Junos
Highlighted
Junos

Scripting IDP ip-action changes

‎12-04-2009 03:41 PM
Hello all,

I'm relatively new to junos and completely new to scripting, so forgive me if this doesn't make a lot of sense.

We're using the IDP functionality in our SRX (Junos 9.6) and we have a set of attacks that we have configured an ip-block on. Currently, we've configured a 60 second block. We'd like to be able to ramp-up the block on a per-source-ip basis if we have to consistently block a particular IP address. For example, say that an IDP rule is triggered for 1.1.1.1: we'll block 1.1.1.1 for 60 seconds. If the same rule is triggered for the same IP within a time period (5 minutes) we now want to block the IP for 10 minutes.

I've started learning about junos scripting, in particular event scripts, and I think I can build the necessary logic to detect the change (though I'll certainly listen to advice!), but I'm not sure how to handle the change to make the IDP implement a longer block. I suppose that I'll have two rules, one with a short block and one with a longer block, and that I'd have to insert the attacking IP address into the match condition somehow. The problem that I see is that I can only insert specific addresses into the match/source-address. Since I'll be dealing with both internal in Internet traffic, those lists could get awfully long. And then there's the question of how to remove the IP when it starts behaving properly again.

I suppose I could do this by putting those changes into a security policy, but I'll have to do the same thing with match/source-address there. In any case, I don't think I want to clutter up address books with long lists of attacking IP addresses. 

Does anyone have any suggestions for how to go about doing this?