Screen OS

  • 1.  Deep Inspection Log Messages SYSLOG

    Posted 03-29-2013 08:04

    Hi,

    I've implemented Deep Inspection on a few policies on a SSG140.

    If I do a "debug idp all" on the CLI I get log output returned, but I don't see the log messages on my syslog server.

    I'm logging all traffic and events to syslog, but IDP-related messages like the ones below do not show up:

    SC_KQMSG_ADD_CONTEXT: service HTTP, type HTTP_STATUS, length 22, skip true
    sc_ids_bfq_poll: expiring 212.61.xx.xx -> 212.61.xx.xx HTTP, BRUTE_SEARCH, count 1
    sc_ids_bfq_add: added 212.61.xx.xx -> 212.61.xx.xx HTTP, BRUTE_SEARCH
    _sc_http_verify_flow: (23 s2c)Content-Type: text/html
    _sc_http_verify_flow: found header 'content-type:'(13, max 33699444) in line: content-type: text/html
    SC_KQMSG_ADD_CONTEXT_FUNC: service HTTP, type 33, length 9, skip false
    _sc_http_verify_flow: (25 s2c)Server: Microsoft-IIS/7.5
    _sc_http_verify_flow: found header 'server:'(7, max 33699432) in line: server: Microsoft-IIS/7.5
    SC_KQMSG_ADD_CONTEXT_FUNC: service HTTP, type 31, length 17, skip true
    _sc_http_verify_flow: (21 s2c)X-Powered-By: ASP.NET
    _sc_http_verify_flow: Didn't find header in line: x-powered-by: ASP.NET

    Thanks in advance.

    Cheers Ray


    #IDP
    #deepinspection
    #syslog


  • 2.  RE: Deep Inspection Log Messages SYSLOG

    Posted 03-29-2013 20:13

    Hi Ray,

    The messages that you are looking at are nothing but debug output. This output is telling you how the device is processing the packet using the Deep Inspection feature, hence such messages are limited to the device itself.

    However, any event-related entries for the same should be present on the device as well as on the Syslog server. I would like to confirm whether you are receiving such event entries on your Syslog server. If not, you can refer to the following to check the settings: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4759&smlogin=true

    If you have any doubt, please let me know.

    Hope this helps.

    Regards,

    Arvinder



  • 3.  RE: Deep Inspection Log Messages SYSLOG

    Posted 04-02-2013 05:49

    Hi Arvinder,

    Thanks for your response.

    My syslog settings are correct.

    But I cannot find anything related to that particular debug message in the syslog file.

    I've searched for "000767", "attack", "deep" and "BRUTE", but found nothing in my syslog file.

    The only thing related to deep inspection I see is the message that the attack database has been updated and saved to flash.

    Regarding the deep inspection settings:

    I've only configured it to log attempts, so my action is "none".

    Could it be that nothing is logged because my action is "none"? Is it better to use the action "ignore" in the DPI settings on the policies?

    Thanks, Raymond



  • 4.  RE: Deep Inspection Log Messages SYSLOG
    Best Answer

    Posted 04-02-2013 23:46

    Hi Raymond,

    Thank you for your reply.

    I would like to know: is this the first time you are experiencing this issue?

    There are a few actions that can be configured:

    • None: The security device logs the event but takes no action.

    • Ignore: The security device logs the event and stops checking—or ignores—the remainder of the connection.

    • Drop Packet: The security device logs the event and drops the packet containing the attack object, but it does not sever the connection.

    • Drop: The security device logs the event and severs the connection without sending either the client or the server TCP RST packets.

    • Close Client: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST packet to the client.

    • Close Server: The security device logs the event, severs the connection, and (for TCP traffic) sends a TCP RST to the server.

    • Close: The security device logs the event, severs the connection, and (for TCP traffic) sends TCP RST packets to both the client and the server.

    Try changing the option from None to Drop/Close. I hope this will at least log the event.

    Please let me know if it helps.

    Regards,

    Arvinder


  • 5.  RE: Deep Inspection Log Messages SYSLOG

    Posted 04-03-2013 01:40

    Hi Arvinder,

    Thanks.

    I was just about to change the settings when I found the following in syslog:


    Apr  2 22:54:22 bluemango-21.fiberspeed.claranet.nl SSG140-BLUEMANGO-P: NetScreen device_id=SSG140-  [Root]system-error-00601: HTTP:EXPLOIT:BRUTE-SEARCH has been detected from 209.212.145.91/60209 to 212.61.x.x/80 through policy 38 1 times. (2013-04-02 21:54:21)

    So this attempt was logged to syslog.

    I will leave the settings at "none" for now.

    Thanks for your help.

    Cheers, Ray
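The thread's resolution is that "debug idp" output stays on the device while the Deep Inspection event (the system-error-00601 "has been detected" line) is what reaches syslog. The following parser, an added example that is not from the thread or from Juniper, extracts attack name, endpoints, policy id and hit count from lines in that format and aggregates them per source, while ignoring debug-style lines; the sample log lines and IP addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Regex for the ScreenOS Deep Inspection (DI) event line quoted in the thread.
# The message id (e.g. system-error-00601) and the "has been detected" text
# are what distinguish a logged event from "debug idp" output.
DI_EVENT_RE = re.compile(
    r"(?P<msgid>system-[a-z]+-\d{5}): "
    r"(?P<attack>[A-Z0-9:_.-]+) has been detected from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"through policy (?P<policy>\d+) (?P<count>\d+) times\."
)

@dataclass
class DIEvent:
    msgid: str
    attack: str
    src: str
    dst: str
    policy: int
    count: int

def parse_di_event(line: str) -> Optional[DIEvent]:
    """Return a DIEvent for a DI attack-detected syslog line, else None."""
    m = DI_EVENT_RE.search(line)
    if m is None:
        return None
    return DIEvent(m["msgid"], m["attack"], m["src"], m["dst"],
                   int(m["policy"]), int(m["count"]))

def summarize(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Sum detection counts per (attack, src, dst) across a syslog file."""
    totals: Dict[Tuple[str, str, str], int] = {}
    for line in log_text.splitlines():
        ev = parse_di_event(line)
        if ev is None:          # debug output or an unrelated syslog line
            continue
        key = (ev.attack, ev.src, ev.dst)
        totals[key] = totals.get(key, 0) + ev.count
    return totals

# Constructed sample: two DI events in the page's format (documentation IPs)
# plus one "debug idp" style line, which is device-local and never reaches syslog.
SAMPLE_SYSLOG = """\
Apr  2 22:54:22 fw-host SSG140-EXAMPLE: NetScreen device_id=SSG140-  [Root]system-error-00601: HTTP:EXPLOIT:BRUTE-SEARCH has been detected from 203.0.113.10/60209 to 198.51.100.5/80 through policy 38 1 times. (2013-04-02 21:54:21)
Apr  2 22:55:01 fw-host SSG140-EXAMPLE: NetScreen device_id=SSG140-  [Root]system-error-00601: HTTP:EXPLOIT:BRUTE-SEARCH has been detected from 203.0.113.10/60210 to 198.51.100.5/80 through policy 38 3 times. (2013-04-02 21:55:00)
sc_ids_bfq_add: added 203.0.113.10 -> 198.51.100.5 HTTP, BRUTE_SEARCH
"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SYSLOG).items():
        print(key, n)
```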