SRX




  • 1.  Excluding an IDP policy

    Posted 03-11-2011 06:41

    On our SRX210 I'm trying to exclude the policy HTTP:SQL:INJ:HEADER-3 from IDP. It's generating false positives and isn't a recommended policy anyway.

     

    Any clue on how to achieve this?

     

    This is the config I'm trying (rule 0 should exclude the attack):

     

     

    {primary:node0}[edit security idp idp-policy HXS_Web_Server rulebase-ips]
    rule 0 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attacks HTTP:SQL:INJ:HEADER-3;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
            severity warning;
        }
    }
    rule 1 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule 2 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" ];
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule 3 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "FTP - Minor" "HTTP - Minor" "SHELLCODE - Minor" ];
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }

     

    However, the connections are still blocked.

     




  • 2.  RE: Excluding an IDP policy
    Best Answer

    Posted 03-11-2011 07:11

    Make sure you are running 10.2R3; there seemed to be some issues with previous versions excluding IDP rules.

    Use the following to exclude an item:

     

    [edit security idp idp-policy HXS_Web_Server]

    /* exempt rulebase: attacks matched here are ignored even if a rulebase-ips rule would act on them */
    rulebase-exempt {
        rule HTTP-exempt {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                attacks {
                    predefined-attacks HTTP:SQL:INJ:HEADER-3;
                }
            }
        }
    }



  • 3.  RE: Excluding an IDP policy

    Posted 03-11-2011 08:25

    Thanks, that almost solved it. It was completely solved by matching the "match" criteria of the exempt rule to the "match" criteria of the rulebase-ips rule.
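Putting reply 2 and reply 3 together, the following is an added example in Junos set form (not posted by anyone in the thread). It assumes the policy name, zones and address sets from the original post and the rule name HTTP-exempt from reply 2. The exempt rule is scoped to the same from-zone, to-zone and destination sets as the rulebase-ips rules, so the signature is suppressed only for the web-server traffic that produces the false positives rather than disabled for every flow the box inspects. Rule 0 from the original config is deleted because a no-action rule in rulebase-ips is not terminal: rules 1 to 3 are still evaluated afterwards, which is why a later drop-packet rule could still block the session. The `#` lines are explanatory and not part of the commands.

```junos
# Added example, not from the thread. Assumes policy HXS_Web_Server, zones
# untrust/trust and address sets set-webserver/set-ssl from the original post.

# 1. Exempt rule whose match criteria mirror the rulebase-ips rules, so the
#    exemption covers exactly the traffic those rules inspect and nothing more.
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match from-zone untrust
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match source-address any
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match to-zone trust
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match destination-address set-webserver
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match destination-address set-ssl
set security idp idp-policy HXS_Web_Server rulebase-exempt rule HTTP-exempt match attacks predefined-attacks HTTP:SQL:INJ:HEADER-3

# 2. The original no-action rule 0 is redundant once the exemption exists:
#    no-action does not stop evaluation, so a later drop-packet rule whose
#    attack group contains this signature would still fire without the exemption.
delete security idp idp-policy HXS_Web_Server rulebase-ips rule 0

# 3. The policy is only enforced while it is the active IDP policy
#    (Junos 10.x-era syntax, as used on the poster's release).
set security idp active-policy HXS_Web_Server

# 4. Validate before applying, then commit with an audit comment.
commit check
commit comment "exempt HTTP:SQL:INJ:HEADER-3 for web server address sets only"

# 5. Verify from configuration mode: the exempt rule is present and the
#    signature's hit count in the attack table stops increasing for this traffic.
run show configuration security idp idp-policy HXS_Web_Server rulebase-exempt
run show security idp attack table
```

Keep the exemption as narrow as the false positive requires: an `any`/`any` exempt rule, as in reply 2, silences the signature for all zones and hosts, whereas scoping it to the web-server sets leaves the check in place for everything else. Re-check the attack table after a day of traffic to confirm no other rule is still dropping the same sessions.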