SRX

IDP Exempt Rulebases with logging enabled ?

  • 1.  IDP Exempt Rulebases with logging enabled ?

    Posted 11-10-2011 14:19

    Hi

    I have an IDP policy on a SRX with 2 rules.

    Rule 1 matches Critical predefined attack groups

    Rule 2 matches Major predefined attack groups

    Both log alert and block

    One predefined attack within the critical attack group is triggering and blocking traffic. I have created an exempt rulebase for this one attack. It now is not dropping the traffic or showing up in the attack table, but I'm still unable to log alerts from this attack because the exempt rulebase doesn't allow the "THEN" option like normal IDP rule options.

    How can I make this one attack not block and still alert?

    I have removed the exempt rulebase, and made another IDP rule within the IDP policy and just matched this one attack with alert and no action. But as soon as the second rule in the IDP policy matches the critical attack group it matches again and blocks.

    So still no joy

    Any ideas please?


  • 2.  RE: IDP Exempt Rulebases with logging enabled ?
    Best Answer

    Posted 11-10-2011 17:34

    The IDP rulebase doesn't work like a normal firewall rulebase that terminates by default on a match. It will traverse through the policy and it can match multiple criteria. It takes the most severe action and uses that on a multimatch. The only way to get this to work in the way you are looking for is to move the rule to the top of the rulebase and to make it a terminal rule, so that once it matches it stops processing in the IDP rulebase.

    Edit the specific rule, and "set terminal" to make it a terminal rule.

    Hope this helps.


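    The evaluation rules described in the answer above, as an added example in Python that is not part of the thread and not Junos code: it models a rulebase where every rule is tried, the most severe matched action wins, and a rule marked terminal stops the walk. The severity ranking of actions and the attack and rule names are constructed assumptions for illustration; the model runs the original poster's layout (an alert-only rule for one attack above the Critical and Major rules) with and without the terminal flag.

```python
"""Toy model of how an SRX IDP rulebase picks an action when several rules
match one attack. Added example, not Junos code: the severity ranking below
is an assumption for illustration, and the attack names are constructed."""
from dataclasses import dataclass, field

# Assumed ranking of IDP actions from least to most severe (higher wins).
ACTION_RANK = {
    "no-action": 0,
    "drop-packet": 1,
    "drop-connection": 2,
    "close-client-and-server": 3,
}

# Constructed stand-ins for the Critical and Major predefined attack groups.
CRITICAL_GROUP = frozenset({"CRIT-ATTACK-A", "CRIT-ATTACK-B"})
MAJOR_GROUP = frozenset({"MAJOR-ATTACK-C"})


@dataclass(frozen=True)
class Rule:
    name: str
    attacks: frozenset      # attack names this rule's match clause covers
    action: str             # one of ACTION_RANK
    log: bool = True        # "then notification log-attacks"
    terminal: bool = False  # "terminal": stop evaluating once matched


@dataclass
class Verdict:
    action: str
    matched: list = field(default_factory=list)  # rules that matched, in order
    logged: list = field(default_factory=list)   # rules that produced a log


def evaluate(rules, attack):
    """Walk the rulebase top to bottom the way the answer describes: every
    rule is tried, the most severe action among the matches wins, and a
    terminal rule stops the walk as soon as it matches."""
    verdict = Verdict(action="no-action")
    for rule in rules:
        if attack not in rule.attacks:
            continue
        verdict.matched.append(rule.name)
        if rule.log:
            verdict.logged.append(rule.name)
        if ACTION_RANK[rule.action] > ACTION_RANK[verdict.action]:
            verdict.action = rule.action
        if rule.terminal:
            break
    return verdict


def build_policy(terminal):
    """The original poster's layout: an alert-only rule for one attack placed
    above the Critical and Major rules, with or without 'terminal'."""
    return [
        Rule("alert-only-A", frozenset({"CRIT-ATTACK-A"}), "no-action",
             terminal=terminal),
        Rule("critical", CRITICAL_GROUP, "drop-connection"),
        Rule("major", MAJOR_GROUP, "drop-connection"),
    ]


def demo():
    """Return the verdict for the exempted attack under both layouts, plus a
    check that other attacks are still blocked once the rule is terminal."""
    without = evaluate(build_policy(terminal=False), "CRIT-ATTACK-A")
    with_terminal = evaluate(build_policy(terminal=True), "CRIT-ATTACK-A")
    still_blocked = evaluate(build_policy(terminal=True), "CRIT-ATTACK-B")
    return {"without": without, "terminal": with_terminal, "other": still_blocked}


if __name__ == "__main__":
    for label, v in demo().items():
        print(f"{label:9} action={v.action:15} "
              f"matched={v.matched} logged={v.logged}")
```

    Without the terminal flag the alert-only rule and the Critical rule both match and the more severe drop-connection wins, which is the behaviour the original poster saw; with the flag, the walk stops at the first rule, the attack is logged once and not dropped, while the other attacks in the Critical group are still caught by the rule below. A terminal rule at the top of the rulebase is therefore an explicit bypass for whatever it matches, so it is worth keeping its match clause as narrow as the single attack being exempted.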
  • 3.  RE: IDP Exempt Rulebases with logging enabled ?

    Posted 11-11-2011 13:38

    Excellent

    That works great

    Thanks


  • 4.  RE: IDP Exempt Rulebases with logging enabled ?

    Posted 01-30-2019 06:33

    Hello team,

    I have an issue related to this.

    I am trying to make an IDP rule to inspect a few customized patterns which have to be permitted, and then drop anything else.

    I have created a first rulebase which matches correctly and has "no action", and then a second rulebase which denies everything.

    The problem is that traffic is being dropped because of the most severe action.

    I have seen this post and thought I could make a terminal rulebase, but I guess that way won't deny any traffic.

    This is an example:


    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" description "Whitelist: Permitted ranges"
    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match application default
    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-1000
    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-2000
    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then action recommended
    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then notification log-attacks

    set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" terminal
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" description "Blacklist: Denied ranges"
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match application default
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match attacks custom-attacks VOIP:SIP:RANGE-ANY
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then action drop-packet
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then notification log-attacks
    set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then severity info


    I need some help.



  • 5.  RE: IDP Exempt Rulebases with logging enabled ?

    Posted 01-30-2019 06:38

    Hi,

    I would advise creating a new post for your specific issue, because this post is already in Resolved status.