SRX Services Gateway

How to bypass some attack database list?

02-11-2018 12:47 AM

Hi all,

Currently on my IDP I'm using the Recommended policy template. May I know how I can make an exception so that IDP does not block some attacks, especially the attacks highlighted in BOLD?

{primary:node0}
test@srx5800> show security idp attack table
node0:
--------------------------------------------------------------------------
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:REQERR:NULL-IN-HEADER                   14120
  HTTP:XSS:HTML-SCRIPT-IN-POST                 13723
  HTTP:XSS:NOVELL-ZENWORKS-XSS                 947
  HTTP:DIR:HTTP-REFERER-HDR                    404
  HTTP:PHP:PHPMYADMIN:SETUP-SCAN               134
  HTTP:APACHE:STRUTS2-MAL-HYD-RCE              111
  HTTP:APACHE:STRUTS-URL-DOS                   39


{primary:node0}
test@srx5800> show configuration security idp idp-policy Recommended
/* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
rulebase-ips {
    rule TCP/IP {
        /* This rule is designed to protect your networks against important TCP/IP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule ICMP {
        /* This rule is designed to protect your network against  important ICMP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule HTTP {
        /* This rule is designed to protect your network against  important HTTP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule SMTP {
        /* This rule is designed to protect your network against  important SMTP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule DNS {
        /* This rule is designed to protect your network against important DNS attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule FTP {
        /* This rule is designed to protect your network against important FTP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule POP3 {
        /* This rule is designed to protect your network against important POP3 attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule IMAP {
        /* This rule is designed to protect your network against important IMAP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule Malware {
        /* This rule is designed to protect your network against common internet malware. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
}

Thanks and appreciate any help.
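An added example, not from the original post or from Juniper's template, of the exempt rulebase that stops the Recommended policy from blocking specific signatures while leaving every other rule active. The two attack names are taken from the attack table above as stand-ins for whichever entries were highlighted; the zone names and the address-book entry are assumptions, and the rule is deliberately scoped to one known source rather than any/any so the exemption does not blind the sensor for all traffic.

```junos
/* Added example (assumed names). Hierarchy: [edit security idp idp-policy Recommended] */
rulebase-exempt {
    rule Exempt-Known-False-Positives {
        /* Exempt rules carry no 'then' clause: a match only suppresses the
           listed attacks for the matching flow; rulebase-ips still applies. */
        match {
            from-zone untrust;                 /* assumed zone name */
            source-address scanner-hosts;      /* assumed address-book entry */
            to-zone trust;                     /* assumed zone name */
            destination-address any;
            attacks {
                /* Names as shown in 'show security idp attack table' above */
                predefined-attacks [ HTTP:REQERR:NULL-IN-HEADER HTTP:XSS:HTML-SCRIPT-IN-POST ];
            }
        }
    }
}
```

After `commit`, `show security idp status` confirms the updated Recommended policy is loaded; the exempted names should stop producing blocks for flows from the listed source while the rest of the attack table keeps counting.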


Re: How to bypass some attack database list?

02-11-2018 07:16 PM

Hi all,

Problem solved.

Thanks