I'm trying to find out whether the Juniper IPS signatures include one for blocking Monero mining malware, but I haven't found any.
I would appreciate it if someone could explain this to me.
I would not expect the IPS to block this kind of malware.
This is more a task for the AV engine or the Sky ATP file emulation service combined with the threat feed for C&C servers (actually I do not know whether C&C for crypto miners is in this category; you will have to ask Juniper SEs to get this information).
It could also, to some extent, be accomplished by the enhanced webfilter blocking categories like "Compromised Websites", "Suspicious Content", "Bot Networks", "Potentially Unwanted Software" or similar.
(all categories are listed here: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-category-web-filtering.html)
If both AV and Sky ATP are to have a chance of catching this malware, I would also expect you to run SSL forward proxy on the SRX gateway to be able to scan HTTPS traffic.
Sky ATP threat feeds and Enhanced webfilter will work without SSL forward proxy.
I hope this clarifies your options to mitigate this kind of threat.
It looks like the attack signature was just released yesterday. So my second question is how to check whether this attack signature is already bundled into the "Recommended" policy template or not, because currently I'm using the "Recommended" policy template. I appreciate anyone's feedback.

srx5800> show security idp attack detail HTTP:BIT-COIN-MINING
Display Name: HTTP: Bit-Coin Cryptocurrency Mining
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: unknown
Shellcode: no
Flow: control
Context: http-first-data-chunk
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: True
Pattern: Protected
Can you try: file show /var/db/idpd/sets/Recommended.set | find "BIT-COIN-MINING"
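For checking several attack objects at once, the "show security idp attack detail" output pasted above can be parsed offline instead of read by eye. This is an added example, not code from the thread or from Juniper; the input below is the pasted output re-typed with its line breaks, and the "recommended_coverage" helper and its field names are assumptions of this example.

```python
# Output of "show security idp attack detail HTTP:BIT-COIN-MINING" as pasted
# in the thread, re-typed with line breaks (constructed sample input; it is
# not fetched from a device).
ATTACK_DETAIL = """\
Display Name: HTTP: Bit-Coin Cryptocurrency Mining
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: unknown
Shellcode: no
Flow: control
Context: http-first-data-chunk
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: True
Pattern: Protected
"""


def parse_attack_detail(text):
    """Parse 'Field: value' lines into a dict.

    Split on the first ':' only, because values such as the display name
    contain further colons ('HTTP: Bit-Coin ...'); a field with no value
    ('TimeBinding:') maps to an empty string.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def recommended_coverage(text):
    """Summarise whether the attack object is flagged for the Recommended
    policy template, the action that template takes, and the direction the
    signature inspects (CTS = client-to-server, i.e. the miner's request)."""
    fields = parse_attack_detail(text)
    return {
        "recommended": fields.get("Recommended", "").lower() == "true",
        "action": fields.get("Recommended Action", ""),
        "direction": fields.get("Direction", ""),
    }
```

Feed each saved "show security idp attack detail" output through recommended_coverage() to list the objects the Recommended template does not include (recommended is False), which you then have to add to a custom policy yourself.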