
[SRX] Commit error fails to display on SRX when IDP policy is configured with non-existent signature


Article ID: KB31478   KB Last Updated: 26 Jun 2020   Version: 2.0
Summary:

When an IDP policy is configured with a non-existent predefined attack signature, the commit should fail with an error. In the scenario described here it does not. This article explains why the IDP detector does not check the signature against the signature database in this case, and how to make the commit error appear.

Symptoms:

The SRX has a valid IDP license and the IDP signature database is up to date. However, when an IDP policy is configured with a non-existent signature (SSL:TEST), the commit succeeds and no commit error is shown, even though one is expected.


root@SRX> show system license
License usage:
                        Licenses       Licenses   Licenses     Expiry
Feature name                used      installed     needed
av_key_kaspersky_engine     0         1            0           2018-02-05 00:00:00 UTC
anti_spam_key_sbl           0         1            0           2018-02-05 00:00:00 UTC
wf_key_surfcontrol_cpa      0         1            0           2018-02-05 00:00:00 UTC
idp-sig                     0         2            0           2018-02-05 00:00:00 UTC

root@SRX> show security idp security-package-version
Attack database version:2830(Thu Feb 16 18:34:14 2017 UTC)
Detector version :12.6.160161014
Policy template version :N/A

[edit]
root@SRX# load set terminal
[Type ^D at a new line to end input]
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 match attacks predefined-attacks SSL:TEST
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 then action recommended
load complete

[edit]
root@SRX# commit
commit complete

[edit]
root@SRX# run show security idp attack description SSL:TEST
error: Attack SSL:TEST does not exist in the database


Cause:

The commit error does not appear because the policy configured with the invalid signature (TEST) is not the IDP active policy. The IDP detector validates attack names against the signature database only for the active policy, so a reference in any other configured policy is not checked at commit time.

[edit]
root@SRX# run show security idp attack description SSL:OPENSSL-SRP-BO
Description: This signature detects attempts to exploit a known vulnerability
in the OpenSSL. A successful attack can lead to a buffer overflow
and arbitrary remote code execution within the context of the
OpenSSL.

[edit]
root@SRX# run show security idp attack description SSL:TEST
error: Attack SSL:TEST does not exist in the database

[edit]

root@SRX# show security idp | display set | no-more
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION match attacks predefined-attacks SSL:OPENSSL-SRP-BO
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION then action recommended
set security idp active-policy HTTP

[edit]
root@SRX# load set terminal
[Type ^D at a new line to end input]
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 match attacks predefined-attacks SSL:TEST
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 then action recommended
load complete

[edit]
root@SRX# commit
commit complete

[edit]
root@SRX# show security idp | display set | no-more
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION match attacks predefined-attacks SSL:OPENSSL-SRP-BO
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION then action recommended
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 match attacks predefined-attacks SSL:TEST
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 then action recommended
set security idp active-policy HTTP


Solution:

Change the active policy to the policy configured with the wrong signature. The IDP detector then checks that policy against the signature database, and the commit error is displayed.

[edit]
root@SRX# set security idp active-policy TEST  <<<<< Configured with TEST

[edit]
root@SRX# commit
[edit security idp idp-policy TEST rulebase-ips rule PRODUCTION1 match attacks]
'predefined-attacks SSL:TEST'
Unknown attack:SSL:TEST
error: configuration check-out failed
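
Because only the active policy is validated at commit, predefined-attack references in the other IDP policies can silently go stale (for example after a signature package update). The following script is an added example, not part of this article or of Junos itself: it parses the set-format output of "show security idp | display set", finds predefined attacks referenced by non-active policies, and checks each one using the same "show security idp attack description" result that the article relies on. The attack database lookup is simulated with a constructed table; on a real device it would be replaced by the CLI output of that command.

```python
import re

# Constructed sample: the "show security idp | display set" output from this article.
CONFIG = """\
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION match attacks predefined-attacks SSL:OPENSSL-SRP-BO
set security idp idp-policy HTTP rulebase-ips rule PRODUCTION then action recommended
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 match attacks predefined-attacks SSL:TEST
set security idp idp-policy TEST rulebase-ips rule PRODUCTION1 then action recommended
set security idp active-policy HTTP
"""

# Constructed stand-in for "show security idp attack description <name>": the CLI prints a
# description for a known attack and "error: Attack <name> does not exist in the database"
# for an unknown one (assumption: this lookup is replaced by real CLI output in practice).
ATTACK_DB = {"SSL:OPENSSL-SRP-BO": "Description: This signature detects attempts to exploit ..."}

def attack_description(name):
    return ATTACK_DB.get(name, "error: Attack %s does not exist in the database" % name)

ATTACK_RE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-\S+ rule (\S+) match attacks predefined-attacks (\S+)$")
ACTIVE_RE = re.compile(r"^set security idp active-policy (\S+)$")

def parse_idp_config(text):
    """Return (active_policy, [(policy, rule, attack), ...]) from set-format config."""
    active, refs = None, []
    for line in text.splitlines():
        line = line.strip()
        m = ATTACK_RE.match(line)
        if m:
            refs.append(m.groups())
            continue
        m = ACTIVE_RE.match(line)
        if m:
            active = m.group(1)
    return active, refs

def find_unvalidated_attacks(text, lookup=attack_description):
    """Attack names referenced by NON-active policies that are absent from the attack
    database. These are exactly the references that commit accepts without an error."""
    active, refs = parse_idp_config(text)
    findings = []
    for policy, rule, attack in refs:
        if policy == active:
            continue  # the detector already validates the active policy at commit time
        if lookup(attack).startswith("error:"):
            findings.append((policy, rule, attack))
    return findings

if __name__ == "__main__":
    for policy, rule, attack in find_unvalidated_attacks(CONFIG):
        print("policy %s rule %s references unknown attack %s" % (policy, rule, attack))
```

Run against the article's configuration the script reports policy TEST, rule PRODUCTION1, attack SSL:TEST; after "set security idp active-policy TEST" it reports nothing, because that reference is now caught by the commit itself.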

Modification History:
2020-06-26: Article reviewed for accuracy; no changes required.
