SRX

Problem configuring multiple IDP policies for Unified Security Policies

    Posted 05-14-2021 11:53

    Hi.

    I have a problem configuring an IDP policy on srx34. My goal is to configure IDP inspection for inbound traffic by policy 1 and for outbound traffic by policy 2. Going by this doc, which states that: "In SRX 18.3 versions and above, security policies may use different a different IDP policy allowing unique IDP rules processing for each security-policy", I created this test configuration:

    [show security policies from-zone outbound to-zone inbound]
    policy ...
    ...
    policy alarmtest {
        match {
            source-address any;
            destination-address any;
            application junos-defaults;
            dynamic-application junos:HTTP; 
        }
        then {
            permit {
                application-services {
                    idp-policy Alarm-Test;
                }
            }
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            deny;
            count;
        }
    }
    
    [show security policies from-zone inbound to-zone outbound]
    policy ...
    ...
    policy apt {
        match {
            source-address any;
            destination-address [ artifacts.elastic.co ftp.us.debian.org security.debian.org ];
            application [ junos-http junos-https ];
            dynamic-application [ junos:HTTP junos:SSL junos:DEBIAN junos:DEBIAN-UPDATE ];
        }
        then {
            permit {
                application-services {
                    idp-policy Client-Protection;
                }
            }
        }
    }
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            reject;
            count;
        }
    }
    
    [show security idp idp-policy Alarm-Test]
    rulebase-ips {
        rule Alarm-Test {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    custom-attacks alarmtest;
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
    
    [show security idp custom-attack alarmtest]
    recommended-action none;
    severity major;
    attack-type {
        signature {
            context http-get-url;
            pattern .*;
            direction client-to-server;
        }
    }
    


    When I make an HTTP request from the outbound zone to the inbound zone, the Alarm-Test policy logs the attack as expected:

    May 14 13:48:05  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000083, SIG Attack log <[oubound ip]/48140->[inbound ip]/80> for TCP protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy Alarm-Test. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:outbound:reth0.540->inbound:reth0.541, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
    


    But when I make an HTTP request from an inbound host outwards, my test attack is also triggered in the Client-Protection policy:

    May 14 13:48:17  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000094, SIG Attack log <[inbound ip]/36708->151.101.66.132/80> for TCP protocol and service SERVICE_IDP application DEBIAN-UPDATE by rule 1 of rulebase IPS in policy Client-Protection. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:inbound:reth0.541->outbound:reth0.540, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
    

    This is weird because the Client-Protection policy does not contain a rule that inspects my custom attack: it is provided by Juniper's predefined IDP policy templates and was left unchanged.

    So why is the alarmtest attack triggered in the outbound direction in the Client-Protection policy, which does not contain a check for this attack?

    Additional info:

    node0:
    --------------------------------------------------------------------------
    Hostname: HOSTNAME
    Model: srx345-dual-ac
    Junos: 19.4R3.11
    JUNOS Software Release [19.4R3.11]
    
    node1:
    --------------------------------------------------------------------------
    Hostname: HOSTNAME
    Model: srx345-dual-ac
    Junos: 19.4R3.11
    JUNOS Software Release [19.4R3.11]
    
    node0:
    --------------------------------------------------------------------------
    
      Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
      Detector version :12.6.160200828
      Policy template version :3381
    
    node1:
    --------------------------------------------------------------------------
    
      Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
      Detector version :12.6.160200828
      Policy template version :3381
    


    ------------------------------
    KIRILL SHESTAKOV
    ------------------------------
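An added example (not code from the post, Juniper or the SRX itself) that parses RT_IDP IDP_ATTACK_LOG_EVENT lines in the format quoted above and flags any custom attack reported under an IDP policy whose rulebase does not reference it, which is exactly the mismatch the post describes. The sample log lines are constructed from the two quoted in the post with documentation-range IP addresses substituted; the predefined signature name `EXAMPLE-PREDEFINED-SIG` is a placeholder, not a real Juniper signature; and the mapping of custom attack to owning policies is assumed to be taken from `show security idp idp-policy <name>` output.

```python
"""Parse Junos RT_IDP IDP_ATTACK_LOG_EVENT lines and flag custom attacks that
fire under an IDP policy which is not configured to match them (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Field order follows the IDP_ATTACK_LOG_EVENT lines quoted in the post:
# src/dst, rule, rulebase, policy, action, attack name, ingress/egress zone+interface.
IDP_RE = re.compile(
    r"IDP_ATTACK_LOG_EVENT: .*?SIG Attack log <(?P<src>[^>]+)->(?P<dst>[^>]+)>"
    r".*? by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+?)\. attack:"
    r".*?action=(?P<action>[^,]+),"
    r".*?name=(?P<attack>[^,]+),"
    r".*?intf:(?P<from_zone>[^:]+):(?P<from_if>[^-]+)->(?P<to_zone>[^:]+):(?P<to_if>[^,]+),"
)


@dataclass(frozen=True)
class IdpEvent:
    src: str
    dst: str
    rule: int
    rulebase: str
    policy: str
    action: str
    attack: str
    from_zone: str
    from_if: str
    to_zone: str
    to_if: str

    @property
    def direction(self) -> str:
        """Zone pair the session traversed, e.g. 'inbound->outbound'."""
        return f"{self.from_zone}->{self.to_zone}"


def parse_idp_event(line: str) -> Optional[IdpEvent]:
    """Return an IdpEvent for an IDP attack log line, or None for any other syslog line."""
    m = IDP_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    return IdpEvent(**fields)


def find_unexpected_hits(lines: Iterable[str],
                         custom_attack_owners: Dict[str, Set[str]]) -> List[IdpEvent]:
    """custom_attack_owners maps a custom attack name to the IDP policies whose
    rulebase references it (assumed to be read from 'show security idp idp-policy <name>').
    Every hit on a custom attack that is reported under some other policy is returned,
    so a non-empty result means the box applied a rule the policy should not contain."""
    unexpected: List[IdpEvent] = []
    for line in lines:
        ev = parse_idp_event(line)
        if ev is None or ev.attack not in custom_attack_owners:
            continue  # not an IDP event, or a predefined signature we do not track here
        if ev.policy not in custom_attack_owners[ev.attack]:
            unexpected.append(ev)
    return unexpected


# Constructed sample input: the post's two lines with placeholder (RFC 5737) addresses,
# one constructed hit on a placeholder predefined signature, and one unrelated syslog line.
SAMPLE_LOGS = [
    "May 14 13:48:05  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000083, SIG Attack log "
    "<192.0.2.10/48140->198.51.100.5/80> for TCP protocol and service SERVICE_IDP application HTTP "
    "by rule 1 of rulebase IPS in policy Alarm-Test. attack: id=1048576, repeat=0, action=NONE, "
    "threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:outbound:reth0.540->inbound:reth0.541, "
    "packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -",
    "May 14 13:48:17  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000094, SIG Attack log "
    "<198.51.100.5/36708->203.0.113.132/80> for TCP protocol and service SERVICE_IDP application "
    "DEBIAN-UPDATE by rule 1 of rulebase IPS in policy Client-Protection. attack: id=1048576, "
    "repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, "
    "time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, "
    "intf:inbound:reth0.541->outbound:reth0.540, packet-log-id: 0, alert=no, username=N/A, "
    "roles=N/A, xff-header=N/A and misc-message -",
    "May 14 13:49:02  HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000140, SIG Attack log "
    "<198.51.100.5/36710->203.0.113.132/80> for TCP protocol and service SERVICE_IDP application HTTP "
    "by rule 3 of rulebase IPS in policy Client-Protection. attack: id=123, repeat=0, action=DROP, "
    "threat-severity=HIGH, name=EXAMPLE-PREDEFINED-SIG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, "
    "inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:inbound:reth0.541->outbound:reth0.540, "
    "packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -",
    "May 14 13:49:30  HOSTNAME sshd[1234]: Accepted publickey for admin from 192.0.2.20 port 50000",
]

# Assumed: only the Alarm-Test policy's rulebase references the custom attack 'alarmtest'.
CUSTOM_ATTACK_OWNERS: Dict[str, Set[str]] = {"alarmtest": {"Alarm-Test"}}

if __name__ == "__main__":
    for hit in find_unexpected_hits(SAMPLE_LOGS, CUSTOM_ATTACK_OWNERS):
        print(f"UNEXPECTED: {hit.attack} matched in policy {hit.policy} "
              f"({hit.direction}, rule {hit.rule}, {hit.src} -> {hit.dst})")
```

Run against the sample lines, the script reports only the second line (alarmtest under Client-Protection, inbound->outbound); the same check can be fed a live syslog file to confirm whether the behaviour persists after a config or release change.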