SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Excluding an IDP policy

    Posted 03-11-2011 06:41

    On our SRX210 I'm trying to exclude the policy HTTP:SQL:INJ:HEADER-3 from IDP. It's generating false positives and isn't recommended policy anyway.

     

    Any clue on how to achieve this?

     

    This is the config I'm trying (rule 0 should exclude the attack):


    {primary:node0}[edit security idp idp-policy HXS_Web_Server rulebase-ips]
    rule 0 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attacks HTTP:SQL:INJ:HEADER-3;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
            severity warning;
        }
    }
    rule 1 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule 2 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" ];
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule 3 {
        match {
            from-zone untrust;
            source-address any;
            to-zone trust;
            destination-address [ set-webserver set-ssl ];
            application default;
            attacks {
                predefined-attack-groups [ "FTP - Minor" "HTTP - Minor" "SHELLCODE - Minor" ];
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }

     

    However, the connections are still blocked.


  • 2.  RE: Excluding an IDP policy
    Best Answer

    Posted 03-11-2011 07:11

    Make sure you are running 10.2R3; there seemed to be some issues with previous versions excluding IDP rules.

    Use the following to exclude an item:

     

    [edit security idp idp-policy HXS_Web_Server]

    rulebase-exempt {
        rule HTTP-exempt {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                attacks {
                    predefined-attacks HTTP:SQL:INJ:HEADER-3;
                }
            }
        }
    }



  • 3.  RE: Excluding an IDP policy

    Posted 03-11-2011 08:25

    Thanks, that almost solved it. It was completely solved by matching the "match" criteria of the exempt rule to the "match" criteria of the rulebase-ips rule.
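    Putting the accepted answer and the follow-up together, here is the exempt rule in full configuration format. This is an added example, not config posted in the thread: the policy name HXS_Web_Server, the untrust/trust zone pair and the set-webserver/set-ssl address sets are taken from the original post, the rule name HTTP-exempt from the answer, and the match criteria are copied from the rulebase-ips rules as post 3 describes. Scoping the exempt rule to those destination sets, rather than any/any, keeps the signature active for every other host behind the box; an exempt rule switches the signature off for whatever it matches, so keep its match as narrow as the false positives require.

```junos
/* Added example, not configuration from the thread. Assumes idp-policy
   HXS_Web_Server, zones untrust/trust and address sets set-webserver and
   set-ssl as used in the original post. */
security {
    idp {
        idp-policy HXS_Web_Server {
            /* The exempt rule copies the match criteria of the rulebase-ips
               rules that were dropping the traffic (per post 3). Exempt rules
               carry no application statement; only zones, addresses and the
               attack(s) being exempted. */
            rulebase-exempt {
                rule HTTP-exempt {
                    match {
                        from-zone untrust;
                        source-address any;
                        to-zone trust;
                        destination-address [ set-webserver set-ssl ];
                        attacks {
                            predefined-attacks HTTP:SQL:INJ:HEADER-3;
                        }
                    }
                }
            }
            /* rulebase-ips rules 1 to 3 stay as posted. Rule 0 (no-action)
               from the original attempt is deleted: rulebase-ips rules are
               evaluated non-terminally by default, so a no-action match does
               not stop a later drop-packet rule whose attack group contains
               the same signature (presumably rule 2's HTTP groups here). */
        }
    }
}
```

    To apply it against the configuration in the first post, run `delete security idp idp-policy HXS_Web_Server rulebase-ips rule 0` in configuration mode, add the rulebase-exempt stanza above, then `commit check` and `commit`. Afterwards `show security idp policy-commit-status` confirms the policy compiled, and `show security idp attack table` should stop accumulating HTTP:SQL:INJ:HEADER-3 hits toward the web servers while other signatures, and the same signature toward other destinations, keep counting.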