SRX Services Gateway
Trusted Contributor
Posts: 915
Registered: ‎08-10-2010
Accepted Solution

What action is actually taken by IDP when the action is "recommended"?

Hi all,

 

When we use the IDP template "Recommended", the rules in the template show the action "recommended". May I know what action is actually taken by "recommended"? Is it just bypass, or block, or something else?

 

Another question: if I add a new rule to an existing template, is it enough to just commit so that the IDP template applies with the new rule I just added? Or do I need to delete the template and apply it again, the same as the first time we applied the IDP template?

 

 

[edit security idp idp-policy Recommended]
test@vSRX-LAB# show
/* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
rulebase-ips {
    rule TCP/IP {
        /* This rule is designed to protect your networks against important TCP/IP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule Block-Torrent {
        description "Torrent Blocker";
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups "P2P - All";
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks;
            }
        }
    }
}

 

Thanks, and I appreciate any feedback.

Contributor
Posts: 28
Registered: ‎11-30-2016

Re: What action is actually taken by IDP when the action is "recommended"?

Hello, kronicklez!

 

Recommended will take the predefined action set by Juniper depending on the object. Here is some more information.

 

Recommended
All predefined attack objects have a default action associated with them. This is the action that Juniper Networks recommends when that attack is detected.
Note: This action is supported only for IPS rulebases.


 

Helpful commands:

show security flow ip-action

show security idp status

Raymond Beaudoin
@synackray
Trusted Contributor
Posts: 915
Registered: ‎08-10-2010

Re: What action is actually taken by IDP when the action is "recommended"?

Hi synackray,

 

 

Using the commands that you provided still does not display what action is taken by "recommended".

 

 

I'd appreciate any expert feedback regarding the "recommended" action in the default IDP template.

 

 

Thanks

Contributor
Posts: 28
Registered: ‎11-30-2016

Re: What action is actually taken by IDP when the action is "recommended"?

Hi, sorry, I should have given more detail. Please see below. The key is that you must understand this is controlled at the attack-object level, not the attack-group level. Each individual object may have a different recommended action. Therefore, you want to see what's inside the predefined attack groups and then review the individual attack objects.

 

[SRX] How to view the IDP attacks that are listed under a pre-defined attack group

Understanding Predefined IDP Attack Objects and Object Groups

 

Run the following commands to check the details and description of an attack:

For example, HTTP:LINUX:REDHAT-ACCEPT-LANG:
[edit]
root@srx> show security idp attack detail HTTP:LINUX:REDHAT-ACCEPT-LANG 
Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: chain
False Positives: unknown
Service: HTTP

[edit]
root@srx> show security idp attack description HTTP:LINUX:REDHAT-ACCEPT-LANG


Raymond Beaudoin
@synackray
Trusted Contributor
Posts: 915
Registered: ‎08-10-2010

Re: What action is actually taken by IDP when the action is "recommended"?

Hi synackray/all,

 

 

 

Sorry, I still cannot understand how to see what action is taken by "recommended" in the IDP policy template "Recommended". Is there an actual command that shows the action taken by "recommended"?

 

Thanks, and I appreciate any additional input/advice.

Distinguished Expert
Posts: 1,951
Registered: ‎06-06-2011

Re: What action is actually taken by IDP when the action is "recommended"?

 

synackray gave you the answer. There will be one of several actions recommended by Juniper; the output shows the recommended action.
https://www.juniper.net/documentation/en_US/junos12.1x44/topics/reference/configuration-statement/se...
Syntax
recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
Hierarchy Level
[edit security idp custom-attack attack-name]


Description
When the security device detects an attack, it performs the specified action.

Options
The seven actions are as follows, from most to least severe:

close—Reset the client and the server.
close-client—Reset the client.
close-server—Reset the server.
drop—Drop the particular packet and all subsequent packets of the flow.
drop-packet—Drop the particular packet of the flow.
ignore—Do not inspect any further packets.
none—Do not perform any action.

root@srx> show security idp attack detail HTTP:LINUX:REDHAT-ACCEPT-LANG 
Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: chain
False Positives: unknown
Service: HTTP

 

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
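The two answers above leave a manual step: walk every attack object in each predefined group referenced by the rule, run "show security idp attack detail" on it, and read off "Recommended Action". The script below, added here as an example and not taken from this thread or from Juniper, automates the reading-off part. It parses a CLI session log in which that command was run for each member of a group (the member list comes from the KB article linked above), maps each object to the concrete action that "then action recommended" will take for it, counts the actions, and ranks them with the close > close-client > close-server > drop > drop-packet > ignore > none order from the reference lyndidon quoted. SAMPLE_CAPTURE is constructed data in the format quoted in the thread: only HTTP:LINUX:REDHAT-ACCEPT-LANG is a real attack object, the other three names are invented placeholders, and the assumption that the CLI renders multi-word actions with spaces ("Drop Packet") is just that, an assumption.

```python
"""Resolve 'then action recommended' to concrete per-object actions.
Added example, not Juniper code. Input is a session log containing
'show security idp attack detail <name>' for each object in a group.
SAMPLE_CAPTURE is constructed; only the first attack name is real."""
import re
from collections import Counter

# Ordering from the recommended-action reference quoted above, most to least severe.
ACTION_ORDER = ["close", "close-client", "close-server", "drop",
                "drop-packet", "ignore", "none"]

# Matches the echoed command line that precedes each detail block in the log.
CMD_RE = re.compile(r"^\S+>\s*show security idp attack detail\s+(\S+)\s*$")

SAMPLE_CAPTURE = """\
root@srx> show security idp attack detail HTTP:LINUX:REDHAT-ACCEPT-LANG
Display Name: HTTP: Red Hat Directory Server Accept-Language HTTP Header Parsing Buffer Overflow
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: chain
False Positives: unknown
Service: HTTP

root@srx> show security idp attack detail TCP:EXAMPLE:PLACEHOLDER-ONE
Display Name: TCP: Constructed placeholder one
Severity: Critical
Recommended: true
Recommended Action: Close

root@srx> show security idp attack detail IP:EXAMPLE:PLACEHOLDER-TWO
Display Name: IP: Constructed placeholder two
Severity: Minor
Recommended: true
Recommended Action: Drop Packet

root@srx> show security idp attack detail IP:EXAMPLE:PLACEHOLDER-THREE
Display Name: IP: Constructed placeholder three
Severity: Minor
Recommended: false
Recommended Action: None
"""


def parse_capture(text):
    """Return {attack_name: {field: value}} from the session log."""
    details, current = {}, None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            current = m.group(1)
            details[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: 'Display Name: HTTP: Red Hat ...'
        field, _, value = line.partition(":")
        details[current][field.strip()] = value.strip()
    return details


def normalize_action(display):
    """Map the CLI display form to the configuration keyword.
    Assumption: multi-word actions are shown with spaces ('Drop Packet')."""
    return display.strip().lower().replace(" ", "-")


def severity_rank(action):
    """Lower is more severe; unknown keywords sort after 'none'."""
    return ACTION_ORDER.index(action) if action in ACTION_ORDER else len(ACTION_ORDER)


def effective_actions(details):
    """Concrete action each object takes when the rule action is 'recommended'."""
    return {name: normalize_action(f.get("Recommended Action", "none"))
            for name, f in details.items()}


def summarize(details):
    actions = effective_actions(details)
    return {
        "actions": actions,
        "counts": Counter(actions.values()),
        "most_severe": min(actions.values(), key=severity_rank),
        # Objects not flagged 'Recommended: true' deserve a manual look before
        # relying on the group in a rule whose action is 'recommended'.
        "review": sorted(n for n, f in details.items()
                         if f.get("Recommended", "").lower() != "true"),
    }


if __name__ == "__main__":
    report = summarize(parse_capture(SAMPLE_CAPTURE))
    for name, action in sorted(report["actions"].items()):
        print(f"{name:40} -> {action}")
    print("most severe:", report["most_severe"])
    print("review:", ", ".join(report["review"]) or "-")
```

Feed it a real capture (e.g. the output of the detail command for every member, saved with "| no-more" and the prompt lines left in) and the "counts" entry tells you how much of the group is actually drop versus close versus none, which is the answer to the original question for that specific rule.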
Trusted Contributor
Posts: 915
Registered: ‎08-10-2010

Re: What action is actually taken by IDP when the action is "recommended"?

Hi lyndidon,

 

Thanks for the URL. Based on the URL, does it mean the "recommended" action will use the action sequence (close | close-client | close-server | drop | drop-packet | ignore | none)?

 

 

Please correct me if I have interpreted that URL wrongly.

 

 

Thanks

Distinguished Expert
Posts: 1,951
Registered: ‎06-06-2011

Re: What action is actually taken by IDP when the action is "recommended"?

The recommended action is what Juniper recommends. The link shows it is one of those actions that can be taken; it does not mean that is the order. Juniper can recommend any one of those actions. The "|" symbol simply says it is one of those actions that can be taken.

Distinguished Expert
Posts: 1,951
Registered: ‎06-06-2011

Re: What action is actually taken by IDP when the action is "recommended"?

Just to follow up and answer the second question you asked: "If I add a new rule to an existing template, is it enough to just commit so that the IDP template applies with the new rule I just added? Or do I need to delete the template and apply it again, the same as the first time we applied the IDP template?"

 

No need to delete the template and reapply it. I think you mean the point where you specify which template will be made active. Once the template is made active, any modification you make will be applied once you commit the configuration. It is similar to creating a firewall filter and then adding terms: once the filter has been applied, there is no need to delete and reapply it; the terms you added will be evaluated.
