SRX Services Gateway

IDP Custom Attack Implementation

02-04-2014 01:31 PM

I am looking for some assistance with creating a custom attack and blocking traffic to a server for any type of HTTP request
over a specific port, but allowing all other types of traffic on this port. My framework is below; however, the page still displays,
and I believe I may have an issue with my signature pattern? I have tried the pattern below as well as the URL, however the page still displays. Any assistance would be greatly appreciated.


set security idp idp-policy TEST rulebase-ips rule R1 match from-zone ZONE-A
set security idp idp-policy TEST rulebase-ips rule R1 match source-address any
set security idp idp-policy TEST rulebase-ips rule R1 match to-zone ZONE-B

set security idp idp-policy TEST rulebase-ips rule R1 match destination-address 1.1.1.1/32
set security idp idp-policy TEST rulebase-ips rule R1 match application tcp_9999-9999
set security idp idp-policy TEST rulebase-ips rule R1 match attacks custom-attacks TEST_ATTACK
set security idp idp-policy TEST rulebase-ips rule R1 then action drop-connection


set security idp active-policy TEST


set security idp custom-attack TEST_ATTACK severity critical
set security idp custom-attack TEST_ATTACK attack-type signature context http-request
set security idp custom-attack TEST_ATTACK attack-type signature pattern "HEAD|GET|POST|PUT"
set security idp custom-attack TEST_ATTACK attack-type signature direction client-to-server


set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match source-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match destination-address 1.1.1.1/32
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match application tcp_9999-9999
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 then permit application-services idp



Re: IDP Custom Attack Implementation

02-05-2014 03:59 AM

Try removing the application definition in your IDP policy and see if that makes a difference.

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
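As an added example (not from the original post, the reply, or Juniper), the Python script below embeds the poster's set-style configuration and lints the cross-references that decide whether a custom attack can fire at all: that the active policy is defined, that the rule's custom attack exists and has a context, pattern and direction, that the security policy actually hands the session to IDP, and, following the reply's suggestion, it flags an IDP rule that pins `match application` to a custom port application while its custom attack relies on an HTTP service context such as `http-request`. The tokenizer, the finding codes and the "pinned application conflicts with service context" rule are my own assumptions built from the thread, not Juniper documentation.

```python
"""Offline lint of a Junos set-style IDP snippet: checks the cross-references
that decide whether a custom attack can ever fire. Added example; not Juniper
code. The embedded sample is the configuration from the original post."""
import re
from collections import defaultdict

# The poster's configuration, embedded so the check runs offline.
SAMPLE_CONFIG = """
set security idp idp-policy TEST rulebase-ips rule R1 match from-zone ZONE-A
set security idp idp-policy TEST rulebase-ips rule R1 match source-address any
set security idp idp-policy TEST rulebase-ips rule R1 match to-zone ZONE-B
set security idp idp-policy TEST rulebase-ips rule R1 match destination-address 1.1.1.1/32
set security idp idp-policy TEST rulebase-ips rule R1 match application tcp_9999-9999
set security idp idp-policy TEST rulebase-ips rule R1 match attacks custom-attacks TEST_ATTACK
set security idp idp-policy TEST rulebase-ips rule R1 then action drop-connection
set security idp active-policy TEST
set security idp custom-attack TEST_ATTACK severity critical
set security idp custom-attack TEST_ATTACK attack-type signature context http-request
set security idp custom-attack TEST_ATTACK attack-type signature pattern "HEAD|GET|POST|PUT"
set security idp custom-attack TEST_ATTACK attack-type signature direction client-to-server
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match source-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match destination-address 1.1.1.1/32
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 match application tcp_9999-9999
set security policies from-zone ZONE-A to-zone ZONE-B policy P1 then permit application-services idp
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # keeps a quoted pattern as one token


def parse_set_lines(text):
    """Yield each 'set ...' line as a token list with the leading 'set' dropped."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        yield [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(line)][1:]


def lint(text):
    """Return a list of (code, message) findings for the snippet."""
    idp_rules = defaultdict(dict)      # (policy, rule) -> {attacks, application, action}
    custom_attacks = defaultdict(dict)  # name -> {context, pattern, direction}
    sec_policies = defaultdict(dict)    # (from-zone, to-zone, name) -> {application, idp}
    policies, active_policy = set(), None

    for t in parse_set_lines(text):
        if t[:3] == ["security", "idp", "idp-policy"]:
            policies.add(t[3])
            if len(t) > 7 and t[4] == "rulebase-ips" and t[5] == "rule":
                rule, rest = idp_rules[(t[3], t[6])], t[7:]
                if rest[:3] == ["match", "attacks", "custom-attacks"]:
                    rule.setdefault("attacks", set()).add(rest[3])
                elif rest[:2] == ["match", "application"]:
                    rule["application"] = rest[2]
                elif rest[:2] == ["then", "action"]:
                    rule["action"] = rest[2]
        elif t[:3] == ["security", "idp", "active-policy"]:
            active_policy = t[3]
        elif t[:3] == ["security", "idp", "custom-attack"]:
            attack, rest = custom_attacks[t[3]], t[4:]
            if rest[:2] == ["attack-type", "signature"] and len(rest) > 3:
                attack[rest[2]] = rest[3]      # context / pattern / direction
        elif t[:2] == ["security", "policies"] and len(t) > 8:
            sp, rest = sec_policies[(t[3], t[5], t[7])], t[8:]
            if rest[:2] == ["match", "application"]:
                sp["application"] = rest[2]
            elif rest == ["then", "permit", "application-services", "idp"]:
                sp["idp"] = True

    findings = []
    if active_policy is None or active_policy not in policies:
        findings.append(("NO_ACTIVE_POLICY", f"active policy {active_policy!r} is not defined"))
    for (pol, name), rule in idp_rules.items():
        for atk in rule.get("attacks", ()):
            if atk not in custom_attacks:
                findings.append(("UNKNOWN_ATTACK", f"{pol}/{name} references undefined custom-attack {atk}"))
                continue
            ca = custom_attacks[atk]
            missing = [k for k in ("context", "pattern", "direction") if k not in ca]
            if missing:
                findings.append(("INCOMPLETE_ATTACK", f"custom-attack {atk} lacks {', '.join(missing)}"))
            app = rule.get("application", "default")
            # Assumption taken from the reply: a rule pinned to a custom port application
            # may keep a service context such as http-request from ever matching.
            if app not in ("default", "any") and ca.get("context", "").startswith("http-"):
                findings.append(("APP_PINNED_WITH_SERVICE_CONTEXT",
                                 f"{pol}/{name} matches application {app} while {atk} uses context "
                                 f"{ca['context']}; try removing the rule's application match"))
    for (fz, tz, name), sp in sec_policies.items():
        if not sp.get("idp"):
            findings.append(("IDP_NOT_ENABLED", f"policy {fz}->{tz} {name} never hands sessions to IDP"))
    return findings


def drop_idp_application_match(text):
    """Apply the reply's suggestion: remove 'match application' from IDP rules only."""
    return "\n".join(l for l in text.splitlines()
                     if not (l.strip().startswith("set security idp ") and " match application " in l))


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(code, msg)
```

Run as-is, the script reports only the pinned-application finding for the poster's snippet; feeding it the output of `drop_idp_application_match`, which is the change the reply proposes, clears it. The security policy's own `match application tcp_9999-9999` is left alone, since that is what steers port 9999 sessions into the policy that enables IDP in the first place.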