root@srx210h-poe> show configuration | no-more ## Last commit: 2011-09-05 14:21:06 UTC by root version 10.4R6.5; system { host-name srx210h-poe; root-authentication { encrypted-password "$1$.HWBin9a$fO0M3AbpyDzByg6fDHR1m1"; ## SECRET-DATA } name-server { 192.168.1.254; } services { ssh; web-management { http { interface ge-0/0/0.0; } } } syslog { user * { any emergency; } file messages { any critical; authorization info; } file interactive-commands { interactive-commands error; } } max-configurations-on-flash 5; max-configuration-rollbacks 5; license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } } ntp { server 93.94.105.122; server 212.68.213.7; server 91.183.89.89; } } interfaces { ge-0/0/0 { unit 0 { family inet { address 192.168.75.1/24; } } } fe-0/0/2 { unit 0 { family inet { dhcp { server-address 192.168.1.254; } } } } } security { idp { idp-policy Web_Server { /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */ rulebase-ips { rule 1 { /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ]; } } then { action { drop-packet; } notification { log-attacks; } } } rule 2 { /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Critical" "DNS - Major" ]; } } then { action { drop-packet; } notification { log-attacks; } } } rule 3 { /* This rule drops critical and high severity attacks against common web and IIS services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" ]; } } then { action { drop-packet; } notification { log-attacks; } } } rule 4 { /* This rule logs medium severity attacks. Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Minor" "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "NNTP - Minor" "SHELLCODE - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 5 { /* This rule logs low severity attacks. The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 6 { /* This rule logs informational events. This rule is disabled by default as it generates many logs. Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy DMZ_Services { /* This template policy is designed to be used to protect a typical DMZ environment. */ rulebase-ips { rule 1 { /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 2 { /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Critical" "DNS - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 3 { /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical and high severity attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" "IMAP - Critical" "IMAP - Major" "POP3 - Critical" "POP3 - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 4 { /* This rule logs medium severity attacks. Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "IMAP - Minor" "NNTP - Minor" "POP3 - Minor" "SHELLCODE - Minor" "SMTP - Minor" "SSH - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 5 { /* This rule logs low severity attacks. The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 6 { /* This rule logs informational events. This rule is disabled by default as it generates many logs. Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy DNS_Service { /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */ rulebase-ips { rule 1 { /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 2 { /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Critical" "DNS - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 3 { /* This rule logs medium severity DNS attacks. Enable this rule to investigate possible threats against Domain Name Services. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups "DNS - Minor"; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 4 { /* This rule logs low severity attacks. The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 5 { /* This rule logs informational events. This rule is disabled by default as it generates many logs. Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy File_Server { /* This template policy is designed to provide protection to various file sharing services such as AMB, NFS, FTP, and others. */ rulebase-ips { rule 1 { /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 2 { /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DHCP - Critical" "DHCP - Major" "SHELLCODE - Critical" "SHELLCODE - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 3 { /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FTP - Critical" "FTP - Major" "SSH - Critical" "SSH - Major" "NFS - Critical" "NFS - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SMB - Critical" "SMB - Major" "MS-RPC - Critical" "MS-RPC - Major" "NETBIOS - Critical" "NETBIOS - Major" "TFTP - Critical" "TFTP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 4 { /* This rule logs medium severity file service attacks. Enable this rule to investigate possible threats against file sharing services. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FTP - Minor" "SSH - Minor" "MS-RPC - Minor" "NETBIOS - Minor" "NFS - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SMB - Minor" "TFTP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 5 { /* This rule logs low severity attacks. The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 6 { /* This rule logs informational events. This rule is disabled by default as it generates many logs. Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy Getting_Started { /* This template is a good starting point for learning how to create IDP policies. */ rulebase-ips { rule 1 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "IP - Minor" "TCP - Critical" "TCP - Major" "TCP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 2 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "ICMP - Critical" "ICMP - Major" "ICMP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 3 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 4 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 5 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DNS - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 6 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "FTP - Critical" "FTP - Major" "FTP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 7 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "POP3 - Critical" "POP3 - Major" "POP3 - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 8 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" "IMAP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } rule 9 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy IDP_Default { /* This template policy represents a good blend od security and performance. Use this template for "in-line" mode. */ rulebase-ips { rule 1 { /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 2 { /* This rule drops high severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical attacks and IDS evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DB - Critical" "DB - Major" "DDOS - Critical" "DDOS - Major" "DHCP - Critical" "DHCP - Major" "DNS - Critical" "DNS - Major" "DOS - Critical" "DOS - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "ICMP - Critical" "ICMP - Major" "IMAP - Critical" "IMAP - Major" "NETBIOS - Critical" "NETBIOS - Major" "MS-RPC - Critical" "MS-RPC - Major" "NFS - Critical" "NFS - Major" "POP3 - Critical" "POP3 - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SCAN - Critical" "SCAN - Major" "SHELLCODE - Critical" "SHELLCODE - Major" "SMB - Critical" "SMB - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" "TELNET - Critical" "TELNET - Major" "TROJAN - Critical" "TROJAN - Major" "WORM - Critical" "WORM - Major" "APP - Critical" "APP - Major" ]; } } then { action { drop-packet; } notification { log-attacks { alert; } } } } rule 3 { /* This rule logs medium severity attacks. Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "DB - Minor" "DDOS - Minor" "DHCP - Minor" "DNS - Minor" "DOS - Minor" "FTP - Minor" "HTTP - Minor" "ICMP - Minor" "IMAP - Minor" "NETBIOS - Minor" "MS-RPC - Minor" "NFS - Minor" "POP3 - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SCAN - Minor" "SHELLCODE - Minor" "SMB - Minor" "SMTP - Minor" "SSH - Minor" "TELNET - Minor" "TROJAN - Minor" "WORM - Minor" "APP - Minor" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 4 { /* This rule logs low severity attacks. The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ]; } } then { action { no-action; } notification { log-attacks; } } } inactive: rule 5 { /* This rule logs informational events. This rule is disabled by default as it generates many logs. Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ]; } } then { action { no-action; } notification { log-attacks; } } } } } idp-policy Recommended { /* This template policy covers the most important vulnerabilities. Use this template as a base line. */ rulebase-ips { rule 1 { /* This rule is designed to protect your networks against important TCP/IP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 2 { /* This rule is designed to protect your network against important ICMP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 3 { /* This rule is designed to protect your network against important HTTP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 4 { /* This rule is designed to protect your network against important SMTP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 5 { /* This rule is designed to protect your network against important DNS attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 6 { /* This rule is designed to protect your network against important FTP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 7 { /* This rule is designed to protect your network against important POP3 attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 8 { /* This rule is designed to protect your network against important IMAP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 9 { /* This rule is designed to protect your network against common internet malware. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } } } idp-policy fb-https-drop { rulebase-ips { rule 1 { match { from-zone trust; to-zone untrust; application junos-https; attacks { custom-attack-groups facebook-https-block; } } then { action { recommended; } notification { log-attacks; } severity major; } } } } active-policy fb-https-drop; custom-attack fb-https-client { recommended-action close-client; severity major; attack-type { signature { context ssl-client-hello; pattern ".*facebook\.com.*"; direction client-to-server; } } } custom-attack fb-https-server { recommended-action close-client; severity major; attack-type { signature { context ssl-cert-common-name; pattern ".*facebook\.com.*"; direction server-to-client; } } } custom-attack-group facebook-https-block { group-members [ fb-https-server fb-https-client ]; } } nat { source { rule-set RS1 { from zone trust; to zone untrust; rule RS1-r1 { match { source-address 192.168.75.0/24; destination-address 0.0.0.0/0; } then { source-nat { interface; } } } } } } screen { ids-option untrust-screen { icmp { ping-death; } ip { source-route-option; tear-drop; } tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; queue-size 2000; ## Warning: 'queue-size' is deprecated timeout 20; } land; } } } zones { security-zone trust { tcp-rst; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } } } } } security-zone untrust { interfaces { fe-0/0/2.0 { host-inbound-traffic { system-services { all; } } } } } } policies { from-zone trust to-zone trust { policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone trust to-zone untrust { policy fb-https-block { match { source-address any; destination-address any; application junos-https; } then { permit { application-services { idp; } } log { session-close; } } } policy default-permit { match { source-address any; destination-address any; application any; } then { permit; } } } from-zone untrust to-zone trust { policy default-deny { match { source-address any; destination-address any; application any; } then { deny; } } } } }