Screen OS

 View Only
last person joined: 11 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Deep Inspection Log Messages SYSLOG

    Posted 03-29-2013 08:04

    Hi,

     

    I've implemented Deep Inspection on a few policies on a SSG140.

    If I do a "debug idp all"on the CLI I get log returned but I don't see the log messages on my syslog server.

    I'm logging all traffic and events to syslog but IDP related messages like below do not show up;

     

    SC_KQMSG_ADD_CONTEXT: service HTTP, type HTTP_STATUS, length 22, skip true
    sc_ids_bfq_poll: expiring 212.61.xx.xx -> 212.61.xx.xx HTTP, BRUTE_SEARCH, count 1
    sc_ids_bfq_add: added 212.61.xx.xx -> 212.61.xx.xx HTTP, BRUTE_SEARCH
    _sc_http_verify_flow: (23 s2c)Content-Type: text/html
    _sc_http_verify_flow: found header 'content-type:'(13, max 33699444) in line: content-type: text/html
    SC_KQMSG_ADD_CONTEXT_FUNC: service HTTP, type 33, length 9, skip false
    _sc_http_verify_flow: (25 s2c)Server: Microsoft-IIS/7.5
    _sc_http_verify_flow: found header 'server:'(7, max 33699432) in line: server: Microsoft-IIS/7.5
    SC_KQMSG_ADD_CONTEXT_FUNC: service HTTP, type 31, length 17, skip true
    _sc_http_verify_flow: (21 s2c)X-Powered-By: ASP.NET
    _sc_http_verify_flow: Didn't find header in line: x-powered-by: ASP.NET

     

    Thanks in advance.

     

    Cheers Ray


    #IDP
    #deepinspection
    #syslog


  • 2.  RE: Deep Inspection Log Messages SYSLOG

    Posted 03-29-2013 20:13

    Hi Ray,

     

    The messages that you are looking at is nothing but a debug. This output is telling you how the device is processing the packet using the Deep Inspection feature, hence such kind of messages are limited to device itself.

     

    However, whatever are the event related entries to the same should be present on device as well as Syslog server. I would like to confirm if you are receiving such event entries on your Syslog server. If not, you can refer to following to check the settings once http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759&smlogin=true

     

    If you have an doubt, please let me know

     

    Hope this helps.

     

    Regards,

     

    Arvinder



  • 3.  RE: Deep Inspection Log Messages SYSLOG

    Posted 04-02-2013 05:49

    Hi Arvinder,

     

    Thanks for your response.

    My syslog settings are correct.

    But I cannot find anything related to the particular debug message in the syslog file.

    I've done a search on "000767" or "attack" or "deep"or "BRUTE" but nothing in my syslog file.

    The only thing related to deep inspection I see is the message that the attack database has been updated and saved to flash.

     

    Regarding deep inspection settings.

    I've only configured to log attempts so my action is none.

    Could it be that nothing is logged as my action is none, is it better to use action ignore in de DPI settings on policies?

     

    Thanks, Raymond



  • 4.  RE: Deep Inspection Log Messages SYSLOG
    Best Answer

    Posted 04-02-2013 23:46

    Hi Raymond,

     

    Thank you for your reply.

     

    I would like to know is this 1st time you are experiencing this issue?

     

    There are few actions that can be configured :

     

    • None: The security device logs the event but takes no action.

    • Ignore: The security device logs the event and stops checking—or ignores—the remainder of the connection.

    • Drop Packet: The security device logs the event and drops the packet containing the attack object, but it does not sever the connection.

    • Drop: The security device logs the event and severs the connection without sending either the client or the server TCP RST packets.

    • Close Client: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST packet to the client.

    • Close Server: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST to the server.

    • Close: The security device logs the event, severs the connection, and (for TCP traffic) sends TCP RST packets to both the client and the server.

       

      Try changing the option from None to Drop/Close. I hope this should atleast log the event.

       

      Please let me know if it helps.

       

      Regards,

       

      Arvinder

       



  • 5.  RE: Deep Inspection Log Messages SYSLOG

    Posted 04-03-2013 01:40

    Hi Arvinder,

     

    Thanks.

    I was just about to change the settings when I found the following in syslog;

     

    Apr  2 22:54:22 bluemango-21.fiberspeed.claranet.nl SSG140-BLUEMANGO-P: NetScreen device_id=SSG140-  [Root]syste                                               m-error-00601: HTTP:EXPLOIT:BRUTE-SEARCH has been detected from 209.212.145.91/60209 to 212.61.x.x/80 through policy 38                                                1 times. (2013-04-02 21:54:21)

     

    so this attempt was logged to syslog.

    I will leave the settings to "none" for now.

    Thanks for your help.

     

    Cheers, Ray