[SRX] How to get detailed information on an IDP Attack Signature

  [KB29429]


Summary:

This article describes how an IDP administrator can get more details related to an attack on an IDP-enabled device, including how to pull extended information from the attack signatures on all IDP enabled devices (Stand Alone IDP, ISG-IDP, and Junos-IDP).

Symptoms:

How do you get detailed information about an attack on an IDP enabled device?

Solution:

After learning about an attack on an IDP-enabled device via the NSM log or the CLI of the IDP device, an IDP administrator can get more details on the attack from three sources: the NSM, the Junos CLI, and the Juniper Signatures Page.

The procedure for each source is described below, using the HTTP:AUDIT:URL informational signature as the example throughout.

NSM

Although the SRX can be used with the NSM, the NSM is usually used with Stand Alone IDP (SA-IDP), and the ISG series is usually used with IDP Security Modules (ISG-IDP).

In the NSM logs, attack information is displayed in long-form: HTTP: URL Access Information.

On the CLI of an IDP-enabled device, attack information is displayed in short-form: HTTP:AUDIT:URL.

Procedure

  1. To get more information on an attack from the NSM, click the Configure bar, then expand the Object Manager tree.

  2. After the object tree is open, expand the Attack Objects tree, then select IDP Objects.

    • All of the objects in the current version of the attack DB on the NSM are pulled up. Note that this can take a while to load.

    • After all the objects are loaded, note that the attacks are listed, by default, in their long names.

    • To see the short names, click View then Show Attack Short Names. (Again, this example is based on the long name of HTTP: URL Access Information.)

  3. Find the object and double-click it. To search the list, highlight the first attack in it and press the "\" key; options for finding the object appear.

    • For this example, press "c" to search for a pattern anywhere in the name, then enter URL Access Information and press Enter.

    • General information about the attack object is brought up, as well as a tab for extended information.

    • The information displayed includes an extended description, type, severity, attack pattern, context, and more.

Junos CLI

On non-Junos devices, the attack table can be viewed, but it will not include a description of the attack object.

Junos devices running IDP, however, can show the extended information if either of the following commands is executed from the Junos CLI:

  • show security idp attack description
  • show security idp attack detail

show security idp attack description

This command shows the description of the attack:

root@SRX-3400-151.112> show security idp attack description HTTP:AUDIT:URL
Description: This protocol anomaly triggers when it detects an HTTP URL access.

show security idp attack detail

This command shows the details of the attack:

root@SRX-3400-151.112> show security idp attack detail HTTP:AUDIT:URL
Display Name: HTTP: URL Access Information
Severity: Info
Category: HTTP
Recommended: false
Recommended Action: None
Type: anomaly
Direction: CTS
False Positives: unknown
Service: HTTP
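The two commands above return plain "Key: value" text that an operator normally reads by eye. The following Python is an added example, not part of this KB article or of any Juniper tool: it parses that output into fields and uses the Severity and Recommended values to decide which attack names seen in a log deserve follow-up. The HTTP:AUDIT:URL text is copied from the article's own CLI output; the second signature (EXAMPLE:CONSTRUCTED:SIG), its fields, and the helper names are constructed for this example, and the severity ordering used (Info < Warning < Minor < Major < Critical) is an assumption of the example. In practice the text would be captured from the Junos CLI rather than embedded as strings.

```python
import re

# Sample command output. The HTTP:AUDIT:URL text is copied from the article's
# Junos CLI example; the second attack and all of its fields are constructed
# for this example and do not correspond to a real signature.
SAMPLE_DETAIL = {
    "HTTP:AUDIT:URL": """\
Display Name: HTTP: URL Access Information
Severity: Info
Category: HTTP
Recommended: false
Recommended Action: None
Type: anomaly
Direction: CTS
False Positives: unknown
Service: HTTP
""",
    "EXAMPLE:CONSTRUCTED:SIG": """\
Display Name: Example Constructed Signature
Severity: Critical
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: rarely
Service: HTTP
""",
}

SAMPLE_DESCRIPTION = {
    "HTTP:AUDIT:URL": "Description: This protocol anomaly triggers when it detects an HTTP URL access.\n",
    "EXAMPLE:CONSTRUCTED:SIG": "Description: Constructed placeholder description.\n",
}

# Non-greedy key so "Display Name: HTTP: URL ..." splits at the first colon
# that ends a word-only key, leaving "HTTP: URL ..." intact as the value.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Assumed severity ordering for prioritisation (lowest to highest).
SEVERITY_RANK = {"info": 0, "warning": 1, "minor": 2, "major": 3, "critical": 4}


def parse_key_values(text):
    """Turn 'Key: value' lines into a dict with snake_case keys."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            key = m.group(1).strip().lower().replace(" ", "_")
            fields[key] = m.group(2).strip()
    return fields


def attack_profile(short_name, detail_text, description_text):
    """Merge 'attack detail' and 'attack description' output for one attack."""
    profile = parse_key_values(detail_text)
    profile.update(parse_key_values(description_text))
    profile["short_name"] = short_name
    profile["recommended"] = profile.get("recommended", "false").lower() == "true"
    profile["severity_rank"] = SEVERITY_RANK.get(profile.get("severity", "").lower(), -1)
    return profile


def triage(observed, detail_by_name, description_by_name, min_severity="major"):
    """Return (names to escalate, names with no detail output).

    An attack is escalated when Juniper marks it Recommended or its severity
    meets the floor. Names absent from the detail table are reported rather
    than dropped, so an unknown signature is never silently ignored.
    """
    floor = SEVERITY_RANK[min_severity]
    escalate, unknown = [], []
    for name in observed:
        if name not in detail_by_name:
            unknown.append(name)
            continue
        p = attack_profile(name, detail_by_name[name], description_by_name.get(name, ""))
        if p["recommended"] or p["severity_rank"] >= floor:
            escalate.append(p)
    escalate.sort(key=lambda p: p["severity_rank"], reverse=True)
    return [p["short_name"] for p in escalate], unknown


if __name__ == "__main__":
    # Constructed list of short names as they would appear in IDP logs.
    seen = ["HTTP:AUDIT:URL", "EXAMPLE:CONSTRUCTED:SIG", "NOT:IN:DB"]
    to_escalate, missing = triage(seen, SAMPLE_DETAIL, SAMPLE_DESCRIPTION)
    for name in to_escalate:
        p = attack_profile(name, SAMPLE_DETAIL[name], SAMPLE_DESCRIPTION[name])
        print(f"{name}: {p['display_name']} [{p['severity']}] - {p['description']}")
    print("no detail available:", missing)
```

With the article's example, HTTP:AUDIT:URL parses as Severity Info and Recommended false, so it is not escalated at the default Major floor; the constructed Critical signature is. The unknown-name list is the useful by-product: a short name that the device cannot describe usually means the attack database on the device is older than the one that produced the log, which is the same gap the Juniper Signatures Page is used to close.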

Juniper Signatures Page

The best way to search this page for signature information:

  1. Go to this site: Signatures - Security Intelligence Center - Juniper Networks.

  2. Open the Find bar (press Ctrl+F).

  3. Search for the short version of the attack name example (HTTP:AUDIT:URL).

    • When found, the hit is highlighted.

  4. Click the highlighted item.

    • The Signature Detail window opens.

    • Like the NSM and the Junos CLI, this source reveals extended information about the attack, as well as its release date, the signature database update number in which it was first included, and more.

Modification History:
2019-10-05: Article reviewed for accuracy; no changes required.
2017-03-24: Fixed incorrect hyperlink in the solution section.