Hi.
I have a problem configuring an IDP policy on srx34. My goal is to configure IDP inspection for inbound traffic with a policy 1, and for outbound traffic with a policy 2. Going by this doc, which states that: "In SRX 18.3 versions and above, security policies may use a different IDP policy allowing unique IDP rules processing for each security-policy", I created this test configuration:
[show security policies from-zone outbound to-zone inbound]
policy ...
...
policy alarmtest {
    match {
        source-address any;
        destination-address any;
        application junos-defaults;
        dynamic-application junos:HTTP;
    }
    then {
        permit {
            application-services {
                idp-policy Alarm-Test;
            }
        }
    }
}
policy deny-all {
    match {
        source-address any;
        destination-address any;
        application any;
        dynamic-application any;
    }
    then {
        deny;
        count;
    }
}
[show security policies from-zone inbound to-zone outbound]
policy ...
...
policy apt {
    match {
        source-address any;
        destination-address [ artifacts.elastic.co ftp.us.debian.org security.debian.org ];
        application [ junos-http junos-https ];
        dynamic-application [ junos:HTTP junos:SSL junos:DEBIAN junos:DEBIAN-UPDATE ];
    }
    then {
        permit {
            application-services {
                idp-policy Client-Protection;
            }
        }
    }
}
policy deny-all {
    match {
        source-address any;
        destination-address any;
        application any;
        dynamic-application any;
    }
    then {
        reject;
        count;
    }
}
[show security idp idp-policy Alarm-Test]
rulebase-ips {
    rule Alarm-Test {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks alarmtest;
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[show security idp custom-attack alarmtest]
recommended-action none;
severity major;
attack-type {
    signature {
        context http-get-url;
        pattern .*;
        direction client-to-server;
    }
}
When I make an HTTP request from the outbound zone to the inbound zone, the Alarm-Test policy logs the attack as expected:
May 14 13:48:05 HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000083, SIG Attack log <[outbound ip]/48140->[inbound ip]/80> for TCP protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy Alarm-Test. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:outbound:reth0.540->inbound:reth0.541, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
But when I make an HTTP request from an inbound host outward, my test attack is also triggered in the Client-Protection policy:
May 14 13:48:17 HOSTNAME RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1621000094, SIG Attack log <[inbound ip]/36708->151.101.66.132/80> for TCP protocol and service SERVICE_IDP application DEBIAN-UPDATE by rule 1 of rulebase IPS in policy Client-Protection. attack: id=1048576, repeat=0, action=NONE, threat-severity=HIGH, name=alarmtest, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:inbound:reth0.541->outbound:reth0.540, packet-log-id: 0, alert=no, username=N/A, roles=N/A, xff-header=N/A and misc-message -
This is weird because the Client-Protection policy does not contain a rule that inspects my custom attack, as it is provided by the Juniper predefined IDP Policy Templates and left unchanged.
So why is the alarmtest attack triggered in the outbound direction in the Client-Protection policy, which does not contain a check for this attack?
Additional info:
node0:
--------------------------------------------------------------------------
Hostname: HOSTNAME
Model: srx345-dual-ac
Junos: 19.4R3.11
JUNOS Software Release [19.4R3.11]
node1:
--------------------------------------------------------------------------
Hostname: HOSTNAME
Model: srx345-dual-ac
Junos: 19.4R3.11
JUNOS Software Release [19.4R3.11]
node0:
--------------------------------------------------------------------------
Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
Detector version :12.6.160200828
Policy template version :3381
node1:
--------------------------------------------------------------------------
Attack database version:3382(Thu May 13 14:42:19 2021 UTC)
Detector version :12.6.160200828
Policy template version :3381
------------------------------
KIRILL SHESTAKOV
------------------------------