SRX Services Gateway
Contributor
ziamohdkhan

Screen Traffic Log

Hi,


Below is output from the Screen log (RT_IDS) which I configured on an SRX650. Some logs have a protocol ID (marked in red) and some traffic is without a protocol ID. What is the reason that some have a protocol ID and some don't, and what type of protocol is used in the flows with ID 1 & 2?


Screen Traffic Logs:

Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.31.11.94, destination: 10.1.4.200, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_IP: Fragmented traffic! source: 172.31.11.94, destination: 10.1.4.200, protocol-id: 1, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:14 deviceA RT_IDS: RT_SCREEN_IP: IP spoofing! source: 172.31.11.250, destination: 224.0.0.9, protocol-id: 2, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:30 deviceA RT_IDS: RT_SCREEN_UDP: UDP sweep! source: 10.10.1.38:55678, destination: 192.36.148.17:53, zone name: dmz, interface name: reth2.0, action: alarm-without-drop


Regards,

Zia khan

Distinguished Expert
dfex

Re: Screen Traffic Log

Hi Zia,


Whenever you trigger an IP-based screen, the protocol number is included to help identify the traffic causing the match. The other two entries in that output are protocol-specific screens, so they already identify the protocol - e.g. the first entry is an ICMP fragment (protocol 1) and the second is a UDP sweep (protocol 17).


I'd even guess that the first two log entries are both referencing the same packet - first it is picked up by your "icmp fragment" screen, then it also triggers the "ip block-frag" screen.


Hope this helps

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Contributor
ziamohdkhan

Re: Screen Traffic Log

Better..!!

But as you can see in the logs:

1. In the logs below there is no protocol ID for UDP sweep. As you mentioned, its protocol ID is 17; 17 is the UDP protocol ID.

2. 224.0.0.9 with protocol-id 2 is RIP traffic, and whenever I configure the screen option for UDP sweep without alarm-drop it is blocking RIP traffic. I configured the threshold value up to 20000. Is this value not enough?

I mean screening is blocking most of the legitimate traffic with normal behaviour in the production environment.

Regds, Zia

Distinguished Expert
dfex

Re: Screen Traffic Log

1. Yes - the reason there is no protocol ID listed is that the screen that is triggering is ONLY for UDP traffic, so there is no reason to identify it by IP protocol.


2. It is not UDP Sweep that is triggering the screen, it is IP Spoofing.  Is reth1.0 in the 172.31.11.x subnet?  Do you have host-inbound-traffic protocol rip configured?

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
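The two answers above explain how to read these RT_IDS lines: RT_SCREEN_IP events carry an explicit protocol-id field, protocol-specific screens (ICMP, UDP) leave it out because the screen family already fixes the protocol, one packet can show up as two entries (icmp fragment plus ip block-frag), and the event on 224.0.0.9 comes from the IP spoofing screen rather than UDP sweep. As an added example, not code from this thread or from Juniper, here is a small Python parser that normalizes such lines, fills in the implied protocol number, groups same-packet events, and reports which screen fired for a given destination. The implied-protocol table, the field names and the sample lines are assumptions taken from the log format shown in the thread; the sample lines are constructed copies of the ones posted above, not a live capture.

```python
"""Parse Junos RT_IDS screen log lines and fill in the IP protocol each one refers to."""
import re
from collections import defaultdict

# Protocol-specific screen families carry no protocol-id field because the
# family itself fixes the IP protocol. Assumption: mapping by family name.
IMPLIED_PROTOCOL = {"RT_SCREEN_ICMP": 1, "RT_SCREEN_TCP": 6, "RT_SCREEN_UDP": 17}

# Constructed sample in the format posted in the thread (not a live capture).
SAMPLE_LOG = """\
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.31.11.94, destination: 10.1.4.200, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_IP: Fragmented traffic! source: 172.31.11.94, destination: 10.1.4.200, protocol-id: 1, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:14 deviceA RT_IDS: RT_SCREEN_IP: IP spoofing! source: 172.31.11.250, destination: 224.0.0.9, protocol-id: 2, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:30 deviceA RT_IDS: RT_SCREEN_UDP: UDP sweep! source: 10.10.1.38:55678, destination: 192.36.148.17:53, zone name: dmz, interface name: reth2.0, action: alarm-without-drop
"""

# Syslog timestamp, host, "RT_IDS:", screen family, attack name ending in "!", then "key: value" pairs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) RT_IDS: "
    r"(?P<screen>RT_SCREEN_[A-Z]+): (?P<attack>[^!]+)! (?P<fields>.+)$"
)


def _split_port(endpoint):
    """'10.0.0.1:53' -> ('10.0.0.1', 53); a bare IPv4 address -> (addr, None).
    TCP/UDP screens log ports, IP/ICMP screens do not. IPv4 only."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_line(line):
    """Return a dict for one RT_IDS screen line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for item in m.group("fields").split(", "):
        key, _, value = item.partition(": ")
        fields[key] = value
    src_ip, src_port = _split_port(fields.get("source", ""))
    dst_ip, dst_port = _split_port(fields.get("destination", ""))
    if "protocol-id" in fields:
        protocol = int(fields["protocol-id"])              # IP-family screens state it
    else:
        protocol = IMPLIED_PROTOCOL.get(m.group("screen"))  # otherwise implied by family
    return {
        "ts": m.group("ts"), "host": m.group("host"), "screen": m.group("screen"),
        "attack": m.group("attack"), "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port, "protocol": protocol,
        "zone": fields.get("zone name"), "interface": fields.get("interface name"),
        "action": fields.get("action"),
    }


def parse_log(text):
    """Parse every RT_IDS screen line in a block of syslog text, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def same_packet_groups(records):
    """Group events sharing timestamp, source and destination: one packet that
    matches several screens is logged once per screen with the same key."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ts"], r["src_ip"], r["dst_ip"])].append(r["attack"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def screens_for_destination(records, dst_ip):
    """Which (screen family, attack) pairs actually fired on traffic to dst_ip."""
    return sorted({(r["screen"], r["attack"]) for r in records if r["dst_ip"] == dst_ip})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} {r["screen"]:<15} {r["attack"]:<20} proto={r["protocol"]} action={r["action"]}')
    print("same-packet groups:", same_packet_groups(recs))
    print("screens on 224.0.0.9:", screens_for_destination(recs, "224.0.0.9"))
```

Run it as-is to see the four sample lines normalized: the ICMP and UDP entries get protocol 1 and 17 filled in from the family table, the two 08:32:05 entries collapse into one same-packet group, and the only screen touching 224.0.0.9 is RT_SCREEN_IP / IP spoofing, which is the check that separates the RIP drop from the UDP sweep threshold question.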
Contributor
ziamohdkhan

Re: Screen Traffic Log

Hi,


Yes, host-inbound-traffic is configured for the trust interface where RIP is running, and it is working fine.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.