This article describes how to capture packets before and after an attack.

NOTE: This feature is available on SRX-HE platforms (SRX-5400, SRX-5600, SRX-5400, SRX-3600, SRX-3400, SRX-1400) as of Junos OS release 10.2. This feature is on SRX-branch platforms (SRX100 - SRX650) as of Junos OS release 12.1X46.

 

I want to know how to capture packets for analysis before and after an attack.

 

Viewing packets that precede and follow an attack is helpful in determining the purpose and extent of an attempted attack, whether an attack was successful, and if any network damage was caused by an attack. Packet analysis also aids in defining attack signatures to minimize false positives. If packet capture is enabled when an attack is logged, a specified number of packets before and after the attack can be captured for the session. When all packets have been collected, they are transmitted in Device Management Interface (DMI) to a host device for offline analysis.

A notification option in the IDP policy rule enables packet capture when a rule match occurs. The option further defines the number of packets to be captured and the duration of packet capture for the associated session. An IDP sensor configuration defines the device specifications for the packet capture. Options for this command determine the memory to be allocated for packet capture, and the source and host devices between which the packet capture object will be transmitted.

To configure the security packet capture:

1. Navigate to the notification level for rule 1, policy pol0 in the configuration hierarchy.

[edit]
user@host# edit security idp idp-policy pol0 rulebase-ips rule 1 then notification

2. Define the size and timing constraints for each packet capture.

[edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]
user@host# set packet-log pre-attack 10 post-attack 3 post-attack-timeout 60

3. Enable security idp sensor-configuration.

[edit]
user@host# edit security idp sensor-configuration

4. Allocate the device resources to be used for packet capture.

[edit security idp sensor-configuration]
user@host# set packet-log total-memory 5 max-sessions 15

Confirm your configuration by entering the show security idp command

[edit]
user@host# show security idp
idp-policy pol0 {
    rulebase-ips {
        rule 1 {
            then {
                notification {
                    packet-log {
                        pre-attack 10;
                        post-attack 3;
                        post-attack-timeout 60;
                     }
                }
            }
        }
    }
}
sensor-configuration {
    packet-log {
        total-memory 5;
        max-sessions 15;
        source-address 10.56.97.3;
        host {
            10.24.45.7;
            port 5;
        }
    }
}

If you have finished configuring the device, enter the commit command from configuration mode.

Verify Security Packet Capture

From operational mode, enter the show security idp counters packet-log command. This command was introduced in Release 10.2 of Junos OS.

user@host> show security idp counters packet-log
IDP counters:                                                         Value
Total packets captured since packet capture was activated               0
Total sessions enabled since packet capture was activated               0
Sessions currently enabled for packet capture                           0
Packets currently captured for enabled sessions                         0
Packet clone failures                                                   0
Session log object failures                                             0
Session packet log object failures                                      0
Sessions skipped because session limit exceeded                         0
Packets skipped because total memory limit exceeded                     0

The following table lists the output fields for the show security idp counters packet-log command.

Field Name and Description:

Total packets captured since packet capture was activated:

• Number of packets captured by the device by the IDP service

Total sessions enabled since packet capture was activated:

• Number of sessions that have performed packet capture since the capture facility was activated

Sessions currently enabled for packet capture:

• Number of sessions that are actively capturing packets at this time

Packets currently captured for enabled sessions:

• Number of packets that have been captured by active sessions

Packet clone failures:

• Number of packet capture failures due to cloning error

Session log object failures:

• Number of objects containing log messages generated during packet capture that were not successfully transmitted to the host

Session packet log object failures:

• Number of objects containing captured packets that were not successfully transmitted to the host

Sessions skipped because session limit exceeded:

• Number of sessions that could not initiate packet capture because the maximum number of sessions specified for the device were conducting captures at that time

Packets skipped because packet limit exceeded:

• Number of packets not captured because the packet limit specified for this device was reached

Packets skipped because total memory limit exceeded:

• Number of packets not captured because the memory allocated for packet capture on this device was exceeded

 

2020/07/27: Article reviewed for accuracy; no changes required; article valid and relevant