after upgrade to 15.1X49-D140.2 screen logging stopped

  • 1.  after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 09:21

    Hello, upgraded to 15.1X49-D140.2 in July; I noticed our screen logging has stopped.

    The screen is still active and the counters are increasing, but it is not logging at all???



  • 2.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 09:33

    Hello Andrew,

    Can you share with us your screen and logging config?

    If you can also share a sample log from the time it was working, it will be great too.



  • 3.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 10:34

    show log messages.3.gz | match screen
    Oct 09 12:30:19
    Jul 19 18:17:02 rtr_199_w10_1G RT_IDS: RT_SCREEN_TCP: TCP sweep!

    show system uptime
    Oct 09 12:30:47
    System booted: 2018-07-19 21:39:33 CDT

    show configuration security screen | display set
    Oct 09 12:34:25
    set security screen ids-option untrust-screen icmp ip-sweep threshold 1000000
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip unknown-protocol
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-fin
    set security screen ids-option untrust-screen tcp tcp-no-flag
    set security screen ids-option untrust-screen tcp syn-frag
    set security screen ids-option untrust-screen tcp port-scan threshold 1000000
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1500
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood timeout 10
    set security screen ids-option untrust-screen tcp land
    set security screen ids-option untrust-screen tcp winnuke
    set security screen ids-option untrust-screen tcp tcp-sweep threshold 1000000
    set security screen ids-option untrust-screen udp udp-sweep threshold 1000000
    set security screen ids-option untrust-screen limit-session source-ip-based 2000
    set security screen ids-option untrust-screen limit-session destination-ip-based 2000

    show configuration system syslog
    Oct 09 12:31:21
    user * {
        any critical;
    }
    host 10.x.x.x {
        any info;
        source-address 192.x.x.x.;
    }
    file messages {
        any warning;
        authorization warning;
    }
    file ids {
        any any;
        match RT_IDS;
        archive world-readable;
        structured-data;
    }

    show log ids
    Oct 09 12:32:15
    Jul 19 18:17:00 rtr_199_w10_1G newsyslog[75343]: logfile turned over due to -F request
    <11>1 2018-07-19T18:17:02.309-05:00 rtr_199_w10_1G RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.x.x.x=" source-port="6000" destination-address="40.x.x.x." destination-port="1433" source-zone-name="untrust"



  • 4.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 10:58

    The configuration looks fine. Is the "untrust-screen" applied to a specific security-zone?

    Are you testing/triggering an attack on that zone that would trigger any of the screens, and hence the logging of them?



  • 5.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 11:02

    I'm seeing hits; I cleared this a couple of hours ago.

    It's applied to untrust, and our interface is in the untrust zone.

    set security zones security-zone untrust screen untrust-screen


    show security screen statistics zone untrust
    Oct 09 13:00:21
    Screen statistics:

    IDS attack type                         Statistics
    ICMP flood                              0
    UDP flood                               0
    TCP winnuke                             0
    TCP port scan                           440
    UDP port scan                           0
    ICMP address sweep                      0
    TCP sweep                               136
    UDP sweep                               885
    IP tear drop                            0
    TCP SYN flood                           0
    SYN flood source                        0
    SYN flood destination                   0
    IP spoofing                             0
    ICMP ping of death                      0
    IP source route option                  0
    TCP land attack                         0
    TCP SYN fragment                        0
    TCP no flag                             0
    IP unknown protocol                     0
    IP bad options                          0
    IP record route option                  0
    IP timestamp option                     0
    IP security option                      0
    IP loose source route option            0
    IP strict source route option           0
    IP stream option                        0
    ICMP fragment                           0
    ICMP large packet                       0
    TCP SYN FIN                             0
    TCP FIN no ACK                          0
    Source session limit                    0
    TCP SYN-ACK-ACK proxy                   0
    IP block fragment                       0
    Destination session limit               0
    IPv6 extension header                   0
    IPv6 extension hop by hop option        0
    IPv6 extension destination option       0
    IPv6 extension header limit             0
    IPv6 malformed header                   0
    ICMPv6 malformed packet                 0
    IP tunnel summary                       0



  • 6.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 11:38

    Can you post the config under [edit security log]? I would like to see if mode "event" is configured.

    What's the SRX model?



  • 7.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 11:43

    show configuration security log | display set
    Oct 09 13:41:15

    Nothing (this has never been configured).

    SRX1500



  • 8.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped
    Best Answer

    Posted 10-09-2018 12:05

    Andrew,

    You need to configure mode "event" under that hierarchy.

    NOTE

    Starting with Junos OS Release 15.1X49-D100, the default mode for SRX1500 device is stream mode. Prior to Junos OS Release 15.1X49-D100, the default mode for SRX1500 device was event mode.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-system-log-message-overview.html

    Please let us know if you see the logs after setting mode event.


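An offline check for the situation described in this answer, added here as an example (it is not code from the thread or from Juniper): it reads the `security log` part of a `| display set` configuration, applies the rule quoted above (an SRX1500 on 15.1X49-D100 or later defaults to stream mode, earlier releases to event mode) to decide whether RT_SCREEN events will reach the local `system syslog` files at all, and parses an sd-syslog RT_SCREEN line of the kind shown earlier in the thread so the fix can be verified from `show log ids`. The release-string grammar, the model table and all sample inputs (RFC 5737 documentation addresses) are the example's own assumptions, not from the page.

```python
"""Offline check: will SRX screen (RT_SCREEN) events reach local syslog?

Added example for this thread, not Juniper code.  It encodes only what the
thread states: on an SRX1500, Junos 15.1X49-D100 and later default
`security log mode` to stream, earlier releases to event, and screen events
only land in the files under [edit system syslog] when the effective mode is
event.  The version grammar, the model table and the samples are assumptions.
"""
import re

# Assumption: only the SRX1500 rule from the thread is known; other models
# are reported as "unknown" rather than guessed.
STREAM_DEFAULT_SINCE = {"SRX1500": (15, 1, "X49", 100)}

# Assumed grammar for release strings such as 15.1X49-D140.2 or 15.1X49-D90.
_VER_RE = re.compile(r"^(\d+)\.(\d+)(X\d+)?-D(\d+)(?:\.(\d+))?$")
_KV_RE = re.compile(r'(\S+)="([^"]*)"')            # key="value" pairs in the SD element
_SCREEN_RE = re.compile(r"RT_SCREEN_(\w+)\s+\[([^\]]*)\]")


def parse_junos_version(ver):
    """'15.1X49-D140.2' -> (15, 1, 'X49', 140, 2); raises on unknown shapes."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {ver!r}")
    major, minor, train, d, patch = m.groups()
    return (int(major), int(minor), train or "", int(d), int(patch or 0))


def default_log_mode(model, version):
    """Default `security log mode` when none is configured, per the thread's note."""
    since = STREAM_DEFAULT_SINCE.get(model.upper())
    if since is None:
        return "unknown"
    v = parse_junos_version(version)
    if v[:3] != since[:3]:          # different release train: do not guess
        return "unknown"
    return "stream" if v[3] >= since[3] else "event"


def configured_log_mode(display_set_lines):
    """Explicit `set security log mode <x>` from `| display set` output, else None."""
    for line in display_set_lines:
        parts = line.split()
        if parts[:4] == ["set", "security", "log", "mode"] and len(parts) >= 5:
            return parts[4]
    return None


def screen_logging_to_local_syslog(display_set_lines, model, version):
    """Return (effective_mode, reaches_local_syslog, explanation)."""
    mode = configured_log_mode(display_set_lines)
    origin = "configured"
    if mode is None:
        mode, origin = default_log_mode(model, version), "default"
    if mode == "event":
        return mode, True, f"mode event ({origin}): RT_SCREEN events go to system syslog"
    if mode == "stream":
        return mode, False, (f"mode stream ({origin}): RT_SCREEN events bypass system "
                             "syslog; configure `set security log mode event`")
    return mode, False, f"default mode unknown for {model} on {version}; set it explicitly"


def parse_rt_screen(line):
    """Fields of one sd-syslog RT_SCREEN_* line, or None for any other line.

    A line cut off before the closing ']' (as pasted output often is) also
    returns None rather than a half-parsed record.
    """
    m = _SCREEN_RE.search(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(m.group(2)))
    fields["protocol"] = m.group(1)              # e.g. TCP from RT_SCREEN_TCP
    return fields


# Constructed samples (addresses from RFC 5737 documentation ranges).
SAMPLE_CONFIG = [
    "set security log mode event",
    "set security log format sd-syslog",
    "set security log source-address 192.0.2.1",
]
SAMPLE_LOG = ('<11>1 2018-07-19T18:17:02.309-05:00 rtr_199_w10_1G RT_IDS - RT_SCREEN_TCP '
              '[junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="203.0.113.5" '
              'source-port="6000" destination-address="198.51.100.9" destination-port="1433" '
              'source-zone-name="untrust"]')

if __name__ == "__main__":
    # Before the fix: nothing under [edit security log] on an SRX1500 at D140.2.
    print(screen_logging_to_local_syslog([], "SRX1500", "15.1X49-D140.2"))
    # After the fix: mode event configured explicitly.
    print(screen_logging_to_local_syslog(SAMPLE_CONFIG, "SRX1500", "15.1X49-D140.2"))
    print(parse_rt_screen(SAMPLE_LOG))
```

Feed it the real `show configuration security log | display set` output and `show version` string; an empty configuration on a D140.2 SRX1500 comes back as stream mode, which is exactly why the counters kept climbing while `file ids` stayed silent. Once `show log ids` shows new RT_SCREEN lines after the commit, `parse_rt_screen` gives you the attack name, zone and endpoints for whatever SIEM correlation you already do.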

  • 9.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 15:21

    Working now with the below.

    This will still make it to our syslog server, correct?

    show configuration security log | display set
    Oct 09 17:20:03
    set security log mode event
    set security log format sd-syslog
    set security log source-address 192



  • 10.  RE: after upgrade to 15.1X49-D140.2 screen logging stopped

    Posted 10-09-2018 15:41

    Nice! Yes, it should work because the configuration under [edit system syslog] didn't change after the upgrade.