SRX





  • 1.  IDP Log actions

    Posted 07-14-2011 07:59

    Hi All,


I have been playing around a lot with the SRX IDP logging.  I have had it go to STRM, NSM, and used the onboard syslog.  One thing I noticed is that the system logs the attack that was seen but does not log the action (dropped, allowed).  How can I see what was done to the traffic?


    Here is an example of an IDP log that I get.  No clue if the IDP dropped these or accepted them.  The policy is the template Web_Server policy.


    Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K
    Jul 13 08:30:29  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
    Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560228, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
    Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,



    #logging
    #IDP


  • 2.  RE: IDP Log actions

    Posted 07-15-2011 03:09
Is there an action to be taken on HTTP:AUDIT:URL? From your first sentence I assume you tried some attack which is of higher severity than INFO, or just created one for test with a more interesting action, right? 🙂


  • 3.  RE: IDP Log actions
    Best Answer

    Posted 07-15-2011 07:08

    Hi


In your case, "action=NONE" means nothing was done to the traffic.

    It also could be drop, etc. Does this answer your question?
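A small parser for the RT_IDP line format quoted in this thread, added here as an example (not code from the original posts or from Juniper): it splits the key=value tail so the action field the first post missed becomes a column, and it summarizes which signatures were only logged versus enforced. The sample lines are constructed in the post's format with documentation IPs, and the regex group names are this example's own labels.

```python
import re
from collections import Counter

# Regex for the SRX "RT_IDP: IDP_ATTACK_LOG_EVENT" syslog format shown in the thread
# (group names are this example's own labels, not SRX field names).
IDP_RE = re.compile(
    r"RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at (?P<epoch>\d+), (?P<kind>\w+) Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> for (?P<proto>\w+) "
    r"protocol and service (?P<service>\S+) application (?P<app>\S+) by rule (?P<rule>\d+) "
    r"of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. attack: (?P<kv>.*)$"
)

def parse_idp_event(line):
    """Field dict for one IDP_ATTACK_LOG_EVENT line, or None for any other syslog line."""
    m = IDP_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    # Tail is "repeat=2, action=NONE, threat-severity=INFO, name=..., NAT <...>, intf:..., ...":
    # keep only key=value items, so a line cut off by the collector still yields what it has.
    for part in ev.pop("kv").split(", "):
        if "=" in part:
            key, val = part.split("=", 1)
            ev[key.strip()] = val.strip(", ")
    return ev

def enforced(ev):
    """True if the IDP acted on the flow; action=NONE means the hit was only logged."""
    return ev.get("action", "NONE") != "NONE"

def summarize(lines):
    """Count (signature name, action) pairs so log-only hits stand apart from enforced ones."""
    counts = Counter()
    for ev in map(parse_idp_event, lines):
        if ev is not None:
            counts[(ev.get("name", "?"), ev.get("action", "?"))] += 1
    return counts

# Constructed sample lines in the post's format (documentation IPs, not a real capture);
# the second shows a drop, the third is cut off mid-line like the last line in the post.
SAMPLE = [
    "Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K",
    "Jul 13 08:30:29  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log "
    "<192.0.2.10/17136->198.51.100.20/80> for TCP protocol and service HTTP application NONE "
    "by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, "
    "name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - ",
    "Jul 13 08:31:10  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560270, SIGNATURE Attack log "
    "<192.0.2.10/17200->198.51.100.20/80> for TCP protocol and service HTTP application NONE "
    "by rule 2 of rulebase IPS in policy www. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:EXAMPLE:SIG, NAT <0.0.0.0:0->192.168.0.12:0>, packet-log-id: 0 and misc-message - ",
    "Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log "
    "<192.0.2.10/17136->198.51.100.20/80> for TCP protocol and service HTTP application NONE "
    "by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,",
]
```

Feeding the syslog file through `summarize` gives a quick answer to the original question: any row whose action column is NONE was logged but passed through.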



  • 4.  RE: IDP Log actions

    Posted 07-18-2011 06:39

.....I am blind.  I must have read that log 10 times and did not see the action=.  Thanks for pointing it out.