Hi All,
I have been playing around a lot with the SRX IDP logging. I have had it go to STRM, NSM, and used the onboard syslog. One thing I noticed is that the system logs the attack that was seen but does not log the action (dropped, allowed). How can I see what was done to the traffic?
Here is an example of an IDP log that I get. No clue if the IDP dropped these or accepted them. The policy is the template Web_Server policy.
Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K
Jul 13 08:30:29 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message -
Jul 13 08:30:52 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560228, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message -
Jul 13 08:30:52 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,
Tags: logging, IDP
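As an added example (not part of the original post, and not Juniper's tooling), here is a small Python parser for the RT_IDP IDP_ATTACK_LOG_EVENT lines in the shape quoted above. It pulls the fixed header fields (source/destination, rule, rulebase, policy) and the key=value pairs after "attack:" (repeat, action, threat-severity, name, ...) into a dict, converts the "at <epoch>" timestamp to UTC, and tallies events by attack name, rule and action value. It does not settle what the box actually did to the traffic; it only makes the action= value the log does carry visible per rule, so that any record with a value other than NONE stands out. The field names are assumed from the quoted format, the first three sample lines are the post's own (the last one truncated exactly as posted), and the fourth sample line with action=DROP is constructed for illustration and was not captured from a device.

```python
"""Parse SRX RT_IDP IDP_ATTACK_LOG_EVENT syslog lines and tally the action= field."""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input. Lines 1-4 are the ones quoted in the post (a newsyslog line,
# two full attack events, one attack event truncated as posted). Line 5 is constructed,
# with a different action value, so the tally has more than one bucket; it is not from a device.
SAMPLE_LOG = """\
Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K
Jul 13 08:30:29 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message -
Jul 13 08:30:52 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560228, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message -
Jul 13 08:30:52 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,
Jul 13 08:31:10 FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560270, SIG Attack log <198.51.100.7/40000->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 2 of rulebase IPS in policy www. attack: repeat=0, action=DROP, threat-severity=HIGH, name=EXAMPLE:CONSTRUCTED:SIG, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message -
"""

# Fixed part of the message, up to and including "attack:"; field names are assumed
# from the format quoted in the post, not from a Juniper schema.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_IDP: IDP_ATTACK_LOG_EVENT: "
    r"IDP: at (?P<epoch>\d+), (?P<kind>\S+) Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\S+) protocol and service (?P<service>\S+) application (?P<app>\S+) "
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. "
    r"attack: (?P<rest>.*)$"
)
# key=value pairs in the variable tail; tokens without "=" (NAT <...>, intf:..., packet-log-id: 0)
# are simply skipped, so a truncated tail still parses.
KV_RE = re.compile(r"(?P<key>[\w-]+)=(?P<val>[^,]*)")


def parse_idp_event(line):
    """Return a dict of fields for an IDP_ATTACK_LOG_EVENT line, or None for any other line."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if k != "rest"}
    for kv in KV_RE.finditer(m.group("rest")):
        event[kv.group("key")] = kv.group("val").strip()
    # The "at <epoch>" value is seconds since the Unix epoch; keep a UTC rendering beside it.
    event["utc"] = datetime.fromtimestamp(int(event["epoch"]), tz=timezone.utc).isoformat()
    return event


def parse_log(text):
    """Parse every line of a syslog extract, dropping non-IDP lines such as newsyslog rotation."""
    return [e for e in map(parse_idp_event, text.splitlines()) if e is not None]


def tally_actions(events):
    """Count events per (attack name, rule number, action value)."""
    return Counter((e.get("name", "?"), e["rule"], e.get("action", "?")) for e in events)


def actions_seen(events):
    """Count events per action value alone, so a non-NONE value is visible at a glance."""
    return Counter(e.get("action", "?") for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (name, rule, action), n in sorted(tally_actions(evs).items()):
        print(f"rule {rule:>2}  action={action:<6} {name:<28} events={n}")
    print("by action:", dict(actions_seen(evs)))
```

Feed it `cat messages | python3 idp_tally.py` style input (replace SAMPLE_LOG with sys.stdin.read()) and compare the per-rule action column against the rule actions configured in the IDP policy; a rule whose events all carry action=NONE is the case the question is about.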