
[SRX] Enabling IDP signatures with the "not-recommended" flag causes high CPU on SRX devices


Article ID: KB33393 KB Last Updated: 27 Nov 2018 Version: 1.0
Summary:

This article explains why high CPU may be observed after enabling IDP policies on an SRX device, and describes how to determine whether an IDP signature is recommended or not recommended before using one.

 

Symptoms:
  • CPU spikes up to 99% observed via the show security monitoring performance spu command

  • IDP policy configured using a variety of APP, TROJAN, and SHELLCODE IDP signatures

 

Solution:

Enabling signatures whose Recommended flag is false can cause high CPU on SRX devices and can impair performance. As a general rule, the following signatures are considered "not recommended" because they can have a high impact on the CPU:

  • Most of the shellcode signatures starting with SHELLCODE:X86:LINUX

  • Most of the Trojan signatures starting with TROJAN:APT1

  • Most of the App-related signatures starting with APP:

 

To determine whether a signature is recommended or not recommended, look at the details of each attack.

For example, to check whether APP:ADOBE-FLASH-RTMP-RCE is recommended or not recommended, use the following syntax:

 
root@srx345> show security idp attack detail APP:ADOBE-FLASH-RTMP-RCE 
Display Name: APP: Adobe Flash Player RTMP Message Handling Remote Code
              Execution
Severity: Major
Category: APP
Recommended: false
Recommended Action: Drop
Type: signature
Direction: STC
False Positives: unknown
Service: TCP/1935
Shellcode: no
Flow: control
Context: stream
Negate: false
TimeBinding: 
        Scope: none
        Count: 1
Hidden Pattern: True
Pattern: Protected
 

As seen in the above output, the Recommended flag is set to false, which means that this signature is very costly on the CPU and can contribute to a high CPU condition.
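To run the same check across many signatures, the following added example (not part of the original article and not Juniper code) parses a saved CLI session containing several show security idp attack detail outputs and lists the attacks whose Recommended flag is false. The function names are hypothetical, the session is assumed to have been saved as plain text, and the second record in the sample is a constructed placeholder.

```python
import re

# Prompt line that starts each record in the saved session.
CMD = re.compile(r"^\S+>\s*show security idp attack detail\s+(\S+)\s*$")
# "Key: value". The key ends at the first colon, so "Recommended" and
# "Recommended Action" are kept as two separate fields.
FIELD = re.compile(r"^(\s*)([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_attack_details(transcript):
    """Return {attack_name: {field: value}} from saved CLI output."""
    attacks, current, parent, last = {}, None, None, None
    for line in transcript.splitlines():
        cmd = CMD.match(line)
        if cmd:
            current = attacks.setdefault(cmd.group(1), {})
            parent = last = None
            continue
        if current is None or not line.strip():
            continue  # text before the first command, or a blank line
        m = FIELD.match(line)
        if m and not m.group(1):          # top-level field
            key, value = m.group(2), m.group(3).strip()
            parent = None if value else key   # "TimeBinding:" opens a sub-block
        elif m and parent:                # indented field inside a sub-block
            key, value = f"{parent}.{m.group(2)}", m.group(3).strip()
        else:                             # wrapped continuation of the last value
            if last:
                current[last] += " " + line.strip()
            continue
        current[key] = value
        last = key
    return attacks

def not_recommended(attacks):
    """Names of attacks whose Recommended flag is exactly 'false'."""
    return sorted(name for name, fields in attacks.items()
                  if fields.get("Recommended", "").lower() == "false")

# First record is abridged from the article; the second is constructed.
SAMPLE = """\
root@srx345> show security idp attack detail APP:ADOBE-FLASH-RTMP-RCE
Display Name: APP: Adobe Flash Player RTMP Message Handling Remote Code
              Execution
Recommended: false
Recommended Action: Drop
TimeBinding:
        Scope: none
root@srx345> show security idp attack detail EXAMPLE:CONSTRUCTED-SIG
Display Name: EXAMPLE: Constructed placeholder signature
Recommended: true
"""
```

Calling not_recommended(parse_attack_details(SAMPLE)) returns only APP:ADOBE-FLASH-RTMP-RCE; a plain text search for "Recommended" would also match the Recommended Action line, which is why the fields are parsed by exact key.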

 
