP Policy install completed and loaded new detector engine
Aug 14 19:07:50 Applying sensor configuration
Aug 14 19:07:50 idpd_dev_add_ipc_connection called...
Aug 14 19:07:50 idpd_dev_add_ipc_connection: done.
## Link in IDP connection
Aug 14 19:07:50 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:50 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:50 idpd_comm_server_get_event:522: evGetNext got event.
Aug 14 19:07:50 idpd_comm_server_get_event:530: evDispatch OK
Aug 14 19:07:50
...idpd commit end
## IDP update/compilation/installation complete
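As an added example (not Juniper code), the following parser summarises a captured 'show log idpd' trace like the one above: how long the compile, package and load phases took, how many loader retries occurred, the compilation memory estimate, and whether the commit completed. The trace excerpt is constructed from the article's lines, and the year (2009) is assumed because the timestamps omit it.

```python
"""Summarise one commit in an idpd trace (added example, not Juniper code)."""
import re
from datetime import datetime

# Constructed excerpt modelled on the article's 'show log idpd' output.
TRACE = """Aug 14 19:07:05 idpd commit in progres ...
Aug 14 19:07:06 Starting policy(IDP-Policy) compile...
Aug 14 19:07:10 policy compilation memory estimate: 9768
Aug 14 19:07:21 ...Passed
Aug 14 19:07:21 Starting policy package...
Aug 14 19:07:26 ...Policy Packaging Passed
Aug 14 19:07:26 Starting policy load...
Aug 14 19:07:40 idpd_policy_load: IDP_LOADER_POLICY_PRE_COMPILE returned EAGAIN, retrying... after (5) secs
Aug 14 19:07:45 idpd_policy_load: idp policy parser pre compile succeeded, after (1) retries
Aug 14 19:07:49 IDP policy[/var/db/idpd/bins/IDP-Policy.bin.gz.v] and detector[...] loaded successfully.
Aug 14 19:07:50 ...idpd commit end
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (.*)$")
# Messages that mark phase boundaries, taken from the article's trace.
PHASES = [("compile", "Starting policy("), ("package", "Starting policy package"),
          ("load", "Starting policy load"), ("done", "idpd commit end")]

def summarize_idpd_trace(text, year=2009):
    """Return phase durations (seconds), retry count, memory estimate and completion flag."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # syslog-style timestamps carry no year, so one is assumed
            ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    marks = {}
    for ts, msg in events:
        for name, marker in PHASES:
            if marker in msg and name not in marks:
                marks[name] = ts
    names = [n for n, _ in PHASES if n in marks]
    phases = {a: int((marks[b] - marks[a]).total_seconds()) for a, b in zip(names, names[1:])}
    est = re.search(r"memory estimate: (\d+)", text)
    return {
        "phases": phases,
        "retries": sum("EAGAIN, retrying" in msg for _, msg in events),
        "mem_estimate": int(est.group(1)) if est else None,
        "completed": any("loaded successfully" in msg for _, msg in events) and "done" in marks,
    }

if __name__ == "__main__":
    print(summarize_idpd_trace(TRACE))
```

A trace that stops before "idpd commit end" or never reports "loaded successfully" yields completed=False, which is the case worth opening with JTAC.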