Intrusion Prevention

investigating ATTACK=NULL field from Juniper IDP 1000

08-28-2015 02:08 AM

Hello

I'm investigating a Juniper IDP syslog message which appears as shown in the attachment (jpg format).

Header fields are masked for privacy reasons.

The attack field shows attack="NULL" and action="ACCEPT". The internal team of our organization investigating this issue says this is because of the "SAM IDP" feature, which blocks hostile activity for 30 minutes.
So, any of the same packets that arrive during this time will generate the log (sample) shown in the attachment.

Is this analysis valid? The reason I'm reasoning about the explanation I already got is the lack of references available online to back it up; secondly, I wish the Juniper logging format were wiser and told users instantly the reason for such log generation. Attack=NULL is very fuzzy information, and from a security perspective it could mean tons of bad things.

I'm missing something: "SAM IDP Drop", which is a bit more intuitive, is shown in the case of NSM logs. Does the same apply for traffic logs?

I appreciate your analysis and feedback on this matter.

4 REPLIES

Re: investigating ATTACK=NULL field from Juniper IDP 1000

09-01-2015 01:01 AM

Any help?

Re: investigating ATTACK=NULL field from Juniper IDP 1000

09-14-2015 04:15 AM

Hi,

There are two possibilities here: either the device is not sending the correct information, or NSM/syslog is not correctly interpreting what is being sent from the device. Let me know which OS is running on the device, and is there any pattern observed while getting these messages?

Cheers,
Dipanshu

Re: investigating ATTACK=NULL field from Juniper IDP 1000

09-15-2015 02:58 AM

Thanks,

The deployed version of "netscreen" is 6.3.

The only behaviour I can point out is that the logs in which ATTACK=NULL appears are regularly found among the logs generated due to the SAM IDP action rule (which blocks traffic for 30 minutes).

But the thing is that in the payload of the logs (seen on the syslog server, QRadar SIEM) there is no mention of "SAM IDP" anywhere.


Re: investigating ATTACK=NULL field from Juniper IDP 1000

09-15-2015 03:13 AM

Yes, it might be because IP Action blocks the traffic from the specified source/destination for a certain time period.

Got the following KB link which might be helpful to understand this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16054&actp=search&searchid=1234135866660&sm...

Not sure if the QRadar/syslog server understands this field properly; you may check the same in the respective forum.

Cheers,

Dipanshu
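A triage script added here as an illustration (not from the thread, and not Juniper's or QRadar's own code): it parses key=value syslog bodies and flags attack="NULL" events that have no block logged for the same source within the preceding 30 minutes, so an analyst can separate events explained by an IP Action block from ones that still need a look. The field names (time, src, attack, action), the use of action="DROP" on a named attack as the block event, and the sample lines are constructed assumptions, not Juniper's documented format.

```python
import re
from datetime import datetime, timedelta

# Matches key=value tokens where the value is either "quoted text" or a bare word.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Duration of the IP Action block discussed in the thread.
BLOCK_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Parse a NetScreen/IDP-style key=value syslog body into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def unexplained_null_attacks(lines, window=BLOCK_WINDOW):
    """Return attack="NULL" events with no block on the same source inside `window`.

    Assumption (constructed, not Juniper's format): a block is logged as a named
    attack with action="DROP"; events carry time, src, attack and action fields.
    """
    last_block = {}  # src address -> timestamp of the most recent block
    flagged = []
    for line in lines:
        ev = parse_event(line)
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        src = ev.get("src")
        if ev.get("attack") not in (None, "NULL") and ev.get("action") == "DROP":
            last_block[src] = ts
        elif ev.get("attack") == "NULL":
            since = last_block.get(src)
            if since is None or not (timedelta(0) <= ts - since <= window):
                flagged.append(ev)  # not covered by a known block: review it
    return flagged


# Constructed sample events (not the thread's attachment); signature name is a placeholder.
SAMPLE_LINES = [
    'time="2015-08-28 02:00:00" attack="EXAMPLE:SIGNATURE" action="DROP" src=192.0.2.10 dst=198.51.100.5',
    'time="2015-08-28 02:05:00" attack="NULL" action="ACCEPT" src=192.0.2.10 dst=198.51.100.5',  # inside block window
    'time="2015-08-28 02:08:00" attack="NULL" action="ACCEPT" src=192.0.2.77 dst=198.51.100.5',  # no prior block
    'time="2015-08-28 02:45:00" attack="NULL" action="ACCEPT" src=192.0.2.10 dst=198.51.100.5',  # window expired
]

if __name__ == "__main__":
    for ev in unexplained_null_attacks(SAMPLE_LINES):
        print("review:", ev["time"], ev["src"], ev["action"])
```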
