
Verifying SRX-IDP Traffic Inspection and Attack Detection


Article ID: KB33123 KB Last Updated: 08 Sep 2018Version: 1.0
Summary:

An administrator has downloaded and installed an IDP attack database, applied it to a security policy, and wants to make sure that traffic is actually being inspected. This article details how an IDP administrator can verify that traffic is being inspected and that attack detection is working.
 

Solution:

Verifying Traffic Inspection

The first thing to do is to confirm that the IDP engine is seeing traffic. This can be done in two ways: by checking the IDP counters for historical data, and by checking flow sessions to see whether they are being inspected by IDP.

First, check whether the IDP engine sees the traffic at all. Run 'show security idp status' and see whether the counters are incrementing. You can clear these counters with the 'clear security idp status' command to get a baseline of all zeros. If all counters are still zero after running traffic, the IDP engine is not seeing the traffic.
 
root@srx> show security idp status
State of IDP: Default,  Up since: 2018-08-22 16:24:37 UTC (6d 05:53 ago)

Packets/second: 17              Peak: 1787 @ 2018-08-24 22:55:46 UTC
KBits/second  : 13              Peak: 958 @ 2018-08-24 22:59:11 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 265051] [UDP: 274] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 50 @ 2018-08-28 09:14:48 UTC]
  TCP: [Current: 18] [Max: 234 @ 2018-08-24 22:37:41 UTC]
  UDP: [Current: 0] [Max: 8 @ 2018-08-27 23:05:32 UTC]
  Other: [Current: 0] [Max: 0 @ 2018-08-24 00:15:38 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 9] [UDP: 0] [Other: 0]
  Policy Name : HTTP-AUDIT
  Running Detector Version : 12.6.160180509

To verify that specific traffic is seen by the IDP process, use the 'show security flow session idp' command. Filters (for example 'source-prefix') can be applied to narrow the output:

root@srx> show security flow session idp source-prefix 20.20.20.20/32
Session ID: 50647, Policy name: secure-to-unsecure/4, Timeout: 1558, Valid
  In: 20.20.20.20/65181 --> 13.89.187.212/443;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 104, Bytes: 11670,
  Out: 13.89.187.212/443 --> 10.85.48.6/18013;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 59, Bytes: 12501,

Session ID: 52857, Policy name: secure-to-unsecure/4, Timeout: 1518, Valid
  In: 20.20.20.20/55196 --> 45.33.17.80/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 18, Bytes: 2404,
  Out: 45.33.17.80/80 --> 10.85.48.6/20273;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 37, Bytes: 36416,
Total sessions: 2

 

Verifying Attack Detection

Verifying IDP attack detection can be tricky, because a policy does not always contain an attack that is easy to generate on demand. To work around this, install a rule that matches any valid HTTP request and takes no action: every match increments the IDP attack table, which proves that the detector is running against the traffic.

Create an IDP rule that detects HTTP traffic and performs no action. This rule can be placed at the top of your IDP policy with the 'insert' command. In this case, add 'rule 1' (can be called anything) to the beginning of your IDP policy.

root@srx# show
idp-policy HTTP-AUDIT {
    rulebase-ips {
        rule 1 {
            match {
                source-address any;
                destination-address any;
                application default;
                attacks {
                    predefined-attacks HTTP:AUDIT:URL;
                }
            }
            then {
                action {
                    no-action;
                }
            }
        }
    }
}
active-policy HTTP-AUDIT;

After the policy is committed, verify hits with the 'show security idp attack table' command:

root@srx> show security idp attack table
IDP attack statistics:
  Attack name                                  #Hits
  HTTP:AUDIT:URL                               3444
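The two checks above (counters incrementing after a baseline, and the audit attack accumulating hits) are easy to script once the CLI output has been captured. The following Python script is an added example, not part of the article and not Juniper code: it parses 'show security idp status', 'show security flow session idp' and 'show security idp attack table' output and reports whether IDP saw traffic and whether the no-action audit rule fired. The sample output it parses is constructed here from the article's transcripts (the packet counts and hit counts are made up), and the column layout is assumed to match the article; in practice you would feed it text captured from the device, for example over SSH.

```python
import re
from typing import Dict, List, Optional

# Constructed sample CLI output modelled on the article's transcripts (not real device captures).
# STATUS_BEFORE is taken right after 'clear security idp status', before any test traffic.
STATUS_BEFORE = """State of IDP: Default,  Up since: 2018-08-22 16:24:37 UTC (6d 05:53 ago)

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  Policy Name : HTTP-AUDIT
  Running Detector Version : 12.6.160180509
"""
# Same command after running HTTP traffic; only the Packet Statistics line (first match) changes.
STATUS_AFTER = STATUS_BEFORE.replace("[TCP: 0] [UDP: 0]", "[TCP: 265051] [UDP: 274]", 1)

SESSIONS = """Session ID: 52857, Policy name: secure-to-unsecure/4, Timeout: 1518, Valid
  In: 20.20.20.20/55196 --> 45.33.17.80/80;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 18, Bytes: 2404,
  Out: 45.33.17.80/80 --> 10.85.48.6/20273;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 37, Bytes: 36416,
Total sessions: 1
"""
TABLE_BEFORE = """IDP attack statistics:
  Attack name                                  #Hits
  HTTP:AUDIT:URL                               3400
"""
TABLE_AFTER = TABLE_BEFORE.replace("3400", "3444")  # 44 new hits after the test traffic

COUNTER_RE = re.compile(r"\[(\w+): (\d+)\]")
SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
IN_RE = re.compile(r"In: (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+)")
TABLE_ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")


def parse_packet_counters(status_output: str) -> Dict[str, int]:
    """Per-protocol packet counters from the 'Packet Statistics:' block of 'show security idp status'."""
    lines = status_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Packet Statistics:":
            return {proto: int(n) for proto, n in COUNTER_RE.findall(lines[i + 1])}
    raise ValueError("Packet Statistics block not found")


def parse_active_policy(status_output: str) -> Optional[str]:
    """Name of the IDP policy the engine reports as running, or None if absent."""
    m = re.search(r"Policy Name\s*:\s*(\S+)", status_output)
    return m.group(1) if m else None


def parse_idp_sessions(session_output: str) -> List[dict]:
    """Sessions listed by 'show security flow session idp', with their inbound 5-tuple."""
    sessions: List[dict] = []
    for line in session_output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2), "state": m.group(4)})
            continue
        m = IN_RE.search(line)
        if m and sessions:
            sessions[-1].update(src=m.group(1), sport=int(m.group(2)),
                                dst=m.group(3), dport=int(m.group(4)), proto=m.group(5))
    return sessions


def parse_attack_table(table_output: str) -> Dict[str, int]:
    """Attack name -> hit count from 'show security idp attack table' (header rows have no digits)."""
    hits: Dict[str, int] = {}
    for line in table_output.splitlines():
        m = TABLE_ROW_RE.match(line)
        if m:
            hits[m.group(1)] = int(m.group(2))
    return hits


def verify_idp(status_before: str, status_after: str, table_before: str, table_after: str,
               audit_attack: str = "HTTP:AUDIT:URL") -> dict:
    """Apply the article's two checks: counters must grow, and the audit attack must gain hits."""
    before, after = parse_packet_counters(status_before), parse_packet_counters(status_after)
    deltas = {proto: after[proto] - before.get(proto, 0) for proto in after}
    hits_before = parse_attack_table(table_before).get(audit_attack, 0)
    hits_after = parse_attack_table(table_after).get(audit_attack, 0)
    return {
        "policy": parse_active_policy(status_after),
        "packet_deltas": deltas,
        "traffic_inspected": any(d > 0 for d in deltas.values()),
        "audit_hits": hits_after - hits_before,
        "detection_working": hits_after > hits_before,
    }


if __name__ == "__main__":
    result = verify_idp(STATUS_BEFORE, STATUS_AFTER, TABLE_BEFORE, TABLE_AFTER)
    for key, value in result.items():
        print(f"{key}: {value}")
    for s in parse_idp_sessions(SESSIONS):
        print(f"session {s['id']}: {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}/{s['proto']} ({s['state']})")
```

A zero delta in every protocol counter points at the first problem the article names (IDP not seeing the traffic at all, typically a policy that does not reference the IDP policy), while growing counters with no new audit hits points at the rule itself, for example the audit rule not being at the top of the rulebase or the HTTP traffic not matching the configured application.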
