SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series.
  • 1.  IDP Log actions

    Posted 07-14-2011 07:59

    Hi All,

     

      I have been playing around alot with the SRX IDP logging.  I have had it go to STRM, NSM, and used the onboard syslog.  Once thing I noticed is that the system logs the Attack that was seen but does not log the action ( dropped, allowed).  How can I see what was done to the traffic.

     

    Here is an example of an IDP log that I get.  No clue if the IDP dropped these or accepted them.  The policy is the template Web_Server policy.

     

    Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K
    Jul 13 08:30:29  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
    Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560228, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
    Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,

     


    #logging
    #IDP


  • 2.  RE: IDP Log actions

     
    Posted 07-15-2011 03:09
    Is there an action to be taken on HTTP:AUDIT:URL ? From your first sentence I assume you tried some attack which is of higher severity than INFO, or just created one for test with a more interesting action, right ? 🙂


  • 3.  RE: IDP Log actions
    Best Answer

    Posted 07-15-2011 07:08

    Hi

     

    In you case, "action=NONE" means nothing was done to the traffic.

    It also could be drop, etc. Does this answer your question?



  • 4.  RE: IDP Log actions

    Posted 07-18-2011 06:39

    Smiley Mad .....I am blind.  I must have read that log 10 times and did not see the action=.  Thanks for pointing it out.