Screen OS

  • 1.  Deep Inspection - Brute-force

    Posted 02-07-2014 04:47

    Hi guys,

    I want to use DI to prevent brute-force attacks on HTTP and HTTPS, but according to this documentation:

    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/ce_v4.pdf (page 152)

    HTTPS is not supported. Is there a workaround for this?

    My output of get attack HIGH:HTTP:ANOM is showing me:

    device-> get attack HIGH:HTTP:ANOM
    GROUP "HIGH:HTTP:ANOM" is pre-defined. It has the following members
    ID       Name                                     Type      Defined
     1050287 HTTP:OVERFLOW:HEADER                     anomaly   pre-defined
     1050289 HTTP:OVERFLOW:INV-CHUNK-LEN              anomaly   pre-defined
     1050290 HTTP:OVERFLOW:CHUNK-OVERFLOW             anomaly   pre-defined
     1050291 HTTP:OVERFLOW:CONTENT-OVERFLOW           anomaly   pre-defined
     1050292 HTTP:OVERFLOW:URL-OVERFLOW               anomaly   pre-defined
     1050250 HTTP:INVALID:INVLD-AUTH-CHAR             anomaly   pre-defined
     1050251 HTTP:INVALID:INVLD-AUTH-LEN              anomaly   pre-defined
     1053971 HTTP:EXPLOIT:BRUTE-SEARCH                anomaly   pre-defined

    So I don't see HTTP:EXPLOIT:BRUTE-FORCE as I see on page 152.

    I assume HTTP:EXPLOIT:BRUTE-SEARCH is not the same as (HTTP Brute Force Login Attempt) failed_logins/ HTTP:EXPLOIT:BRUTE-FORCE.

    Will this work?

    Thanks in advance


  • 2.  RE: Deep Inspection - Brute-force
    Best Answer

    Posted 02-08-2014 03:52

    Unfortunately, no, you cannot inspect HTTPS on ScreenOS.  The reason is that the stream is encrypted.  So in order to inspect this you would have to have a certificate and decryption occur on the firewall so that the stream can be inspected.  This feature requires lots of processing and is not available in ScreenOS.

    You can look at the DDoS features in the zone screens to mitigate brute force attacks.  These do not require any inspection because they are based on the behaviour of the attacker.  These are outlined in the same volume of the Concepts and Examples guide that you linked, in chapter 3.

    In this scenario destination- and source-based limiting should help.
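
The behaviour-based approach this answer recommends, as an added Python example that is not part of the original thread and is not ScreenOS code: a session limiter keyed on source address and on destination address, run over constructed connection records. It never reads the payload, which is why the same check works for HTTPS as for HTTP. The window size, the per-source and per-destination thresholds, and the sample records are assumptions chosen for illustration, not values from the Concepts and Examples guide.

```python
"""Behaviour-based brute-force throttling in the spirit of the zone screen
session limits discussed above.  Added illustration, not ScreenOS code: it
counts new sessions per source and per destination inside a sliding window
and refuses the ones that exceed a threshold, without inspecting the
(possibly TLS-encrypted) payload at all."""

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SessionLimiter:
    """Sliding-window counter of new sessions per source and per destination."""
    window_s: float = 1.0           # assumption: one-second window
    source_limit: int = 5           # assumption: max new sessions per source per window
    destination_limit: int = 20     # assumption: max new sessions per destination per window
    _by_src: dict = field(default_factory=lambda: defaultdict(deque))
    _by_dst: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def admit(self, ts, src, dst):
        """Record a new session attempt; return (allowed, reason)."""
        sq, dq = self._by_src[src], self._by_dst[dst]
        self._prune(sq, ts)
        self._prune(dq, ts)
        if len(sq) >= self.source_limit:
            return False, "source-limit"
        if len(dq) >= self.destination_limit:
            return False, "destination-limit"
        sq.append(ts)
        dq.append(ts)
        return True, "ok"


# Constructed sample: (timestamp, source, destination) of new sessions to one
# web server.  One host opens twelve sessions within about half a second,
# two others open one each, and the first host returns later at a slower pace.
SAMPLE = (
    [(i * 0.05, "203.0.113.7", "198.51.100.10") for i in range(12)]
    + [(0.3, "192.0.2.20", "198.51.100.10"), (0.9, "192.0.2.21", "198.51.100.10")]
    + [(2.5 + i * 0.1, "203.0.113.7", "198.51.100.10") for i in range(3)]
)


def run(records, limiter=None):
    """Apply the limiter in timestamp order; return per-source verdict counts."""
    limiter = limiter or SessionLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src, dst in sorted(records):
        ok, _ = limiter.admit(ts, src, dst)
        stats[src]["allowed" if ok else "dropped"] += 1
    return dict(stats)


if __name__ == "__main__":
    for src, s in run(SAMPLE).items():
        print(f"{src:14} allowed={s['allowed']:2} dropped={s['dropped']:2}")
```

With the assumed limits, the burst from 203.0.113.7 gets its first five sessions and is refused for the rest of the window, the two normal hosts are untouched, and the same host is admitted again once its earlier sessions age out of the window. The destination limit serves the other case the answer mentions: many distinct sources hammering one server, where no single source crosses its own limit.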



  • 3.  RE: Deep Inspection - Brute-force

    Posted 02-10-2014 07:58

    Hi spuluka,

    Thanks for your reply. I will test it.
    Can you tell me why I'm not seeing HTTP:EXPLOIT:BRUTE-FORCE in my device-> get attack HIGH:HTTP:ANOM output as I see in the documentation? Is this an IDP attack group only?

    Thanks in advance



  • 4.  RE: Deep Inspection - Brute-force

    Posted 02-11-2014 05:07

    This should be a member of this predefined group.

    Is your ScreenOS 6.3, and are the signature updates running successfully?



  • 5.  RE: Deep Inspection - Brute-force

    Posted 02-12-2014 12:45

    Hi spuluka,

    Yeah, I'm using 6.3 and signatures are scheduled to run every day:

    device-> get attack db

    Attack database Version: 2341 (05Feb2014:18:51:30)
    Number of Attacks: 705, Number of Groups: 98
    Attack database Server: https://services.netscreen.com/restricted/sigupdates
    Automatic Operation: Update
    Schedule for automatic Operation: daily 00:00
    Signature pack currently in use: Baseline-ScreenOS 5.3 - 6.3
    Signature pack configured: Baseline Deep Inspection Pack
    Signature update proxy: OFF


    device-> get attack HIGH:HTTP:ANOM
    GROUP "HIGH:HTTP:ANOM" is pre-defined. It has the following members
    ID       Name                                     Type      Defined
     1050287 HTTP:OVERFLOW:HEADER                     anomaly   pre-defined
     1050289 HTTP:OVERFLOW:INV-CHUNK-LEN              anomaly   pre-defined
     1050290 HTTP:OVERFLOW:CHUNK-OVERFLOW             anomaly   pre-defined
     1050291 HTTP:OVERFLOW:CONTENT-OVERFLOW           anomaly   pre-defined
     1050292 HTTP:OVERFLOW:URL-OVERFLOW               anomaly   pre-defined
     1050250 HTTP:INVALID:INVLD-AUTH-CHAR             anomaly   pre-defined
     1050251 HTTP:INVALID:INVLD-AUTH-LEN              anomaly   pre-defined
     1053971 HTTP:EXPLOIT:BRUTE-SEARCH                anomaly   pre-defined



  • 6.  RE: Deep Inspection - Brute-force

    Posted 02-12-2014 18:08

    I guess either the group membership changed or this is a bug that should be reported through JTAC.

    I notice that KB28323, released in December, allows parameter adjustment for this exploit.  Perhaps this is the reason it has to be handled separately now, but that is just a guess.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28323

    Can you add the exploit directly, separate from the group?



  • 7.  RE: Deep Inspection - Brute-force

    Posted 02-21-2014 01:46

    Hi spuluka,

    Thanks again.

    Have a nice day 🙂