Problem configuring multiple IDP policies for Unified Security Policies

    Posted 05-14-2021 11:53

    Hi.

    I have a problem configuring an IDP policy on an SRX345. My goal is to configure IDP inspection for inbound traffic by policy 1 and outbound traffic by policy 2. Going by this doc, which states that "In SRX 18.3 versions and above, security policies may use a different IDP policy, allowing unique IDP rules processing for each security-policy", I created this test configuration:

    [show security policies from-zone outbound to-zone inbound]
    policy ...
    ...
    policy alarmtest {
        match {
            source-address any;
            destination-address any;
            application junos-defaults;
            dynamic-application junos:HTTP; 
        }
        then {
            permit {
                application-services {
                    idp-policy Alarm-Test;
                }
            }
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            deny;
            count;
        }
    }
    
    [show security policies from-zone inbound to-zone outbound]
    policy ...
    ...
    policy apt {
        match {
            source-address any;
            destination-address [ artifacts.elastic.co ftp.us.debian.org security.debian.org ];
            application [ junos-http junos-https ];
            dynamic-application [ junos:HTTP junos:SSL junos:DEBIAN junos:DEBIAN-UPDATE ];
        }
        then {
            permit {
                application-services {
                    idp-policy Client-Protection;
                }
            }
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            reject;
            count;
        }
    }
    
    [show security idp idp-policy Alarm-Test]
    rulebase-ips {
        rule Alarm-Test {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    custom-attacks alarmtest;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
    
    [show security idp custom-attack alarmtest]
    recommended-action none;
    severity major;
    attack-type {
        signature {
            context http-get-url;
            pattern .*;
            direction client-to-server;
        }
    }
    


    When I make an HTTP request from the outbound zone to the inbound zone, the Alarm-Test policy logs the attack as expected:

    May 14 13:48:05  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000083, SIG Attack log <[oubound ip]/48140->[inbound ip]/80> for TCP protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy Alarm-Test. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:outbound:reth0.540->inbound:reth0.541, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
    


    But when I make an HTTP request from an inbound host outwards, my test attack is also triggered in the Client-Protection policy:

    May 14 13:48:17  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000094, SIG Attack log <[inbound ip]/36708->151.101.66.132/80> for TCP protocol and service SERVICE_IDP application DEBIAN-UPDATE by rule 1 of rulebase IPS in policy Client-Protection. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:inbound:reth0.541->outbound:reth0.540, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
    

    This is weird because the Client-Protection policy does not contain a rule that inspects my custom attack, as it is provided by the Juniper predefined IDP policy templates and was left unchanged.

    So why is the alarmtest attack triggered in the outbound direction in the Client-Protection policy, which does not contain a check for this attack?

    Additional info:

    node0:
    --------------------------------------------------------------------------
    Hostname: HOSTNAME
    Model: srx345-dual-ac
    Junos: 19.4R3.11
    JUNOS Software Release [19.4R3.11]
    
    node1:
    --------------------------------------------------------------------------
    Hostname: HOSTNAME
    Model: srx345-dual-ac
    Junos: 19.4R3.11
    JUNOS Software Release [19.4R3.11]
    
    node0:
    --------------------------------------------------------------------------
    
      Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
      Detector version :12.6.160200828
      Policy template version :3381
    
    node1:
    --------------------------------------------------------------------------
    
      Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
      Detector version :12.6.160200828
      Policy template version :3381
    


    ------------------------------
    KIRILL SHESTAKOV
    ------------------------------
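An added example, not part of the original post: a small Python parser for the IDP_ATTACK_LOG_EVENT lines quoted above. It records which zone pair each IDP policy was applied to and flags events where the logged attack name is not one the named IDP policy references (here, alarmtest showing up under Client-Protection). The sample lines are constructed from the two events in the post with placeholder addresses, and the policy-to-attack map is an assumption supplied from one's own configuration.

```python
import re
from collections import defaultdict

# Field pattern for the IDP_ATTACK_LOG_EVENT lines quoted in the post above.
EVENT_RE = re.compile(
    r"SIG Attack log <(?P<src>[^/]+)/(?P<sport>\d+)->(?P<dst>[^/]+)/(?P<dport>\d+)>"
    r".*? application (?P<app>\S+) by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+)"
    r" in policy (?P<policy>\S+?)\. attack:.*? name=(?P<attack>[^,]+),"
    r".*? intf:(?P<from_zone>[^:]+):(?P<in_if>[^-]+)->(?P<to_zone>[^:]+):(?P<out_if>[^,]+),"
)

# Constructed sample log modelled on the two events in the post (placeholder addresses).
SAMPLE_LOG = """\
May 14 13:48:05  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000083, SIG Attack log <192.0.2.10/48140->198.51.100.20/80> for TCP protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy Alarm-Test. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:outbound:reth0.540->inbound:reth0.541, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
May 14 13:48:17  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000094, SIG Attack log <198.51.100.20/36708->151.101.66.132/80> for TCP protocol and service SERVICE_IDP application DEBIAN-UPDATE by rule 1 of rulebase IPS in policy Client-Protection. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:inbound:reth0.541->outbound:reth0.540, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
"""


def parse_event(line):
    """Return the named fields of one IDP attack log line, or None for any other line."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every IDP attack event in a syslog excerpt, skipping unrelated lines."""
    return [e for e in (parse_event(line) for line in text.splitlines()) if e]


def direction_by_policy(events):
    """Map each IDP policy name to the (from-zone, to-zone) pairs it was applied to."""
    seen = defaultdict(set)
    for e in events:
        seen[e["policy"]].add((e["from_zone"], e["to_zone"]))
    return dict(seen)


def unexpected_hits(events, policy_attacks):
    """Events whose attack name is not one the logged IDP policy is configured to reference.

    policy_attacks maps IDP policy name -> set of custom attack names (an assumed map built
    from one's own configuration); a policy absent from it is treated as referencing none."""
    return [(e["policy"], e["attack"], e["from_zone"], e["to_zone"])
            for e in events if e["attack"] not in policy_attacks.get(e["policy"], set())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(direction_by_policy(evs))
    # Only Alarm-Test references the custom attack in the configuration shown in the post.
    print(unexpected_hits(evs, {"Alarm-Test": {"alarmtest"}}))
```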