
[SRX-IDP] How to configure security packet capture on SRX


Article ID: KB26794 KB Last Updated: 05 Mar 2017Version: 5.0
Summary:

This article describes how to capture packets before and after an attack.

Symptoms:

How to capture packets for analysis before and after an attack.

NOTE: This feature is available on SRX-HE platforms (SRX-5400, SRX-5600, SRX-5400, SRX-3600, SRX-3400, SRX-1400) as of 10.2. This feature is available on SRX-branch platforms (SRX100 - SRX650) as of 12.1X46.

Cause:

Solution:

Viewing packets that precede and follow an attack is helpful in determining the purpose and extent of an attempted attack, whether an attack was successful, and whether any network damage was caused by an attack. Packet analysis also aids in defining attack signatures to minimize false positives. If packet capture is enabled when an attack is logged, a specified number of packets before and after the attack can be captured for the session. When all packets have been collected, they are transmitted over the Device Management Interface (DMI) to a host device for offline analysis.

A notification option in the IDP policy rule enables packet capture when a rule match occurs. The option further defines the number of packets to be captured and the duration of packet capture for the associated session. An IDP sensor configuration defines the device specifications for the packet capture. Options for this command determine the memory to be allocated for packet capture, and the source and host devices between which the packet capture object will be transmitted.

To configure the security packet capture:

  1. Navigate to the notification level for rule 1, policy pol0 in the configuration hierarchy.

     [edit]
     user@host# edit security idp idp-policy pol0 rulebase-ips rule 1 then notification

  2. Define the size and timing constraints for each packet capture.

     [edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]
     user@host# set packet-log pre-attack 10 post-attack 3 post-attack-timeout 60

  3. Navigate to the security idp sensor-configuration level in the configuration hierarchy.

     [edit]
     user@host# edit security idp sensor-configuration

  4. Allocate the device resources to be used for packet capture.

     [edit security idp sensor-configuration]
     user@host# set packet-log total-memory 5 max-sessions 15

Confirm your configuration by entering the show security idp command.

 [edit]
 user@host# show security idp
 idp-policy pol0 {
     rulebase-ips {
         rule 1 {
             then {
                 notification {
                     packet-log {
                         pre-attack 10;
                         post-attack 3;
                         post-attack-timeout 60;
                     }
                 }
             }
         }
     }
 }
 sensor-configuration {
     packet-log {
         total-memory 5;
         max-sessions 15;
         source-address 10.56.97.3;
         host {
             10.24.45.7;
             port 5;
         }
     }
 }

If you are done configuring the device, enter the commit command from configuration mode.

Verify Security Packet Capture

From operational mode, enter the show security idp counters packet-log command. This command was introduced in Release 10.2 of Junos OS.

user@host> show security idp counters packet-log
IDP counters:                                                         Value
Total packets captured since packet capture was activated               0
Total sessions enabled since packet capture was activated               0
Sessions currently enabled for packet capture                           0
Packets currently captured for enabled sessions                         0
Packet clone failures                                                   0
Session log object failures                                             0
Session packet log object failures                                      0
Sessions skipped because session limit exceeded                         0
Packets skipped because total memory limit exceeded                     0

The following table lists the output fields for the show security idp counters packet-log command.


Field Name and Description:

Total packets captured since packet capture was activated:
Number of packets captured on the device by the IDP service.

Total sessions enabled since packet capture was activated:
Number of sessions that have performed packet capture since the capture facility was activated.

Sessions currently enabled for packet capture:
Number of sessions that are actively capturing packets at this time.

Packets currently captured for enabled sessions:
Number of packets that have been captured by active sessions.

Packet clone failures:
Number of packet capture failures due to cloning error.

Session log object failures:
Number of objects containing log messages generated during packet capture that were not successfully transmitted to the host.

Session packet log object failures:
Number of objects containing captured packets that were not successfully transmitted to the host.

Sessions skipped because session limit exceeded:
Number of sessions that could not initiate packet capture because the maximum number of sessions configured for the device were already capturing at that time.

Packets skipped because packet limit exceeded:
Number of packets not captured because the packet limit specified for this device was reached.

Packets skipped because total memory limit exceeded:
Number of packets not captured because the memory allocated for packet capture on this device was exceeded.
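The skipped and failure counters above are the ones that tell you whether the packet-log facility is sized correctly and whether captures are actually reaching the host. As an added example (not part of this article or of Junos), the following Python parses the output of show security idp counters packet-log and reports any counter that indicates dropped captures; the sample output is constructed, and the hints mirror the field descriptions and the sensor-configuration knobs shown above.

```python
import re

# Constructed sample output in the format of "show security idp counters packet-log".
# Values are made up to exercise the checks; they are not from a real device.
SAMPLE_OUTPUT = """\
IDP counters:                                                         Value
Total packets captured since packet capture was activated            4820
Total sessions enabled since packet capture was activated             371
Sessions currently enabled for packet capture                          15
Packets currently captured for enabled sessions                       146
Packet clone failures                                                   0
Session log object failures                                             2
Session packet log object failures                                      2
Sessions skipped because session limit exceeded                        57
Packets skipped because total memory limit exceeded                     0
"""

# Counters that stay at zero on a healthy, correctly sized capture facility,
# each mapped to the setting or condition the field description points at.
PROBLEM_COUNTERS = {
    "Sessions skipped because session limit exceeded":
        "raise 'set security idp sensor-configuration packet-log max-sessions'",
    "Packets skipped because total memory limit exceeded":
        "raise 'set security idp sensor-configuration packet-log total-memory'",
    "Packets skipped because packet limit exceeded":
        "device packet limit reached; review per-session capture sizes",
    "Session log object failures":
        "log objects not delivered; check the packet-log host/port and source-address",
    "Session packet log object failures":
        "captured packets not delivered; check the packet-log host/port and source-address",
    "Packet clone failures":
        "packets could not be cloned for capture; check device resources",
}


def parse_counters(text):
    """Return {counter name: value} from the command output, skipping the header line."""
    counters = {}
    for line in text.splitlines():
        # Name, at least two spaces of padding, then an integer value at end of line.
        match = re.match(r"^(\S.*?)\s{2,}(\d+)\s*$", line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def find_problems(counters):
    """Return (name, value, hint) for every problem counter that is non-zero."""
    return [(name, counters[name], hint)
            for name, hint in PROBLEM_COUNTERS.items() if counters.get(name, 0) > 0]


def at_session_capacity(counters, max_sessions):
    """True when every configured capture slot (max-sessions) is currently in use."""
    return counters.get("Sessions currently enabled for packet capture", 0) >= max_sessions
```

With the sample above, the session-limit and both object-failure counters are flagged, and with max-sessions 15 from the configuration the facility is also at capacity, so the skipped sessions are expected rather than a transient.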
