
IDP - Juniper JSRX Wiki

http://jsrx.juniperwiki.com/index.php?title=IDP

IDP
From Juniper JSRX Wiki
IDP (intrusion detection and prevention), otherwise known as IDS (intrusion detection system), is a series of signatures that look for known malicious or attack traffic traversing a device. IDP is only available on J/SRX devices with a valid IDP license.

Contents
1 Getting started with IDP
  1.1 Licensing
  1.2 Updating IDP
2 Configuration
  2.1 Sensor Specific
  2.2 Inspection Mode
    2.2.1 Integrated Mode
    2.2.2 Dedicated Mode
    2.2.3 Inline Tap Mode
  2.3 Automatic Updates
  2.4 Custom Attack Object
    2.4.1 Signature
    2.4.2 Chain
  2.5 IPS Policy
    2.5.1 Exempt Rulebase
  2.6 Security Policy
3 Troubleshooting
  3.1 Important Files
  3.2 Repairing the Attack Database

Getting started with IDP


Licensing
Before you are able to do anything with IDP, you will need to make sure you have a license for it. Here is how to view your current licenses
metacortex@KaelthasSunstrider> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2012-07-27 00:00:00 UTC

Licenses installed:
  License identifier: JUNOS214457
  License version: 2
  Valid for device: JN10E7914ADE
  Features:
    idp-sig - IDP Signature
      date-based, 2009-07-28 00:00:00 UTC - 2012-07-27 00:00:00 UTC

1 de 11

06/06/2012 06:23 p.m.

If Juniper's Customer Care department already has the serial number of your device tied to an IDP license, you can issue the following command to retrieve the license from Juniper's servers and install it.
metacortex@KaelthasSunstrider> request system license update

If you were given a plain-text license file by Customer Care or you generated it yourself on Juniper's Support Site, then you can use the following command to paste it into the terminal
metacortex@KaelthasSunstrider> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
<paste the plain-text in here>
^D
add license complete (no errors)
metacortex@KaelthasSunstrider>

NOTE: Make sure there is a blank line at the end of the license after you paste it in

Updating IDP
To update IDP to the latest version with a full update, you need an active Internet connection on the box, and then you run the following commands:

metacortex@KaelthasSunstrider> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI

metacortex@KaelthasSunstrider> request security idp security-package download status
In progress:downloading file ...libidp-detector.so.tgz.v

metacortex@KaelthasSunstrider> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1591(Tue Jan 26 12:28:34 2010, Detector=10.2.140091104)

metacortex@KaelthasSunstrider> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

metacortex@KaelthasSunstrider> request security idp security-package install status
In progress:performing DB update for an xml (groups.xml)

metacortex@KaelthasSunstrider> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1591,ExportDate=Tue Jan 26 12:28:34 2010,Detector=10.2.140091104]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.

When you update as seen above, the package is downloaded to /var/db/idpd/sec-repository before it is installed. If downloaded using NSM, it gets stored in /var/db/idpd/nsm-download.

Configuration

Sensor Specific
In the rare case that you need to tweak the inspection properties of the SRX, you can do so here. Be careful with some of these options, as modifying memory and queue sizes without knowing what you are doing can adversely affect IPS functionality.

[edit security idp sensor-configuration]
metacortex@KaelthasSunstrider# set ?
Possible completions:
> log                          IDP Log Configuration
> application-identification   Application identification
> flow                         Flow configuration
> re-assembler                 Re-assembler configuration
> ips                          Ips configuration
> global                       Global configuration
> detector                     Detector Configuration
> ssl-inspection               SSL inspection

Inspection Mode
On the High End SRXs you can change the IDP mode. There are 3 different modes you can put it in:

Integrated Mode: Traffic is inspected by the firewall process. All traffic will be processed before being sent out the egress interface. Has the possibility of impacting overall performance, as the firewall process is handling both tasks.

Dedicated Mode: Firewalling and IPS are handled by separate processes. Traffic is processed by the firewall process, again by the IDP process, and then sent back to the firewall process for egress processing. Can dedicate resources on the SPU to either Firewall or IPS.

Inline Tap Mode: The exact same as Dedicated Mode, except the firewall process does not wait for the IDP process to finish inspecting the traffic before sending it out the egress interface. This will not stop single-packet attacks but can stop attacks that span multiple packets, and is faster than Dedicated Mode.

Integrated Mode
For Integrated Mode, you just want to make sure there is nothing under security forwarding-process application-services maximize-idp-sessions as Integrated Mode is the default mode.
[edit]
metacortex@KaelthasSunstrider# delete security forwarding-process application-services maximize-idp-sessions

Dedicated Mode
security {
    forwarding-process {
        application-services {
            maximize-idp-sessions {
                weight {
                    equal;
                    firewall;
                    idp;
                }
            }
        }
    }
}

set security forwarding-process application-services maximize-idp-sessions weight equal
set security forwarding-process application-services maximize-idp-sessions weight firewall
set security forwarding-process application-services maximize-idp-sessions weight idp

NOTE: You can only choose one option under weight. Equal distributes resources equally between firewall and IDP, firewall distributes resources 2/3rds to firewall and 1/3 to IDP, and idp distributes resources 2/3rds to IDP and 1/3 to firewall.

Inline Tap Mode


security {
    forwarding-process {
        application-services {
            maximize-idp-sessions {
                inline-tap {
                    weight {
                        equal;
                        firewall;
                        idp;
                    }
                }
            }
        }
    }
}

set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal
set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp

NOTE: You can only choose one option under weight. Equal distributes resources equally between firewall and IDP, firewall distributes resources 2/3rds to firewall and 1/3 to IDP, and idp distributes resources 2/3rds to IDP and 1/3 to firewall.

Automatic Updates
Updates happen almost daily to the attack database and it can be an administrative strain to go into each SRX every day, check if there are updates, download them, and install them. You can automate this process with this config
security {
    idp {
        security-package {
            automatic {
                start-time "2011-1-1.00:00:01 -0800";
                interval 24;
                download-timeout 10;
                enable;
            }
        }
    }
}

set security idp security-package automatic start-time 2011-1-1.00:00:01
set security idp security-package automatic interval 24
set security idp security-package automatic download-timeout 10
set security idp security-package automatic enable

This config will start automatic downloads as of January 1st 2011 at 00:00:01, check every 24 hours for a new update, and install the package after 10 minutes of idle time after the download is complete.

Custom Attack Object


There are two different types of attack objects. The first type is a Signature, which is composed of a single regex signature; the second is a Chain, which is composed of multiple regex signatures that can be combined with OR, with AND, or with a combination of ORs and ANDs.

Signature
Single-signature attack objects are really straightforward. Here we will create a signature that detects Google+ traffic.

security {
    idp {
        custom-attack Google+ {
            severity minor;
            attack-type {
                signature {
                    context http-header-host;
                    pattern ".*\[plus\.google\.com\]";
                    direction client-to-server;
                }
            }
        }
    }
}

set security idp custom-attack Google+ severity minor
set security idp custom-attack Google+ attack-type signature context http-header-host
set security idp custom-attack Google+ attack-type signature pattern ".*\[plus\.google\.com\]"
set security idp custom-attack Google+ attack-type signature direction client-to-server

Chain
Chain signatures are a little more complex than their single signature brothers. Here we will set up a signature to detect the downloading of files with various file extensions from the ftp user anonymous. First thing we are going to do is set up all of the signatures to detect the file extensions
security {
    idp {
        custom-attack FTP-installers {
            attack-type {
                chain {
                    member DEB {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[deb\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member RPM {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[rpm\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member EXE {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[exe\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member DMG {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[dmg\]";
                                direction client-to-server;
                            }
                        }
                    }
                }
            }
        }
    }
}

set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature pattern ".*\.\[deb\]"
set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature pattern ".*\.\[rpm\]"
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature pattern ".*\.\[exe\]"
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature pattern ".*\.\[dmg\]"
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature direction client-to-server

As you can see in these signatures, they detect all .deb, .rpm, .exe, and .dmg files (case insensitive). Next we need to set up the signature to detect the anonymous user.

security {
    idp {
        custom-attack FTP-installers {
            attack-type {
                chain {
                    member FTP-Anonymous {
                        attack-type {
                            signature {
                                context ftp-username;
                                pattern "^anonymous$";
                                direction client-to-server;
                            }
                        }
                    }
                }
            }
        }
    }
}

set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature context ftp-username
set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature pattern "^anonymous$"
set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature direction client-to-server

Now that we have the signatures set up, we need to define what order they must match in and set the severity of the signature.

security {
    idp {
        custom-attack FTP-installers {
            severity major;
            attack-type {
                chain {
                    expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous";
                }
            }
        }
    }
}

set security idp custom-attack FTP-installers severity major
set security idp custom-attack FTP-installers attack-type chain expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous"

And that is it. We now have a signature that will detect the anonymous ftp user downloading all the files with the given extensions. Here is the full config.
security {
    idp {
        custom-attack FTP-installers {
            severity major;
            attack-type {
                chain {
                    expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous";
                    member DEB {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[deb\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member RPM {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[rpm\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member EXE {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[exe\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member DMG {
                        attack-type {
                            signature {
                                context ftp-get-filename;
                                pattern ".*\.\[dmg\]";
                                direction client-to-server;
                            }
                        }
                    }
                    member FTP-Anonymous {
                        attack-type {
                            signature {
                                context ftp-username;
                                pattern "^anonymous$";
                                direction client-to-server;
                            }
                        }
                    }
                }
            }
        }
    }
}

set security idp custom-attack FTP-installers severity major
set security idp custom-attack FTP-installers attack-type chain expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous"
set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature pattern ".*\.\[deb\]"
set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature pattern ".*\.\[rpm\]"
set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature pattern ".*\.\[exe\]"
set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature context ftp-get-filename
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature pattern ".*\.\[dmg\]"
set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature direction client-to-server
set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature context ftp-username
set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature pattern "^anonymous$"
set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature direction client-to-server
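To make the Signature and Chain sections above concrete, here is an added Python model of how the Google+ signature and the FTP-installers chain evaluate against a session. It is an illustration written for this page, not code from the wiki or from Juniper. It assumes that the `\[ ... \]` delimiters in a Junos IDP pattern mark a case-insensitive segment (the property the page relies on when it says the extension members match case-insensitively), that each chain member is tested against every extracted value of its context and direction, and that AND binds tighter than OR where an expression is not parenthesised; the sessions at the bottom are constructed samples, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# Custom attack objects as defined on the page: (member, context, direction, Junos pattern).
GOOGLE_PLUS = [("Google+", "http-header-host", "client-to-server", r".*\[plus\.google\.com\]")]
FTP_INSTALLERS_MEMBERS = [
    ("DEB", "ftp-get-filename", "client-to-server", r".*\.\[deb\]"),
    ("RPM", "ftp-get-filename", "client-to-server", r".*\.\[rpm\]"),
    ("EXE", "ftp-get-filename", "client-to-server", r".*\.\[exe\]"),
    ("DMG", "ftp-get-filename", "client-to-server", r".*\.\[dmg\]"),
    ("FTP-Anonymous", "ftp-username", "client-to-server", r"^anonymous$"),
]
FTP_INSTALLERS_EXPR = "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous"

# Assumption: \[text\] in a Junos IDP pattern marks a case-insensitive segment
# (which is why the page's .deb/.rpm/.exe/.dmg members match regardless of case);
# everything outside those delimiters is treated as ordinary regex.
_CI_SEGMENT = re.compile(r"\\\[(.*?)\\\]")

def junos_pattern_to_regex(pattern: str) -> str:
    """Rewrite \\[ ... \\] segments into Python's scoped (?i:...) groups."""
    return _CI_SEGMENT.sub(lambda m: "(?i:" + m.group(1) + ")", pattern)

# A session is the list of (context, direction, value) items the detector extracted.
Event = Tuple[str, str, str]

def member_matches(member: Tuple[str, str, str, str], session: List[Event]) -> bool:
    """A member hits if any event with its context and direction matches its pattern;
    anchoring is left to the pattern itself, as ^anonymous$ does."""
    _name, context, direction, pattern = member
    rx = re.compile(junos_pattern_to_regex(pattern))
    return any(rx.search(v) for c, d, v in session if c == context and d == direction)

def evaluate_chain(expression: str, matched: Dict[str, bool]) -> bool:
    """Evaluate a chain expression over per-member results without eval().
    Assumed grammar, AND binding tighter than OR (the page's expression is fully
    parenthesised, so precedence only matters for other input):
      expr := term ('OR' term)* ; term := factor ('AND' factor)* ; factor := MEMBER | '(' expr ')'"""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("chain expression ended unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def factor() -> bool:
        tok = take()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in chain expression")
            return val
        if tok not in matched:
            raise ValueError("expression names unknown member %r" % tok)
        return matched[tok]

    def term() -> bool:
        val = factor()
        while peek() == "AND":
            take()
            val = factor() and val  # factor() first, so its tokens are always consumed
        return val

    def expr() -> bool:
        val = term()
        while peek() == "OR":
            take()
            val = term() or val
        return val

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in chain expression")
    return result

def chain_matches(members, expression: str, session: List[Event]) -> bool:
    """Run every member over the session, then combine the hits with the expression."""
    matched = {m[0]: member_matches(m, session) for m in members}
    return evaluate_chain(expression, matched)

# Constructed sample sessions, not captured traffic.
ANON_DEB_SESSION = [("ftp-username", "client-to-server", "anonymous"),
                    ("ftp-get-filename", "client-to-server", "/pub/tools/Netcat.DEB")]
AUTH_EXE_SESSION = [("ftp-username", "client-to-server", "build"),
                    ("ftp-get-filename", "client-to-server", "/releases/setup.exe")]
ANON_TXT_SESSION = [("ftp-username", "client-to-server", "anonymous"),
                    ("ftp-get-filename", "client-to-server", "/pub/README.txt")]
HTTP_SESSION = [("http-header-host", "client-to-server", "PLUS.google.com")]
```

Running `chain_matches(FTP_INSTALLERS_MEMBERS, FTP_INSTALLERS_EXPR, ANON_DEB_SESSION)` returns True, while the authenticated `.exe` download and the anonymous `.txt` download both return False, which is exactly the "(extension) AND anonymous" intent of the chain. Two tuning points fall out of the model: a single-signature object like Google+ is just a chain whose expression is its one member name, and the `^anonymous$` member carries no `\[ \]` markers, so the page's chain only fires on a lowercase username; wrap it the same way as the extensions if the FTP servers you protect accept the login case-insensitively.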

IPS Policy
Currently, we can have only one active policy at a time on the SRX. The policy is basically what lists out all of the signatures/groups that are going to be used to inspect the traffic. Here we will set up a simple policy that contains our two custom signatures that we created earlier.
security {
    idp {
        idp-policy active {
            rulebase-ips {
                rule google+ {
                    match {
                        from-zone inside;
                        source-address any;
                        to-zone outside;
                        destination-address any;
                        application junos-http;
                        attacks {
                            custom-attacks Google+;
                        }
                    }
                    then {
                        action {
                            close-client-and-server;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule FTP {
                    match {
                        from-zone outside;
                        source-address any;
                        to-zone inside;
                        destination-address any;
                        application junos-ftp;
                        attacks {
                            custom-attacks FTP-installers;
                        }
                    }
                    then {
                        action {
                            close-client-and-server;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
    }
}

set security idp idp-policy active rulebase-ips rule google+ match from-zone inside
set security idp idp-policy active rulebase-ips rule google+ match source-address any
set security idp idp-policy active rulebase-ips rule google+ match to-zone outside
set security idp idp-policy active rulebase-ips rule google+ match destination-address any
set security idp idp-policy active rulebase-ips rule google+ match application junos-http
set security idp idp-policy active rulebase-ips rule google+ match attacks custom-attacks Google+
set security idp idp-policy active rulebase-ips rule google+ then action close-client-and-server
set security idp idp-policy active rulebase-ips rule google+ then notification log-attacks
set security idp idp-policy active rulebase-ips rule FTP match from-zone outside
set security idp idp-policy active rulebase-ips rule FTP match source-address any
set security idp idp-policy active rulebase-ips rule FTP match to-zone inside
set security idp idp-policy active rulebase-ips rule FTP match destination-address any
set security idp idp-policy active rulebase-ips rule FTP match application junos-ftp
set security idp idp-policy active rulebase-ips rule FTP match attacks custom-attacks FTP-installers
set security idp idp-policy active rulebase-ips rule FTP then action close-client-and-server
set security idp idp-policy active rulebase-ips rule FTP then notification log-attacks

Now that we have a basic policy, all we need to do is to activate the policy
security {
    idp {
        active-policy active;
    }
}

set security idp active-policy active

Exempt Rulebase
If you come across the situation where you need to exempt a specific signature for false-positive reasons, you can do it in the exempt rulebase. It is very similar to the standard ips rulebase as you will see (except it ignores this signature instead of taking action upon it). We will set up our Google+ signature as the signature we want to exempt.
security {
    idp {
        idp-policy active {
            rulebase-exempt {
                rule Google+ {
                    match {
                        from-zone inside;
                        source-address any;
                        to-zone outside;
                        destination-address any;
                        attacks {
                            custom-attacks Google+;
                        }
                    }
                }
            }
        }
    }
}

set security idp idp-policy active rulebase-exempt rule Google+ match from-zone inside
set security idp idp-policy active rulebase-exempt rule Google+ match source-address any
set security idp idp-policy active rulebase-exempt rule Google+ match to-zone outside
set security idp idp-policy active rulebase-exempt rule Google+ match destination-address any
set security idp idp-policy active rulebase-exempt rule Google+ match attacks custom-attacks Google+

Security Policy
Once we have the IDP policy all set up, we need to actually reference it in a security policy. This is pretty simple as you will see here
security {
    policies {
        from-zone inside to-zone outside {
            policy outboud-http {
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}

set security policies from-zone inside to-zone outside policy outboud-http then permit application-services idp

Troubleshooting
Important Files
/var/db/idpd/sec-download/SignatureUpdate.xml - The entire Attack Database
/var/db/idpd/sec-download/groups.xml - Predefined dynamic groups
/var/db/idpd/sec-repository/attack.list - All attacks that have signatures, in name format
/var/db/idpd/sec-repository/attack-group.list - List of attack groups by category
/var/db/idpd/sec-repository/application.list - List of all AppID applications and their ports

Repairing the Attack Database


[edit]
metacortex@KaelthasSunstrider# run start shell
metacortex@KaelthasSunstrider% cd /var/db/idpd/db/
metacortex@KaelthasSunstrider% rm -rfv *
dfa_cache.d01
dfa_cache.k01
dfa_group_cache.d02
dfa_group_cache.k02
dfacache.dbd
pcre_cache.d03
pcre_cache.k03
rdm.taf
secdb.d01
secdb.d02
secdb.d03
secdb.d04
secdb.d05
secdb.d06
secdb.d07
secdb.d08
secdb.d09
secdb.d10
secdb.d11
secdb.d12
secdb.d13
secdb.d14
secdb.d15
secdb.dbd
secdb.k01
secdb.k02
secdb.k03
secdb.k04
secdb.k05
secdb.k06
secdb.k07
secdb.k08
secdb.k09
secdb.k10
secdb.k11
secdb.k12
secdb.k13
secdb.k14
secdb.k15
secdb.k16
secdb.k17
secdb.k18
secdb.k19
secdb.k20
secdb.k21
secdb.k22
metacortex@KaelthasSunstrider% cd /etc/
metacortex@KaelthasSunstrider% sh rc.idb

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc. All Rights Reserved.
secdb initialized

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc. All Rights Reserved.
dfacache initialized
metacortex@KaelthasSunstrider% exit
exit

[edit]
metacortex@KaelthasSunstrider# run restart idp-policy
IDP policy daemon started, pid 12990

[edit]
metacortex@KaelthasSunstrider# run request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI

Retrieved from "http://jsrx.juniperwiki.com/index.php?title=IDP"
This page was last modified on 18 July 2011, at 02:52.
Content is available under GNU Free Documentation License 1.3.
