On our SRX210 I'm trying to exclude the policy HTTP:SQL:INJ:HEADER-3 from IDP. It's generating false positives and isn't a recommended policy anyway.
Any clue on how to achieve this?
This is the config I'm trying (rule 0 should exclude the attack):
{primary:node0}[edit security idp idp-policy HXS_Web_Server rulebase-ips]
rule 0 {
    match {
        from-zone untrust;
        source-address any;
        to-zone trust;
        destination-address [ set-webserver set-ssl ];
        application default;
        attacks {
            predefined-attacks HTTP:SQL:INJ:HEADER-3;
        }
    }
    then {
        action {
            no-action;
        }
        notification {
            log-attacks;
        }
        severity warning;
    }
}
rule 1 {
    match {
        from-zone untrust;
        source-address any;
        to-zone trust;
        destination-address [ set-webserver set-ssl ];
        application default;
        attacks {
            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
        }
    }
    then {
        action {
            drop-packet;
        }
        notification {
            log-attacks;
        }
    }
}
rule 2 {
    match {
        from-zone untrust;
        source-address any;
        to-zone trust;
        destination-address [ set-webserver set-ssl ];
        application default;
        attacks {
            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" ];
        }
    }
    then {
        action {
            drop-packet;
        }
        notification {
            log-attacks;
        }
    }
}
rule 3 {
    match {
        from-zone untrust;
        source-address any;
        to-zone trust;
        destination-address [ set-webserver set-ssl ];
        application default;
        attacks {
            predefined-attack-groups [ "FTP - Minor" "HTTP - Minor" "SHELLCODE - Minor" ];
        }
    }
    then {
        action {
            no-action;
        }
        notification {
            log-attacks;
        }
    }
}
However, the connections are still blocked.
#IDP
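Added example, not part of the original post: two standard Junos ways to keep a single predefined attack from being enforced, written against the policy, zones and address sets shown above. The point it illustrates is that rules in rulebase-ips are non-terminal by default, so a no-action match in rule 0 does not stop rule 2 from also matching when the same attack is a member of one of its groups (the assumption here is that HTTP:SQL:INJ:HEADER-3 sits in "HTTP - Major" or "HTTP - Critical"; the first command checks that rather than guessing). The exempt rulebase is the documented place for exclusions and is evaluated against matches from rulebase-ips regardless of rule order; marking rule 0 terminal is the alternative if the rule-based layout is preferred. The rule name "Exempt_SQL_Hdr3" is an arbitrary placeholder.

```junos
## 1. Check whether the attack belongs to a group that rule 2 still drops.
##    If it is listed, a no-action rule that is not terminal cannot exclude it.
show security idp attack group-members "HTTP - Major" | match HEADER-3
show security idp attack group-members "HTTP - Critical" | match HEADER-3

## 2a. Preferred: exclude the attack via the exempt rulebase of the same policy.
##     Exempt rules match on zones/addresses/attacks only (no application), and
##     a hit suppresses the rulebase-ips action for that attack on that traffic.
edit security idp idp-policy HXS_Web_Server
set rulebase-exempt rule Exempt_SQL_Hdr3 match from-zone untrust
set rulebase-exempt rule Exempt_SQL_Hdr3 match source-address any
set rulebase-exempt rule Exempt_SQL_Hdr3 match to-zone trust
set rulebase-exempt rule Exempt_SQL_Hdr3 match destination-address [ set-webserver set-ssl ]
set rulebase-exempt rule Exempt_SQL_Hdr3 match attacks predefined-attacks HTTP:SQL:INJ:HEADER-3

## 2b. Alternative: keep rule 0 as posted but make it terminal, so IDP stops
##     evaluating rulebase-ips once rule 0 matches and rule 2 never sees the hit.
##     The catch: a terminal rule ends processing for the whole session match,
##     so any other attack in the same session would also be exempted by rule 0.
set rulebase-ips rule 0 terminal

## 3. Commit (the policy is recompiled on commit) and confirm what is active.
commit
run show security idp policies
run show security idp attack table | match HEADER-3
```

Pick one of 2a or 2b, not both. After the commit, the attack should still appear in the log stream if logging remains enabled on the matching rule, but the session is no longer dropped; that log line is the only evidence the exemption is working as intended, so keep log-attacks on while verifying.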