Junos OS




  • 1.  SRX Firewall IPS Signature Demonstration

    Posted 10-04-2021 10:51
    I am using an SRX320 with IPS. I need to demonstrate an IPS signature trigger by traffic/access simulation. I am trying SQL injection by web access, but it doesn't seem to work. What's the easiest way to demonstrate any IPS signature?

    ------------------------------
    Avil Tauro
    ------------------------------


  • 2.  RE: SRX Firewall IPS Signature Demonstration

     
    Posted 10-04-2021 13:27

    Hi, 

    One of the easiest signatures to trigger is IP:EXPLOIT:SAME-SRC-DST.

    You can use hping to spoof the src IP to be the same as the dst IP, which will trigger this signature.

    Other potential signatures are the HTTP-based HTTP:EXPLOIT:BRUTE-FORCE and HTTP:PHP:WP-BRUTE-FORCE-LOGIN.
    This requires having an HTTP server, and WordPress for the second one. Note that HTTP:EXPLOIT:BRUTE-FORCE does not result in a blocking action.

    For brute-force attacks you can use tools like hydra, or wpscan for WordPress.

    HTH.

    Ashvin



    ------------------------------
    Ashvin
    ------------------------------



  • 3.  RE: SRX Firewall IPS Signature Demonstration

    Posted 10-05-2021 05:18
    I have the web server running and HTTP allowed, and I am appending the following to the URL, but I don't see any logs getting generated. Could you share the policy for IPS to trigger alerts?

    get_int_filtered.php?id=1
    get_int_groupby.php?id=1
    get_int_having.php?id=1
    get_int_img.php?id=1
    get_int_inline.php?id=SELECT+name+FROM+users

    ------------------------------
    Avil Tauro
    ------------------------------
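
An IDP policy of the kind asked for in the last post, written as an added example that is not from any participant in the thread: it matches two of the signatures named in post 2 and logs each hit without blocking. The names IPS-DEMO, SIG-DEMO and WEB-IN and the untrust/trust zones are assumptions to be replaced with the device's own.

```junos
# Configuration mode. IPS-DEMO, SIG-DEMO, WEB-IN and the zone names are hypothetical.
# Rule: match the two predefined attacks from post 2 in any direction.
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match from-zone any
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match to-zone any
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match source-address any
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match destination-address any
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match application default
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match attacks predefined-attacks "IP:EXPLOIT:SAME-SRC-DST"
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO match attacks predefined-attacks "HTTP:PHP:WP-BRUTE-FORCE-LOGIN"

# Log the detection but take no action on the traffic, so repeated demo runs keep working.
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO then action no-action
set security idp idp-policy IPS-DEMO rulebase-ips rule SIG-DEMO then notification log-attacks

# Attach IDP to the security policy that permits the test traffic (Junos 18.2R1 and later).
set security policies from-zone untrust to-zone trust policy WEB-IN then permit application-services idp-policy IPS-DEMO

# On releases before 18.2R1, activate the policy globally and enable IDP on the security policy instead:
# set security idp active-policy IPS-DEMO
# set security policies from-zone untrust to-zone trust policy WEB-IN then permit application-services idp

# Operational mode, after commit: confirm the engine is running, the signature
# package is installed, and then look for hits once the test traffic has been sent.
# show security idp status
# show security idp security-package-version
# show security idp attack table
```

The test traffic has to cross the SRX through the security policy that carries the IDP application service; sessions that match a different policy are never inspected and produce no attack log.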