SRX

  • 1.  Juniper SRX IDP - Chain attack objects

    Posted 12-01-2013 15:29

    Hi

    Chain attacks are simply not working for me. After trying some examples of my own I gave up and used this one from the Juniper website with small modifications:

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/security-idp-chain-attack-configuring.html

    But it's still not working. Here are my configs:


    # show security idp idp-policy idpengine
    rulebase-ips {
        rule 1 {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application junos-ftp;
                attacks {
                    custom-attacks ftpchain;
                }
            }
            then {
                action {
                    close-client-and-server;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }


    show security idp custom-attack ftpchain
    severity info;
    attack-type {
        chain {
            protocol-binding {
                application ftp;
            }
            scope session;
            order;
            member m1 {
                attack-type {
                    signature {
                        context ftp-banner;
                        pattern .*microsoft.*;
                        direction server-to-client;
                    }
                }
            }
            member m2 {
                attack-type {
                    signature {
                        context ftp-username;
                        pattern .*anonymous.*;
                        direction client-to-server;
                    }
                }
            }
            member m3 {
                attack-type {
                    anomaly {
                        test LOGIN_FAILED;
                        direction any;
                    }
                }
            }
        }
    }


    run show security idp status
    State of IDP: Default,  Up since: 2013-11-15 12:46:50 EST (1w6d 23:19 ago)

    Packets/second: 3               Peak: 568 @ 2013-11-28 14:17:25 EST
    KBits/second  : 5               Peak: 2103 @ 2013-11-20 13:14:32 EST
    Latency (microseconds): [min: 0] [max: 0] [avg: 0]

    Packet Statistics:
     [ICMP: 0] [TCP: 69646] [UDP: 102] [Other: 0]

    Flow Statistics:
      ICMP: [Current: 0] [Max: 0 @ 2013-11-20 11:45:05 EST]
      TCP: [Current: 4] [Max: 278 @ 2013-11-28 12:03:39 EST]
      UDP: [Current: 0] [Max: 44 @ 2013-11-27 13:22:22 EST]
      Other: [Current: 0] [Max: 0 @ 2013-11-20 11:45:05 EST]

    Session Statistics:
     [ICMP: 0] [TCP: 2] [UDP: 0] [Other: 0]
      Policy Name : idpengine
      Running Detector Version : 12.6.160131122


    Security policy matching is also fine, whereas this simple example works great:


    # show security idp custom-attack ftp-user
    severity critical;
    attack-type {
        signature {
            context ftp-username;
            pattern anonymous;
            direction client-to-server;
        }
    }

    I am using 11.4 on SRX boxes. Any ideas?

    Thanks
    Kashif



  • 2.  RE: Juniper SRX IDP - Chain attack objects

    Posted 12-01-2013 19:02

    Hi Kashif,

    Try changing your first regex to:

    pattern ".*[microsoft].*"

    The default banner from the Microsoft FTP server uses a capital M, which your regex will miss.  Encasing the string in square brackets will match any combination of upper or lower case.

    Is there any reason in the second one that you aren't using just

    pattern anonymous

    like the example?  Your current regex is going to match on things like thisisananonymoususer, possibly for no reason (such a user would not exist on your FTP server). It would be much less taxing to make it a simple match; the third member of your chain will then catch the failed login and still match your policy.



  • 3.  RE: Juniper SRX IDP - Chain attack objects

    Posted 12-01-2013 20:35

    Thanks for the reply and suggestions, Ben.

    I modified both things you mentioned; it is still not working.

    None of the members is triggering the IDP action.

    For the sake of checking traffic flow, I enabled the other idp-policy referencing a non-chain attack. That works fine.

    Confused now.



  • 4.  RE: Juniper SRX IDP - Chain attack objects

    Posted 12-02-2013 16:20

    What if you remove all the members from your chain except the anonymous login member (M3), and make it the same as the example code (e.g. no wildcards)?

    This should isolate whether the problem is the chaining segment or one of your group members.



  • 5.  RE: Juniper SRX IDP - Chain attack objects
    Best Answer

    Posted 12-02-2013 17:41

    Thanks, Ben, for the help.

    Finally I was able to solve this.

    The first thing I was not aware of was the fact that chain attacks work in AND fashion if no expression is defined. Stupid of me.

    Second, when I tried .*[microsoft].* and turned on traceoptions, I saw an error in compiling:

    Dec 3 12:25:26 idpd_need_policy_compile:712 Active policy path /var/db/idpd/sets/idpengine.set
    Dec 3 12:25:26 Active Policy (idpengine) rule base configuration is changed so need to recompile active policy
    Dec 3 12:25:26 Compiling policy idpengine....
    Dec 3 12:25:26 Apply policy configuration, policy ops bitmask = 41
    Dec 3 12:25:26 Starting policy(idpengine) compile with compress; dfa compile flags(0x000000f1)...
    Dec 3 12:25:26 Failed to optimize rulebase idp.

    Dec 3 12:25:26 idpd_policy_compile_no_fork:3620:(input && idpd_pc_compile(input, output, policy)): Policy compilation failed, errno 2: No such file or directory
    Dec 3 12:25:26 ...Failed
    Dec 3 12:25:26 idpd_config_read:2103:(idpd_policy_config_apply(pname, NULL, IDP_POLICY_OP_COMPILE | IDP_POLICY_OP_PACKAGE)):
    Dec 3 12:25:26 Returning from commit mode, status = 0
    Dec 3 12:25:26 [get_secupdate_cb_status] state = 0x1
    Dec 3 12:25:26 Got signal SIGCHLD....

    So I modified .*microsoft.* to .*Microsoft.* and checked with an anonymous login. It worked: both conditions matched and the connection was dropped.

    I read more about regular expressions and used .*\[microsoft\].* to cater for upper/lower case. It worked successfully.

    I also tried the pattern "^anonymous$" for ftp-username, which is supposed to match this exactly in a string, but it did not work. Looking more into it.

    Ciao
    Kashif
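    As an added illustration (not code from the thread, from Juniper, or from the author), a small Python model of how the three-member chain from the original post evaluates against constructed FTP session fragments. It assumes what the accepted answer describes (members are ANDed when no expression is configured), that a pattern must cover the whole context (consistent with the leading/trailing .* used throughout the thread), and that Junos's \[text\] is a case-insensitive match of text, so the three banner patterns discussed above can be compared side by side.

```python
import re
# Constructed FTP session fragments for this example (not captured from the thread).
MS_SESSION = {
    "ftp-banner": ("server-to-client", "220 Microsoft FTP Service"),
    "ftp-username": ("client-to-server", "anonymous"),
    "LOGIN_FAILED": True,  # the protocol anomaly seen by member m3
}
VSFTPD_SESSION = {
    "ftp-banner": ("server-to-client", "220 (vsFTPd 3.0.2)"),
    "ftp-username": ("client-to-server", "anonymous"),
    "LOGIN_FAILED": True,
}

def junos_pattern_to_python(pattern):
    """Approximate the Junos IDP signature syntax as a Python regex.
    Assumption: the only dialect difference relevant here is \\[text\\],
    a case-insensitive match of text; a bare [...] stays a character class."""
    def case_insensitive(m):
        return "".join(f"[{c.lower()}{c.upper()}]" if c.isalpha() else re.escape(c)
                       for c in m.group(1))
    return re.sub(r"\\\[(.*?)\\\]", case_insensitive, pattern)

def signature_matches(member, session):
    """A signature member matches when its context is present with the configured
    direction and the pattern covers the whole context (assumption, consistent
    with the leading/trailing .* used in the thread)."""
    ctx = session.get(member["context"])
    if ctx is None or member["direction"] not in ("any", ctx[0]):
        return False
    return re.fullmatch(junos_pattern_to_python(member["pattern"]), ctx[1]) is not None

def chain_fires(members, session):
    """Chain semantics as described in the accepted answer: with no expression
    configured, every member must match (AND)."""
    return all(
        signature_matches(m, session) if m["kind"] == "signature"
        else bool(session.get(m["test"], False))
        for m in members
    )

def ftpchain(banner_pattern):
    """The thread's three-member chain, parameterised on the banner pattern."""
    return [
        {"kind": "signature", "context": "ftp-banner", "pattern": banner_pattern,
         "direction": "server-to-client"},
        {"kind": "signature", "context": "ftp-username", "pattern": "anonymous",
         "direction": "client-to-server"},
        {"kind": "anomaly", "test": "LOGIN_FAILED"},
    ]
```

    With these assumptions, .*microsoft.* never fires on the real banner, .*Microsoft.* and .*\[microsoft\].* both do, and dropping any one member (for example a session with no failed login) stops the whole chain from matching.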



  • 6.  RE: Juniper SRX IDP - Chain attack objects

    Posted 12-02-2013 17:42

    Also, a chain attack requires you to have more than one member, else Junos throws an error.



  • 7.  RE: Juniper SRX IDP - Chain attack objects

    Posted 12-02-2013 19:45

    Great, glad you got it sorted!

    Make sure you set your answer to Mark as Answer so others can find this in the future.