
Verifying SRX-IDP Traffic Inspection and Attack Detection

[KB33123]


Summary:

An administrator has downloaded and installed an IDP attack database and applied it to a security policy and wants to make sure that traffic is being properly inspected. This article details how an IDP administrator can verify that traffic is being inspected and that attack detection is working.
 

Solution:

Verifying Traffic Inspection

The first thing to do is to confirm that the IDP engine is seeing traffic. This can be done in two ways: by checking the counters for historic data, and by checking flows to see whether they are being inspected by IDP.

For the counters, run 'show security idp status' and see whether they are incrementing. You can clear these counters with the 'clear security idp status' command to get a baseline of all 0's. If all counters are still 0 after running traffic, the IDP engine is not seeing the traffic.
 
root@srx> show security idp status
State of IDP: Default,  Up since: 2018-08-22 16:24:37 UTC (6d 05:53 ago)

Packets/second: 17              Peak: 1787 @ 2018-08-24 22:55:46 UTC
KBits/second  : 13              Peak: 958 @ 2018-08-24 22:59:11 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 265051] [UDP: 274] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 50 @ 2018-08-28 09:14:48 UTC]
  TCP: [Current: 18] [Max: 234 @ 2018-08-24 22:37:41 UTC]
  UDP: [Current: 0] [Max: 8 @ 2018-08-27 23:05:32 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-08-24 00:15:38 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 9] [UDP: 0] [Other: 0]
  Policy Name : HTTP-AUDIT
  Running Detector Version : 12.6.160180509

To verify that a particular flow is seen by the IDP process, use the 'show security flow session idp' command. Only sessions being inspected by IDP are listed, and filters can be applied to narrow the output:

root@srx> show security flow session idp source-prefix 20.20.20.20/32
Session ID: 50647, Policy name: secure-to-unsecure/4, Timeout: 1558, Valid
  In: 20.20.20.20/65181 --> 13.89.187.212/443;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 104, Bytes: 11670,
  Out: 13.89.187.212/443 --> 10.85.48.6/18013;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 59, Bytes: 12501,

Session ID: 52857, Policy name: secure-to-unsecure/4, Timeout: 1518, Valid
  In: 20.20.20.20/55196 --> 45.33.17.80/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 18, Bytes: 2404,
  Out: 45.33.17.80/80 --> 10.85.48.6/20273;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 37, Bytes: 36416,
Total sessions: 2

 

Verifying Attack Detection

Sometimes verifying IDP attack detection can be tricky, as policies don't always have an easy attack to generate to verify detection. To work around this, install a policy that looks for a valid HTTP request and then matches against it and increments the IDP attack table.

Create an IDP rule that detects HTTP traffic and performs no action. This rule can be placed at the top of your IDP policy with the 'insert' command. In this case, add 'rule 1' (can be called anything) to the beginning of your IDP policy.

root@srx# show
idp-policy HTTP-AUDIT {
    rulebase-ips {
        rule 1 {
            match {
                source-address any;
                destination-address any;
                application default;
                attacks {
                    predefined-attacks HTTP:AUDIT:URL;
                }
            }
            then {
                action {
                    no-action;
                }
            }
        }
    }
}
active-policy HTTP-AUDIT;

After the policy is committed, verify hits via the 'show security idp attack table' command:

root@srx> show security idp attack table
IDP attack statistics:
  Attack name                                  #Hits
  HTTP:AUDIT:URL                               3444
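The two checks above (counters moving between a cleared baseline and a later snapshot, and the HTTP:AUDIT:URL rule registering hits) can be automated from the raw CLI text. The following is an added example, not part of the KB article or Juniper's own tooling; the sample outputs are constructed in the style of the article, and the functions assume the output was captured unchanged from the Junos CLI:

```python
import re

# Constructed snapshots of 'show security idp status', taken right after
# 'clear security idp status' (baseline) and again after passing traffic.
BASELINE_STATUS = """Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
"""
AFTER_STATUS = """Packet Statistics:
 [ICMP: 0] [TCP: 265051] [UDP: 274] [Other: 0]
"""
# Constructed 'show security idp attack table' output after the audit rule ran.
ATTACK_TABLE = """IDP attack statistics:
  Attack name                                  #Hits
  HTTP:AUDIT:URL                               3444
"""


def parse_packet_stats(status_output):
    """Return {'ICMP': n, 'TCP': n, ...} from the Packet Statistics block."""
    m = re.search(r"Packet Statistics:[ \t]*\n(.+)", status_output)
    if not m:
        raise ValueError("no Packet Statistics block found")
    return {k: int(v) for k, v in re.findall(r"\[(\w+):\s*(\d+)\]", m.group(1))}


def idp_sees_traffic(baseline, after):
    """True if any per-protocol IDP packet counter grew between snapshots."""
    before, now = parse_packet_stats(baseline), parse_packet_stats(after)
    return any(now.get(proto, 0) > before.get(proto, 0) for proto in now)


def parse_attack_table(table_output):
    """Return {attack name: hit count} from the attack table listing."""
    hits = {}
    for line in table_output.splitlines()[2:]:  # skip title and column header
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            hits[parts[0]] = int(parts[1])
    return hits


def audit_rule_fires(table_output, attack="HTTP:AUDIT:URL"):
    """True once the no-action audit signature has recorded at least one hit."""
    return parse_attack_table(table_output).get(attack, 0) > 0


if __name__ == "__main__":
    print("IDP sees traffic:", idp_sees_traffic(BASELINE_STATUS, AFTER_STATUS))
    print("Audit rule fires:", audit_rule_fires(ATTACK_TABLE))
```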
