SRX


what actually is the action done by IDP when the action is "recommended"?

  • 1.  what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 07:34

    Hi all,

     

    When we use the IDP template "Recommended", the template shows the action "recommended". May I know what action is actually done by "recommended"? Is it just bypass, or block, or something else?

     

    Another question: if I add a new rule to the existing template, is it enough to commit only, so that the IDP template will apply with the new rule I just added? Or do I need to delete the template and apply it again, the same as the first time we applied the IDP template?

     

     

    [edit security idp idp-policy Recommended]
    test@vSRX-LAB# show
    /* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
    rulebase-ips {
        rule TCP/IP {
            /* This rule is designed to protect your networks against important TCP/IP attacks. */
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
        rule Block-Torrent {
            description "Torrent Blocker";
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups "P2P - All";
                }
            }
            then {
                action {
                    drop-connection;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }

     

    Thanks and appreciate any feedback



  • 2.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 09:13

    Hello, kronicklez!

     

    Recommended will take the predefined action set by Juniper depending on the object. Here is some more information.

     

    Recommended
    All predefined attack objects have a default action associated with them. This is the action that Juniper Networks recommends when that attack is detected.
    Note: This action is supported only for IPS rulebases.

    Source

     

    Helpful commands:

    show security flow ip-action

    show security idp status



  • 3.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 10:34

    Hi synackray,

     

     

    Using the commands that you provided still does not display what action is taken by "recommended".

     

     

    I appreciate any expert feedback regarding the action "recommended" in the default IDP template.

     

     

    Thanks



  • 4.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 10:43

    Hi, sorry I should have given more detail. Please see below. The key is you must understand this is controlled at an attack object level, not the attack groups. Each individual object may have a different recommended action. Therefore, you want to see what's inside of the predefined attack groups and then review the individual attack objects.

     

    [SRX] How to view the IDP attacks that are listed under a pre-defined attack group

    Understanding Predefined IDP Attack Objects and Object Groups

     

    Run the following commands to check the details and description of an attack:
    
    For example, HTTP:LINUX:REDHAT-ACCEPT-LANG:
    [edit]
    root@srx> show security idp attack detail HTTP:LINUX:REDHAT-ACCEPT-LANG 
    Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
    Severity: Major
    Category: HTTP
    Recommended: true
    Recommended Action: Drop
    Type: chain
    False Positives: unknown
    Service: HTTP
    
    [edit]
    root@srx> show security idp attack description HTTP:LINUX:REDHAT-ACCEPT-LANG

    Source



  • 5.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 16:31

    Hi synackray/all,

     

     

     

    Sorry, I still cannot get how to see what action is taken by "recommended" on the IDP policy template "Recommended". Is there any actual command that shows the action taken by "recommended"?

     

    Thanks, and I appreciate any additional input/advice.



  • 6.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-07-2017 23:35

     

    synackray gave you the answer. There will be one of several actions recommended by Juniper.

    synackray gave you the answer. The output shows the recommended action:
    https://www.juniper.net/documentation/en_US/junos12.1x44/topics/reference/configuration-statement/security-edit-recommended-action.html
    Syntax
    recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
    Hierarchy Level
    [edit security idp custom-attack attack-name]


    Description
    When the security device detects an attack, it performs the specified action.

    Options
    The seven actions are as follows, from most to least severe:

    close—Reset the client and the server.
    close-client—Reset the client.
    close-server—Reset the server.
    drop—Drop the particular packet and all subsequent packets of the flow.
    drop-packet—Drop the particular packet of the flow.
    ignore—Do not inspect any further packets.
    none—Do not perform any action.

    root@srx> show security idp attack detail HTTP:LINUX:REDHAT-ACCEPT-LANG 
    Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
    Severity: Major
    Category: HTTP
    Recommended: true
    Recommended Action: Drop
    Type: chain
    False Positives: unknown
    Service: HTTP
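    To make the point of the last few posts concrete: "recommended" is not one fixed action, it is resolved per attack object from that object's "Recommended Action" field. The following is an added Python example, not code from the thread or from Juniper; it parses constructed `show security idp attack detail` output (the first entry copies the thread's example, the two EXAMPLE:* objects are hypothetical names) and reports the effective action of a rule for each object, ranked by the doc's most-to-least-severe order.

```python
import re

# The seven attack actions from the Junos doc, most to least severe.
ACTION_SEVERITY = ["close", "close-client", "close-server", "drop",
                   "drop-packet", "ignore", "none"]

# Constructed "show security idp attack detail" output. The first entry copies the
# thread's example; the other two are hypothetical objects, not real Juniper names.
SAMPLE_DETAIL = {
    "HTTP:LINUX:REDHAT-ACCEPT-LANG": """\
Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
Severity: Major
Recommended: true
Recommended Action: Drop
""",
    "EXAMPLE:TCP:HYPOTHETICAL-A": """\
Display Name: Hypothetical TCP attack (constructed)
Recommended: true
Recommended Action: Close
""",
    "EXAMPLE:IP:HYPOTHETICAL-B": """\
Display Name: Hypothetical IP attack (constructed)
Recommended: false
Recommended Action: None
""",
}

def parse_attack_detail(text):
    """Turn the 'Key: Value' lines into a dict; values may themselves contain ':'."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def effective_action(rule_action, detail):
    """What the device does for one attack object under the rule's configured action."""
    if rule_action != "recommended":
        return rule_action  # an explicit action such as drop-connection applies as written
    act = detail.get("Recommended Action", "none").lower()
    return act if act in ACTION_SEVERITY else "none"  # assumption: unknown value -> none

def resolve_rule(rule_action, attack_names, lookup=SAMPLE_DETAIL):
    """Return {attack object: effective action}, ordered most severe first."""
    rank = lambda a: ACTION_SEVERITY.index(a) if a in ACTION_SEVERITY else -1
    resolved = {n: effective_action(rule_action, parse_attack_detail(lookup[n]))
                for n in attack_names}
    return dict(sorted(resolved.items(), key=lambda kv: rank(kv[1])))
```

    On a real device the lookup dict would be filled from the output of `show security idp attack detail <name>` for each object listed in the rule's predefined attack groups.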

     



  • 7.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-08-2017 00:02

    Hi lyndidon,

     

    Thanks for the URL. Based on the URL, it means the "recommended" action will use the action sequence (close | close-client | close-server | drop | drop-packet | ignore | none), right?

     

     

    Please correct me if my interpretation of that URL is wrong.

     

     

    Thanks



  • 8.  RE: what actually is the action done by IDP when the action is "recommended"?
    Best Answer

    Posted 09-08-2017 06:53

    The recommended action is what Juniper recommends. The link shows it is one of those actions that can be taken. It does not mean that is the order. Juniper can recommend any one of those actions. The "|" symbol simply says it is one of those actions that can be taken.



  • 9.  RE: what actually is the action done by IDP when the action is "recommended"?

    Posted 09-08-2017 09:32

    Just to follow up and answer the second question you asked: "Another question: if I add a new rule to the existing template, is it enough to commit only, so that the IDP template will apply with the new rule I just added? Or do I need to delete the template and apply it again, the same as the first time we applied the IDP template?"

     

    No need to delete the template and reapply it. I think you mean the point where you specify which template will be made active. Once the template is made active, any modification you make will be applied once you commit the configuration. It is similar to creating a firewall filter and then adding terms to it: once the filter has been applied, there is no need to delete and reapply it; the terms you added will be evaluated.