SRX Services Gateway

IDP Log actions

‎07-14-2011 07:58 AM

Hi All,


I have been playing around a lot with the SRX IDP logging.  I have had it go to STRM, NSM, and used the onboard syslog.  One thing I noticed is that the system logs the attack that was seen but does not log the action (dropped, allowed).  How can I see what was done to the traffic?


Here is an example of an IDP log that I get.  No clue if the IDP dropped these or accepted them.  The policy is the template Web_Server policy.


Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K
Jul 13 08:30:29  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560228, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - 
Jul 13 08:30:52  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560251, ANOMALY Attack log <72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE by rule 1 of rulebase IPS in policy www. attack: repeat=0, action=NONE, threat-severity=INFO,



Re: IDP Log actions

‎07-15-2011 03:08 AM
Is there an action to be taken on HTTP:AUDIT:URL? From your first sentence I assume you tried some attack which is of higher severity than INFO, or just created one for test with a more interesting action, right?
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Solution
Accepted by topic author ttl_expired
‎08-26-2015 01:27 AM

Re: IDP Log actions

‎07-15-2011 07:08 AM

Hi


In your case, "action=NONE" means nothing was done to the traffic.

It also could be drop, etc. Does this answer your question?

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
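To check this across a whole syslog file rather than by eye, here is an added example (not from the thread, and not Juniper's own tooling): a small Python parser for the RT_IDP IDP_ATTACK_LOG_EVENT lines quoted above that pulls out the action field and counts events per attack name and action. The sample lines are constructed from the format shown in the thread; the DROP_CONNECTION action value and the second attack name are assumed values used only for illustration.

```python
import re
from collections import Counter

# Regex over the key fields of an RT_IDP IDP_ATTACK_LOG_EVENT line, following the
# layout quoted in the thread (epoch, attack name, action, severity, 5-tuple, policy).
IDP_RE = re.compile(
    r"IDP_ATTACK_LOG_EVENT: IDP: at (?P<epoch>\d+), (?P<kind>\w+) Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\w+) protocol and service (?P<service>\S+) .*?"
    r"rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. "
    r"attack: repeat=(?P<repeat>\d+), action=(?P<action>[A-Z_]+), "
    r"threat-severity=(?P<severity>\w+), name=(?P<name>\S+?),"
)

def parse_idp_event(line):
    """Return a dict of the interesting fields, or None if the line is not an IDP attack event."""
    m = IDP_RE.search(line)
    return m.groupdict() if m else None

def summarize_actions(lines):
    """Count events per (attack name, action) so you can see at a glance what IDP actually did."""
    counts = Counter()
    for line in lines:
        ev = parse_idp_event(line)
        if ev:
            counts[(ev["name"], ev["action"])] += 1
    return counts

# Constructed sample lines modelled on the thread's output. The second line is the
# thread's audit-only event (action=NONE); the third uses DROP_CONNECTION and a
# made-up signature name as assumed values for a blocked connection.
SAMPLE = [
    "Jul 13 08:30:02 FW newsyslog[93646]: logfile turned over due to size>100K",
    "Jul 13 08:30:29  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560201, ANOMALY Attack log "
    "<72.14.164.189/17136->77.28.105.200/80> for TCP protocol and service HTTP application NONE "
    "by rule 1 of rulebase IPS in policy www. attack: repeat=2, action=NONE, threat-severity=INFO, "
    "name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, "
    "inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - ",
    "Jul 13 08:31:10  FW RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1310560270, SIGNATURE Attack log "
    "<198.51.100.7/40211->77.28.105.200/80> for TCP protocol and service HTTP application NONE "
    "by rule 2 of rulebase IPS in policy www. attack: repeat=0, action=DROP_CONNECTION, threat-severity=HIGH, "
    "name=HTTP:EXAMPLE:TEST-SIG, NAT <0.0.0.0:0->192.168.0.12:0>, time-elapsed=0, inbytes=0, outbytes=0, "
    "inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:vlan.3, packet-log-id: 0 and misc-message - ",
]

if __name__ == "__main__":
    for (name, action), n in sorted(summarize_actions(SAMPLE).items()):
        print(f"{name:30} {action:20} {n}")
```

Feeding the real syslog file in line by line in place of SAMPLE gives the per-signature breakdown of NONE versus drop/close actions that the thread was looking for.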

Re: IDP Log actions

‎07-18-2011 06:39 AM

..... I am blind.  I must have read that log 10 times and did not see the action=.  Thanks for pointing it out.