[SRX] Where are log messages sent regarding an attack?

Article ID: KB33849 | KB Last Updated: 31 Mar 2019 | Version: 1.0
Summary:

This article explains which log file and message header each attack-related event is written to, based on the content of the message.

Solution:

This solution requires you to configure syslog to write messages containing RT_IDP, FLOW_IP_ACTION, or RT_SCREEN to a dedicated file. The match string is a regular expression, so the alternatives are written without surrounding spaces. The syslog configuration for this is:

set system syslog file Attack any any
set system syslog file Attack match "RT_IDP|FLOW_IP_ACTION|RT_SCREEN"
commit


By default, when IDP detects a packet that matches a signature or protocol anomaly in the attack database, a log is sent with the header RT_IDP.

Example:

RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1544100355, ANOMALY Attack log <192.168.0.101/49080->1.1.1.1/853> for TCP protocol and service TCP application NONE by rule 1 of rulebase IPS in policy Getting_Started. attack: id=500, repeat=0, action=NONE, threat-severity=CRITICAL, name=TCP:C2S:AMBIG:C2S-SYN-DATA, NAT <172.16.10.30:27886->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-0/0/0.0->untrust:ge-0/0/5.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -


Once an attack has been detected on a session, subsequent connections matching that session are logged under RT_FLOW with the text FLOW_IP_ACTION. These entries do not contain details of the attack itself, but they tell you that a later connection matched the original session in which the attack was detected.

Example:

RT_FLOW - FLOW_IP_ACTION [junos@2636.1.1.1.2.133 source-address="192.168.0.100" source-port="48154" destination-address="1.1.1.1" destination-port="853" interface-name="ge-0/0/0.0" source-zone-name="trust" action="notify"] Flow IP action detected attack attempt: 192.168.0.100/48154 --> 1.1.1.1/853 from interface ge-0/0/0.0, from zone trust, action notify.


Attacks identified by Screen options (configured under the security zone) are logged with the header RT_SCREEN.

Example:

RT_IDS: RT_SCREEN_UDP: UDP flood! source: 172.16.10.54:2153, destination: 192.168.111.206:15017, zone name: untrust, interface name: ge-0/0/5.0, action: alarm-without-drop


To view these logs, issue the command (the file name must match the one configured above):

show log Attack
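As an added example (not part of the Juniper article), the following Python classifier reads lines such as those shown above and normalises the three attack-related message types into one record shape, so the dedicated Attack file can be triaged or forwarded to a SIEM. The sample lines are the article's own examples plus one constructed ordinary session message that should be ignored; the field names in the output are my own choice.

```python
import re

# Sample input: the three attack-related lines from the article plus one
# constructed RT_FLOW session line that is NOT an attack event.
SAMPLE_LOG = """\
RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1544100355, ANOMALY Attack log <192.168.0.101/49080->1.1.1.1/853> for TCP protocol and service TCP application NONE by rule 1 of rulebase IPS in policy Getting_Started. attack: id=500, repeat=0, action=NONE, threat-severity=CRITICAL, name=TCP:C2S:AMBIG:C2S-SYN-DATA, NAT <172.16.10.30:27886->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-0/0/0.0->untrust:ge-0/0/5.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -
RT_FLOW - FLOW_IP_ACTION [junos@2636.1.1.1.2.133 source-address="192.168.0.100" source-port="48154" destination-address="1.1.1.1" destination-port="853" interface-name="ge-0/0/0.0" source-zone-name="trust" action="notify"] Flow IP action detected attack attempt: 192.168.0.100/48154 --> 1.1.1.1/853 from interface ge-0/0/0.0, from zone trust, action notify.
RT_IDS: RT_SCREEN_UDP: UDP flood! source: 172.16.10.54:2153, destination: 192.168.111.206:15017, zone name: untrust, interface name: ge-0/0/5.0, action: alarm-without-drop
RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.133 source-address="10.0.0.5"] session created (constructed noise line)
"""

# RT_IDP: free-text header with an "Attack log <src/port->dst/port>" tuple
# followed by key=value pairs.
IDP_RE = re.compile(
    r"Attack log <(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)>.*?"
    r"action=(?P<action>[^,]+), threat-severity=(?P<severity>[^,]+), name=(?P<name>[^,]+)")
# FLOW_IP_ACTION: structured-data key="value" pairs inside [junos@... ].
SD_RE = re.compile(r'([\w-]+)="([^"]*)"')
# RT_SCREEN: "<screen name>! source: ip:port, destination: ip:port, ... action: x".
SCREEN_RE = re.compile(
    r"RT_SCREEN_\w+: (?P<name>[^!]+)! source: (?P<src>[\d.]+):(?P<sport>\d+), "
    r"destination: (?P<dst>[\d.]+):(?P<dport>\d+),.* action: (?P<action>\S+)")


def parse_line(line):
    """Return a normalised event dict for an attack-related line, else None."""
    if line.startswith("RT_IDP:"):
        m = IDP_RE.search(line)
        return {"kind": "RT_IDP", **m.groupdict()} if m else None
    if "FLOW_IP_ACTION" in line:
        sd = dict(SD_RE.findall(line))
        return {"kind": "FLOW_IP_ACTION", "src": sd.get("source-address"),
                "sport": sd.get("source-port"), "dst": sd.get("destination-address"),
                "dport": sd.get("destination-port"), "action": sd.get("action"),
                "name": None, "severity": None}  # no attack details in this message type
    if "RT_SCREEN" in line:
        m = SCREEN_RE.search(line)
        return {"kind": "RT_SCREEN", **m.groupdict(), "severity": None} if m else None
    return None  # ordinary session logs are not attack events


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarise(events):
    """Count events per header; a quick first triage of the Attack file."""
    counts = {}
    for e in events:
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts
```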