This article describes how to capture packets before and after an attack.
NOTE: This feature is available on SRX-HE platforms (SRX-5400, SRX-5600, SRX-5400, SRX-3600, SRX-3400, SRX-1400) as of Junos OS release 10.2. This feature is on SRX-branch platforms (SRX100 - SRX650) as of Junos OS release 12.1X46.
I want to know how to capture packets for analysis before and after an attack.
Viewing packets that precede and follow an attack is helpful in determining the purpose and extent of an attempted attack, whether an attack was successful, and if any network damage was caused by an attack. Packet analysis also aids in defining attack signatures to minimize false positives. If packet capture is enabled when an attack is logged, a specified number of packets before and after the attack can be captured for the session. When all packets have been collected, they are transmitted in Device Management Interface (DMI) to a host device for offline analysis.
A notification option in the IDP policy rule enables packet capture when a rule match occurs. The option further defines the number of packets to be captured and the duration of packet capture for the associated session. An IDP sensor configuration defines the device specifications for the packet capture. Options for this command determine the memory to be allocated for packet capture, and the source and host devices between which the packet capture object will be transmitted.
To configure the security packet capture:

- Navigate to the notification level for rule 1, policy pol0 in the configuration hierarchy.

    [edit]
    user@host# edit security idp idp-policy pol0 rulebase-ips rule 1 then notification

- Define the size and timing constraints for each packet capture.

    [edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]
    user@host# set packet-log pre-attack 10 post-attack 3 post-attack-timeout 60

- Enable security idp sensor-configuration.

    [edit]
    user@host# edit security idp sensor-configuration

- Allocate the device resources to be used for packet capture.

    [edit security idp sensor-configuration]
    user@host# set packet-log total-memory 5 max-sessions 15
Confirm your configuration by entering the show security idp command. Note that the sample output below also shows a source-address and a host (with port) under sensor-configuration packet-log; these are the source and host devices between which the packet capture object is transmitted, as described above, and they are configured under the same packet-log hierarchy as total-memory and max-sessions.

    [edit]
    user@host# show security idp
    idp-policy pol0 {
        rulebase-ips {
            rule 1 {
                then {
                    notification {
                        packet-log {
                            pre-attack 10;
                            post-attack 3;
                            post-attack-timeout 60;
                        }
                    }
                }
            }
        }
    }
    sensor-configuration {
        packet-log {
            total-memory 5;
            max-sessions 15;
            source-address 10.56.97.3;
            host {
                10.24.45.7;
                port 5;
            }
        }
    }
If you have finished configuring the device, enter the commit command from configuration mode.
Verify Security Packet Capture
From operational mode, enter the show security idp counters packet-log command. This command was introduced in Release 10.2 of Junos OS.
user@host> show security idp counters packet-log
IDP counters: Value
Total packets captured since packet capture was activated 0
Total sessions enabled since packet capture was activated 0
Sessions currently enabled for packet capture 0
Packets currently captured for enabled sessions 0
Packet clone failures 0
Session log object failures 0
Session packet log object failures 0
Sessions skipped because session limit exceeded 0
Packets skipped because total memory limit exceeded 0
The following table lists the output fields for the show security idp counters packet-log command.

Field Name: Description
- Total packets captured since packet capture was activated
- Total sessions enabled since packet capture was activated
- Sessions currently enabled for packet capture
- Packets currently captured for enabled sessions: Number of packets that have been captured by active sessions
- Packet clone failures: Number of packet capture failures due to a cloning error
- Session log object failures: Number of objects containing log messages generated during packet capture that were not successfully transmitted to the host
- Session packet log object failures: Number of objects containing captured packets that were not successfully transmitted to the host
- Sessions skipped because session limit exceeded: Number of sessions that could not initiate packet capture because the maximum number of sessions specified for the device were already conducting captures at that time
- Packets skipped because packet limit exceeded
- Packets skipped because total memory limit exceeded
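The counters above are cumulative since packet capture was activated, and the failure and "skipped" fields are the ones that tell you evidence was lost (a capture that never started, or one that never reached the host). The following Python script is an added example, not part of the article or of Junos OS: it parses the text of show security idp counters packet-log as a monitoring job would receive it, diffs two snapshots, and reports any loss counters that have moved plus pressure against the configured max-sessions value (15 in the article). The sample output embedded in it is constructed, with made-up non-zero values to exercise the checks; the function and variable names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the `show security idp counters packet-log`
# listing in the article. The non-zero values are made up for the example.
SAMPLE_OUTPUT = """\
IDP counters: Value
Total packets captured since packet capture was activated 1432
Total sessions enabled since packet capture was activated 120
Sessions currently enabled for packet capture 14
Packets currently captured for enabled sessions 37
Packet clone failures 0
Session log object failures 2
Session packet log object failures 0
Sessions skipped because session limit exceeded 5
Packets skipped because total memory limit exceeded 0
"""

# Each counter line is a free-text name followed by a single integer value.
COUNTER_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")

# Counters whose growth means captures were dropped or not delivered to the
# host, per the field descriptions in the article.
LOSS_COUNTERS = (
    "Packet clone failures",
    "Session log object failures",
    "Session packet log object failures",
    "Sessions skipped because session limit exceeded",
    "Packets skipped because total memory limit exceeded",
)

ACTIVE_SESSIONS = "Sessions currently enabled for packet capture"


def parse_packet_log_counters(text: str) -> Dict[str, int]:
    """Turn the CLI output into {counter name: value}, skipping the header."""
    counters: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("IDP counters"):
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def counter_delta(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Growth of each cumulative counter between two snapshots."""
    return {name: current.get(name, 0) - previous.get(name, 0) for name in current}


def capture_health(counters: Dict[str, int], max_sessions: int,
                   warn_ratio: float = 0.8) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report.

    `counters` may be a raw snapshot (checks since activation) or the result
    of counter_delta() (checks since the previous poll).
    """
    findings: List[str] = []
    for name in LOSS_COUNTERS:
        value = counters.get(name, 0)
        if value > 0:
            findings.append(f"{name}: {value}")
    # Active sessions are a gauge, not a cumulative counter, so compare the
    # snapshot value against the configured max-sessions limit.
    active = counters.get(ACTIVE_SESSIONS, 0)
    if max_sessions > 0 and active >= warn_ratio * max_sessions:
        findings.append(
            f"active capture sessions {active} of max-sessions {max_sessions}"
            f" (at or above {warn_ratio:.0%}); further attacks may be skipped"
        )
    return findings


if __name__ == "__main__":
    snapshot = parse_packet_log_counters(SAMPLE_OUTPUT)
    for finding in capture_health(snapshot, max_sessions=15):
        print("WARN", finding)
```

In a polling loop you would keep the previous snapshot, feed counter_delta(previous, current) to capture_health so that only new losses alert, and raise max-sessions or total-memory (or send fewer sessions to the packet-log action) when the skipped counters keep growing.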
2020/07/27: Article reviewed for accuracy; no changes required; article valid and relevant