03-17-2012 12:42 AM
Below is output from the screen log (RT_IDS) which I configured on an SRX650. Some logs are with a protocol ID (marked in red) and some traffic is without a protocol ID. What is the reason that some have a protocol ID and some don't, and what type of protocol is used in the flows with IDs 1 & 2?
Screen Traffic Logs:
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.31.11.94, destination: 10.1.4.200, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_IP: Fragmented traffic! source: 172.31.11.94, destination: 10.1.4.200, protocol-id: 1, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:14 deviceA RT_IDS: RT_SCREEN_IP: IP spoofing! source: 172.31.11.250, destination: 126.96.36.199, protocol-id: 2, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:30 deviceA RT_IDS: RT_SCREEN_UDP: UDP sweep! source: 10.10.1.38:55678, destination: 188.8.131.52:53, zone name: dmz, interface name: reth2.0, action: alarm-without-drop
03-17-2012 02:36 AM
Whenever you trigger an IP-based screen, the protocol number is included to help identify the traffic causing the match. The other two entries in that output are protocol-specific screens so they already identify the protocol - e.g. the first entry is an ICMP fragment (protocol 1) and the second is a UDP sweep (protocol 17).
I'd even guess that the first two log entries are both referencing the same packet - first it is picked up by your "icmp fragment" screen, then it also triggers the "ip block-frag" screen.
Hope this helps
03-17-2012 03:27 AM
But as you can see in the logs:
1. In the logs below there is no protocol ID for UDP sweep. As you mentioned, its protocol ID is 17; 17 is the UDP protocol ID.
2. 184.108.40.206 protocol-id 2 is RIP traffic, and whenever I configure the screen option for UDP sweep without alarm drop it is blocking RIP traffic. I configured the threshold value up to 20000. Is this value not enough?
I mean screening is blocking most of the legitimate traffic with normal behaviour in a production environment.
03-17-2012 06:24 PM
1. Yes - the reason there is no protocol ID listed is because the screen that is triggering is ONLY for UDP traffic, so there is no reason to identify it by IP protocol.
2. It is not UDP Sweep that is triggering the screen, it is IP Spoofing. Is reth1.0 in the 172.31.11.x subnet? Do you have host-inbound-traffic protocol rip configured?
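As an added example (not code from this thread, and not Juniper's own tooling), here is a small Python parser for RT_IDS screen lines that applies the rule given in the two replies above: RT_SCREEN_IP entries carry an explicit protocol-id, while RT_SCREEN_ICMP / RT_SCREEN_UDP / RT_SCREEN_TCP entries omit it because the screen family already fixes the protocol. It also groups entries with the same timestamp, source and destination, which is the reasoning used above to guess that the first two lines are one packet hitting two screens. The class and function names, the `SAMPLE_LOGS` constant (the four lines quoted at the top of the thread) and the screen-family-to-protocol table are assumptions of this example; the protocol numbers themselves are the IANA assignments (1 ICMP, 2 IGMP, 6 TCP, 17 UDP), and RIP itself is carried in UDP on port 520 rather than having its own IP protocol number.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the four RT_IDS lines quoted in the thread, reused here as test data.
SAMPLE_LOGS = """\
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.31.11.94, destination: 10.1.4.200, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:05 deviceA RT_IDS: RT_SCREEN_IP: Fragmented traffic! source: 172.31.11.94, destination: 10.1.4.200, protocol-id: 1, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:14 deviceA RT_IDS: RT_SCREEN_IP: IP spoofing! source: 172.31.11.250, destination: 126.96.36.199, protocol-id: 2, zone name: trust, interface name: reth1.0, action: alarm-without-drop
Mar 17 08:32:30 deviceA RT_IDS: RT_SCREEN_UDP: UDP sweep! source: 10.10.1.38:55678, destination: 188.8.131.52:53, zone name: dmz, interface name: reth2.0, action: alarm-without-drop
"""

# IANA IP protocol numbers for the values that appear in the thread.
# Note: 2 is IGMP; RIP has no IP protocol number of its own (it runs over UDP/520).
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Assumed mapping: screen families whose name already fixes the protocol, so the
# log line carries no protocol-id. RT_SCREEN_IP applies to any protocol and
# therefore does include it.
SCREEN_FAMILY_PROTOCOL = {"RT_SCREEN_ICMP": 1, "RT_SCREEN_TCP": 6, "RT_SCREEN_UDP": 17}

# Field layout as seen in the quoted lines; protocol-id is optional.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) RT_IDS: "
    r"(?P<screen>RT_SCREEN_[A-Z]+): (?P<attack>[^!]+)! "
    r"source: (?P<src>[^,]+), destination: (?P<dst>[^,]+), "
    r"(?:protocol-id: (?P<proto>\d+), )?"
    r"zone name: (?P<zone>[^,]+), interface name: (?P<ifname>[^,]+), "
    r"action: (?P<action>\S+)$"
)


@dataclass
class ScreenEvent:
    timestamp: str
    host: str
    screen: str
    attack: str
    src: str
    dst: str
    zone: str
    interface: str
    action: str
    explicit_protocol: Optional[int]  # the protocol-id field, if the line had one

    @property
    def protocol(self) -> Optional[int]:
        """Explicit protocol-id if logged, else the protocol implied by the screen family."""
        if self.explicit_protocol is not None:
            return self.explicit_protocol
        return SCREEN_FAMILY_PROTOCOL.get(self.screen)

    @property
    def protocol_name(self) -> str:
        p = self.protocol
        if p is None:
            return "unknown"
        return IP_PROTOCOLS.get(p, f"proto-{p}")

    @property
    def dropped(self) -> bool:
        # alarm-without-drop only logs; anything else is treated as enforcing
        return self.action != "alarm-without-drop"


def parse_screen_line(line: str) -> Optional[ScreenEvent]:
    """Parse one RT_IDS screen line; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    return ScreenEvent(
        timestamp=m.group("ts"), host=m.group("host"), screen=m.group("screen"),
        attack=m.group("attack").strip(), src=m.group("src"), dst=m.group("dst"),
        zone=m.group("zone"), interface=m.group("ifname"), action=m.group("action"),
        explicit_protocol=int(proto) if proto is not None else None,
    )


def strip_port(addr: str) -> str:
    """UDP/TCP screens log ip:port; IP and ICMP screens log only the ip."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def group_same_packet(events: List[ScreenEvent]) -> Dict[Tuple[str, str, str], List[ScreenEvent]]:
    """Entries sharing timestamp, source ip and destination ip are likely one packet
    that matched several screens (the guess made about the first two lines above)."""
    groups: Dict[Tuple[str, str, str], List[ScreenEvent]] = defaultdict(list)
    for ev in events:
        groups[(ev.timestamp, strip_port(ev.src), strip_port(ev.dst))].append(ev)
    return dict(groups)


def parse_all(text: str) -> List[ScreenEvent]:
    return [ev for ev in (parse_screen_line(l) for l in text.splitlines()) if ev is not None]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LOGS):
        source = "logged" if ev.explicit_protocol is not None else "implied by screen"
        print(f"{ev.timestamp} {ev.screen:<16} {ev.attack:<20} {ev.protocol_name:<5} ({source}) "
              f"{ev.src} -> {ev.dst} on {ev.interface}/{ev.zone} dropped={ev.dropped}")
```

Running it on the quoted lines shows the second question's answer directly: the UDP sweep entry has no protocol-id but resolves to UDP from its screen family, and the protocol-id 2 entry is an RT_SCREEN_IP "IP spoofing" match, not a UDP sweep.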