SRX IDP


This post will show you how to get IDP on an SRX100H going and tested to be working.
I will be using a trial licence which is valid for 30 days.

1) GET AND INSTALL THE IDP LICENSE

a) First make sure you can ping a URL from your SRX as the download process will use name lookups.

blogger@LEFTY> ping www.juniper.net inet
PING e1824.dscb.akamaiedge.net (184.87.23.148): 56 data bytes
64 bytes from 184.87.23.148: icmp_seq=0 ttl=54 time=33.373 ms
64 bytes from 184.87.23.148: icmp_seq=1 ttl=54 time=30.299 ms
64 bytes from 184.87.23.148: icmp_seq=2 ttl=54 time=29.531 ms
^C
--- e1824.dscb.akamaiedge.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 29.531/31.068/33.373/1.660 ms

If that doesn't work, set up name servers in the config.

b) Download the trial license.
a. Log in to this site with your Juniper ID: https://www.juniper.net/lcrs/mylic.do?methodToCall=setUpTrial&family_id=1
b. Select your version of Junos, enter your serial number and click "Get Available Trials".
c. Select IDP Signature Services and click the "Generate" button to get your license key.

c) Install the license
First let's look at what licenses we have for comparison purposes.

blogger@LEFTY> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
  mem-upg                               0            1           0    permanent

Now install the new license…

blogger@LEFTY> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS124406 aeaqea qmifkt eobrgf auhmbu gm3aqb qcdw6n
            hphea4 ug22dm 4iubxn 3geelp 4mdjqw nmuggo
            lqub5s f4po3b vvgxjy en7z3a rzdrkc ykxrh6
            anq
JUNOS124406: successfully added
add license complete (no errors)

blogger@LEFTY> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2012-09-18 10:00:00 EST
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
  mem-upg                               0            1           0    permanent

Licenses installed:
  License identifier: JUNOS124406
  License version: 2
  Valid for device: AU2811AF0555
  Features:
    idp-sig          - IDP Signature
      date-based, 2012-08-19 10:00:00 EST - 2012-09-18 10:00:00 EST

2) DOWNLOAD AND INSTALL IDP ATTACK DATABASE 

a) First confirm you can reach the download server. Shouldn’t be a problem if you can ping the Juniper website as per above.

blogger@LEFTY> request security idp security-package download check-server   
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2176(Detector=12.6.160120404, Templates=2176)

b) Download the database

 blogger@LEFTY> request security idp security-package download                     
Will be processed in async mode. Check the status using the status checking CLI

blogger@LEFTY> request security idp security-package download status
In progress:SignatureUpdate_tmp.xml.gz                          100 % 1574759 Bytes/ 1574759 Bytes

blogger@LEFTY> request security idp security-package download status   
In progress:applications.xsd                            100 % 11566 Bytes/ 11566 Bytes

blogger@LEFTY> request security idp security-package download status   
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2176(Wed Aug 22 11:11:04 2012, Detector=12.6.160120404)

c) Install the database

blogger@LEFTY> request security idp security-package install status
In progress:Installing AI ...

blogger@LEFTY> request security idp security-package install status   
In progress:performing DB update for an xml (SignatureUpdate.xml)
  
blogger@LEFTY> request security idp security-package install status   
Done;Attack DB update : successful - [UpdateNumber=2176,ExportDate=Wed Aug 22 11:11:04 2012,Detector=12.6.160120404]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no active policy configured.
 
3) DOWNLOAD AND INSTALL IDP POLICY TEMPLATES

Strictly speaking this step is not necessary; you could build your own policies from scratch. However, it is a quick and recommended way to get going, especially while you are learning.

a) Download the templates

blogger@LEFTY> request security idp security-package download policy-templates   
Will be processed in async mode. Check the status using the status checking CLI

blogger@LEFTY> request security idp security-package download status             
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2176

b) Install the templates

blogger@LEFTY> request security idp security-package install policy-templates   
Will be processed in async mode. Check the status using the status checking CLI

blogger@LEFTY> request security idp security-package install status            
Done;policy-templates has been successfully updated into internal repository
     (=>/var/db/scripts/commit/templates.xsl)!

Note that the installation of the templates created a Junos commit script, templates.xsl. It is that script that will actually put the policy templates into the config.

c) Install the script

blogger@LEFTY# set system scripts commit file templates.xsl

[edit]
blogger@LEFTY# commit
commit complete

Be patient, that commit takes some time.
Now go and have a look at your config, it's a little bit bigger, eh!

4) ACTIVATE THE IDP SECURITY POLICY

Downloading the templates has given us a few pre-packaged IDP rulebases to choose from. We must activate one (or make your own and activate that), and note that only one IDP rulebase can be active at a time.
Let's see a list of the policy templates we can choose from…

blogger@LEFTY> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended

We will go with the "Recommended" one to start with. You can simply delete the ones you don't want to use.
Even if you go with Recommended or any of the ones from the downloaded policy templates, you can edit or delete any of the rules in those policies or add your own new rules to them as well.

a) Activate the Recommended policy

blogger@LEFTY# set security idp active-policy Recommended

[edit]
blogger@LEFTY# commit
commit complete

b) Delete the commit script

blogger@LEFTY# delete system scripts

[edit]
blogger@LEFTY# commit
commit complete

c) Confirm the active IDP rulebase is “Recommended”

blogger@LEFTY> show security idp status
State of IDP: Default,  Up since: 2012-08-24 10:27:13 EST (01:32:35 ago)

Packets/second: 0               Peak: 0 @ 2012-08-24 11:42:22 EST
KBits/second  : 0               Peak: 0 @ 2012-08-24 11:42:22 EST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2012-08-24 11:42:22 EST]
  TCP: [Current: 0] [Max: 0 @ 2012-08-24 11:42:22 EST]
  UDP: [Current: 0] [Max: 0 @ 2012-08-24 11:42:22 EST]
  Other: [Current: 0] [Max: 0 @ 2012-08-24 11:42:22 EST]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  Policy Name : Recommended
  Running Detector Version : 12.6.160120404

blogger@LEFTY> show security idp policies
ID    Name                   Sessions    Memory      Detector      
 0     Recommended            0           4790846     12.6.160120404

5) APPLY IDP TO THE SECURITY RULEBASE

The IDP and security rulebases are separate. To get IDP actually functioning you enable IDP inspection on the security policy rules you want, and it is the active IDP rulebase set above that then operates on the traffic matched by that security rule.

Here is the default out-of-the-box rule with IDP applied on it.

blogger@LEFTY> show configuration security policies from-zone trust to-zone untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
    }
}

6) TEST IDP FUNCTIONALITY

Now that we have all that installed we need to test that it works.
What I want to achieve with this testing is to throw some attacks against a host and see the IDP recognize and take action against them.

My setup for this is simple:
Target: a Windows XP PC on the untrust interface (172.19.213.50) running Abyss web server and Xlight FTP server to give Backtrack something juicy to go for!
Attacker: Backtrack 5 using the Armitage app (which uses the Metasploit framework) on the trust interface (192.168.56.80).

This isn't a Backtrack/Armitage tutorial (there is plenty of info out there for that), but here are the very basic steps taken to launch the attack, remembering that my purpose here is not to hack the target but rather only to test that IDP is doing its thing.
a) Start Armitage
b) Do a quick NMAP scan of the target host so Armitage recognizes it as a target.
c) Launch the Hail Mary attack! (See this page for info about Armitage and Hail Mary: http://www.fastandeasyhacking.com/manual)

The table below shows the SRX did intercept and recognize these attacks, i.e. it works!

blogger@LEFTY> show security idp attack table             
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:PHP:CMD-INJ                             11       
  FTP:MS-FTP:IIS-BOF                           2        
  FTP:OVERFLOW:PATH-TOO-LONG                   2        
  FTP:DOS:SOLARFTP-USER-CMD                    1        
  FTP:OVERFLOW:MUL-FTP-MKDOF                   1        
  FTP:OVERFLOW:USERNAME-2-LONG                 1        
  HTTP:EXPLOIT:ILLEGAL-HOST-CHAR               1        
  HTTP:IIS:COMMAND-EXEC-ALL                    1        
  HTTP:OVERFLOW:OVWEBHELP-BO                   1        
  HTTP:OVERFLOW:WEBDAV-JAVASYSTEM              1        
  HTTP:REAL-DESCBO                             1       

blogger@LEFTY> show security idp application-statistics   
IDP applications:
  application type                                                 packet count
 ECHO                                                                    0
 DISCARD                                                                 0
 CHARGEN                                                                 0
 FTP                                                                     209
 SSH                                                                     0
 TELNET                                                                  0
 SMTP                                                                    0
 DNS                                                                     0
 GOPHER                                                                  0
 FINGER                                                                  0
 HTTP                                                                    4033
 POP3                                                                    0
 PORTMAPPER                                                              0


With the Recommended template the action is always "recommended", so how can we know what it really did for a specific attack? Let's get some more info about the first attack on the list.

blogger@LEFTY> show security idp attack description HTTP:PHP:CMD-INJ
Description: This signature detects Web downloads containing a potentially dangerous PHP script. A malicious site can exploit a known vulnerability in multiple
             PHP applications and execute arbitrary PHP commands on the victim's server.

That's cool to get that info from the CLI about the nature of the attack.

blogger@LEFTY> show security idp attack detail HTTP:PHP:CMD-INJ       
Display Name: HTTP: PHP Command Injection
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: chain
False Positives: frequently
Service: HTTP

So the action was drop.

7) EXEMPT RULEBASE

Each IPS ruleset can have an associated exempt rulebase, that is, a rulebase for traffic you do not want the IDP engine to take action on. Let's test that by creating an exempt rule that won't take any action on FTP traffic.

Here is the exempt rule…

blogger@LEFTY> show configuration security idp idp-policy Recommended rulebase-exempt
rule exempt_ftp {
    match {
        from-zone trust;
        source-address any;
        to-zone untrust;
        destination-address any;
        attacks {
            predefined-attack-groups "FTP - All";
        }
    }
}

Now we will clear the attack table and application statistics and run the attacks again.

blogger@LEFTY> clear security idp attack table

blogger@LEFTY> clear security idp application-statistics

Here are the results…

blogger@LEFTY> show security idp attack table                                            
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:PHP:CMD-INJ                             11        
  HTTP:EXPLOIT:ILLEGAL-HOST-CHAR               1         
  HTTP:IIS:COMMAND-EXEC-ALL                    1          
  HTTP:OVERFLOW:OVWEBHELP-BO                   1         
  HTTP:OVERFLOW:WEBDAV-JAVASYSTEM              1         
  HTTP:REAL-DESCBO                             1         
  HTTP:SQL:INJ:CHAR-ENCODE                     1         

Note that FTP doesn't show up now with the exempt rulebase in action.

blogger@LEFTY> show security idp application-statistics                                 
IDP applications:

  application type                                                 packet count
 ECHO                                                                    0
 DISCARD                                                                 0
 CHARGEN                                                                 0
 FTP                                                                     215
 SSH                                                                     0
 TELNET                                                                  0
 SMTP                                                                    0
 DNS                                                                     0
 GOPHER                                                                  0
 FINGER                                                                  0
 HTTP                                                                    2713
 POP3                                                                    0
 PORTMAPPER                                                              0

Even though it's not taking action against the FTP attacks, the IDP engine is still seeing and inspecting the FTP traffic, as it can still be seen in the application statistics.
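To check the effect of an exempt rule without reading the two tables by eye, here is an added Python example (my own code, not from the post or from Juniper) that parses the output of "show security idp attack table" and "show security idp application-statistics", reports which FTP attacks stopped appearing after the exempt rule, and confirms the FTP packets are still being counted. The sample strings are trimmed copies of the output shown above.

```python
import re

# Constructed sample input: a trimmed copy of the "before" and "after"
# attack tables and the "after" application statistics shown in this post.
ATTACKS_BEFORE = """\
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:PHP:CMD-INJ                             11
  FTP:MS-FTP:IIS-BOF                           2
  FTP:OVERFLOW:PATH-TOO-LONG                   2
  FTP:DOS:SOLARFTP-USER-CMD                    1
  HTTP:IIS:COMMAND-EXEC-ALL                    1
"""

ATTACKS_AFTER = """\
IDP attack statistics:

  Attack name                                  #Hits
  HTTP:PHP:CMD-INJ                             11
  HTTP:IIS:COMMAND-EXEC-ALL                    1
  HTTP:SQL:INJ:CHAR-ENCODE                     1
"""

APPS_AFTER = """\
IDP applications:

  application type                                                 packet count
 FTP                                                                     215
 SSH                                                                     0
 HTTP                                                                    2713
"""

# A data row is "<name> <integer>"; the title and header lines do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")


def parse_counts(text):
    """Parse either 'show ... attack table' or 'show ... application-statistics'
    output into {name: count}."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def exempt_effect(before_text, after_text, prefix):
    """Compare attack tables from before and after an exempt rule was added.

    'suppressed' lists attacks with the given name prefix that stopped
    appearing; 'leaked' lists any with that prefix still present, which would
    mean the exempt rule's match clause (zones, addresses, attack group) is
    narrower than intended and should be checked.
    """
    before = parse_counts(before_text)
    after = parse_counts(after_text)
    suppressed = sorted(n for n in before if n.startswith(prefix) and n not in after)
    leaked = sorted(n for n in after if n.startswith(prefix))
    return {"suppressed": suppressed, "leaked": leaked}


def still_inspected(apps_text, app):
    """True if the engine still counted packets for the application, i.e. the
    exempt rule removed the action but not the inspection."""
    return parse_counts(apps_text).get(app, 0) > 0


if __name__ == "__main__":
    print(exempt_effect(ATTACKS_BEFORE, ATTACKS_AFTER, "FTP:"))
    print("FTP still inspected:", still_inspected(APPS_AFTER, "FTP"))
```

Anything left in the "leaked" list after the exempt rule is committed means the rule's from-zone/to-zone, addresses or attack group does not cover that traffic, which is the first thing to check before assuming the engine is misbehaving.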

8) LOGGING IDP

Let's try to find a list of possible syslog messages relating to IDP…

blogger@LEFTY> help syslog | match IDP
CHASSISD_CB_READ                 chassisd could not read midplane EEPROM
CHASSISD_I2C_MIDPLANE_CORRUPT    Midplane I2C ID EEPROM was corrupted
IDP_APPDDOS_APP_ATTACK_EVENT     IDP: DDOS attack on application
IDP_APPDDOS_APP_ATTACK_EVENT_LS  IDP: DDOS attack on application
IDP_APPDDOS_APP_STATE_EVENT      IDP: DDOS application state transition event
IDP_APPDDOS_APP_STATE_EVENT_LS   IDP: DDOS application state transition event
IDP_ATTACK_LOG_EVENT             IDP attack log
IDP_ATTACK_LOG_EVENT_LS          IDP attack log
IDP_COMMIT_COMPLETED             IDP policy commit completed
IDP_COMMIT_FAILED                IDP commit exited with failure
IDP_DAEMON_INIT_FAILED           Failed to initialize IDP daemon
IDP_IGNORED_IPV6_ADDRESSES       IDP ingnores IPv6 addresses
IDP_INTERNAL_ERROR               IDP daemon encountered an internal error.
IDP_POLICY_COMPILATION_FAILED    IDP policy compilation failed
IDP_POLICY_LOAD_FAILED           Failed to load an IDP policy
IDP_POLICY_LOAD_SUCCEEDED        IDP policy loaded successfully
IDP_POLICY_UNLOAD_FAILED         Failed to unload an IDP policy
IDP_POLICY_UNLOAD_SUCCEEDED      IDP policy unloaded successfully
IDP_SCHEDULEDUPDATE_START_FAILED Failed to start scheduled update
IDP_SCHEDULED_UPDATE_STARTED     Scheduled update has started
IDP_SECURITY_INSTALL_RESULT      IDP security package install result
IDP_SESSION_LOG_EVENT            IDP session event log
IDP_SESSION_LOG_EVENT_LS         IDP session event log
IDP_SIGNATURE_LICENSE_EXPIRED    IDP signature update license key has expired

From the descriptions it looks like we will want to match on the string "IDP_ATTACK_LOG_EVENT".

I want to send the IDP attack logs to a remote syslog server (Splunk in this case, free for 500MB of logging data a day!).

Here is the config under system/syslog for that…

host 192.168.56.50 {
    any any;
    match IDP_ATTACK_LOG_EVENT;
    source-address 10.10.10.5;
}

And here is the result from the Splunk search screen:


Note that the action on the second entry equals none, showing that not all the Recommended policy actions will be drop.
Finally, note that in order for those log messages to show up in the syslog (or local log if you did it that way), each IDP rule that you want to log must have the notification log-attacks set.

blogger@LEFTY> show configuration security idp idp-policy Recommended rulebase-ips rule 1
/* This rule is designed to protect your networks against important TCP/IP attacks. */
match {
    from-zone any;
    source-address any;
    to-zone any;
    destination-address any;
    application default;
    attacks {
        predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
    }
}
then {
    action {
        recommended;
    }
    notification {
        log-attacks;
    }
}
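Since the Splunk screenshot can't be reproduced here, here is an added Python example (mine, not from the post or from Juniper) that does the same kind of triage over raw IDP_ATTACK_LOG_EVENT lines: it pulls out the attack name, action, severity, rule and addresses, tallies hits per attack with the action taken, and lists the entries where the action was NONE. The sample lines are constructed for this example and follow the general shape of the Junos message as I know it; check the exact field layout against your own release before relying on the regex.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines. The field layout follows the general shape
# of a Junos IDP_ATTACK_LOG_EVENT message as I know it, but these lines were
# written for this example and are not copied from the device in the post.
SAMPLE_SYSLOG = """\
Aug 24 12:01:10 LEFTY RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1345773670, SIG Attack log <192.168.56.80/44321->172.19.213.50/80> for TCP protocol-id 6 and service HTTP by rule 4 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:PHP:CMD-INJ, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/1.0->untrust:fe-0/0/0.0, packet-log-id: 0 and misc-message -
Aug 24 12:01:11 LEFTY RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1345773671, SIG Attack log <192.168.56.80/44322->172.19.213.50/80> for TCP protocol-id 6 and service HTTP by rule 4 of rulebase IPS in policy Recommended. attack: repeat=0, action=NONE, threat-severity=MEDIUM, name=HTTP:EXPLOIT:ILLEGAL-HOST-CHAR, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/1.0->untrust:fe-0/0/0.0, packet-log-id: 0 and misc-message -
Aug 24 12:01:12 LEFTY RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1345773672, SIG Attack log <192.168.56.80/44323->172.19.213.50/80> for TCP protocol-id 6 and service HTTP by rule 4 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:PHP:CMD-INJ, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:fe-0/0/1.0->untrust:fe-0/0/0.0, packet-log-id: 0 and misc-message -
Aug 24 12:01:13 LEFTY idpd[1653]: IDP_COMMIT_COMPLETED: IDP policy commit completed
"""

# Fields we care about, in the order they appear in the message.
EVENT = re.compile(
    r"IDP_ATTACK_LOG_EVENT: .*?"
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)>.*?"
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\w+) in policy (?P<policy>\S+)\..*?"
    r"action=(?P<action>\w+).*?threat-severity=(?P<severity>\w+).*?name=(?P<name>[^,\s]+)"
)


def parse_attack_events(text):
    """Return one dict per IDP_ATTACK_LOG_EVENT line; other IDP messages
    (commit results, scheduled updates, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            events.append(m.groupdict())
    return events


def hits_by_attack(events):
    """{attack name: {action: count}}, the same view as the attack table
    but with the action the policy actually took."""
    table = defaultdict(Counter)
    for e in events:
        table[e["name"]][e["action"]] += 1
    return {name: dict(c) for name, c in table.items()}


def logged_only(events, severities=None):
    """Events the policy logged but did not act on (action=NONE). With the
    'recommended' action that is expected for some signatures; pass e.g.
    severities={"HIGH", "CRITICAL"} to keep only the ones worth a look."""
    return [
        e for e in events
        if e["action"] == "NONE" and (severities is None or e["severity"] in severities)
    ]


if __name__ == "__main__":
    evs = parse_attack_events(SAMPLE_SYSLOG)
    print(hits_by_attack(evs))
    for e in logged_only(evs):
        print("logged only:", e["name"], e["severity"], e["src"], "->", e["dst"])
```

The action field is the thing the attack table does not give you: counting NONE entries per signature tells you how much of what the Recommended policy "saw" it actually blocked, and the severity filter keeps the review list short.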

9) AUTOMATIC UPDATES

The SRX can, like any other similar device, automatically update its IDP signatures. Let's set that up and test it.

a) Specify the URL to use.

blogger@LEFTY# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi

[edit]
blogger@LEFTY# commit
commit complete

b) Create a schedule for the automatic downloads.

blogger@LEFTY# set security idp security-package automatic interval ?
Possible completions:
  <interval>           Interval (24..336 hours)
[edit]
blogger@LEFTY# set security idp security-package automatic interval 24 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  enable               Enable
  start-time           Start time (YYYY-MM-DD.HH:MM:SS)
  |                    Pipe through a command
[edit]
blogger@LEFTY# set security idp security-package automatic interval 24 start-time 2012-08-24.15:45:00

[edit]
blogger@LEFTY# set security idp security-package automatic enable

[edit]
blogger@LEFTY# commit
commit complete

Let's also create a specific file to log these updates.
Here is the config under system/syslog for that…

file IDP_OPERATIONS {
    any any;
    match IDP_SCHEDULE;
    archive size 500k files 3 world-readable;
}

I've set the auto update to happen a few minutes after all the above was done.

After the allotted time we check the log file to see what happened with the auto update.

blogger@LEFTY> show log IDP_OPERATIONS
Aug 24 15:45:55  LEFTY idpd[1653]: IDP_SCHEDULEDUPDATE_START_FAILED: Failed to start scheduled update(error:Done;No newer version available or other error. For detail, see (/var/tmp//sec-download/SignatureUpdate_tmp.xml) !)

Let's check that file…

blogger@LEFTY> file show /var/tmp//sec-download/SignatureUpdate_tmp.xml
<?xml version="1.0" encoding="UTF-8"?>
<SignatureUpdateErrors>
<XMLVersion>1.0.0</XMLVersion>
<Errors>
<Error code="206">
<Display>The from value passed is the same as the to value passed</Display>
</Error>
</Errors>
</SignatureUpdateErrors>

So we have the latest version. That's why it didn't download.

Our version…

blogger@LEFTY> show security idp security-package-version         
  Attack database version:2176(Wed Aug 22 11:11:04 2012)
  Detector version :12.6.160120404
  Policy template version :2176

Latest online version…

blogger@LEFTY> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2176(Detector=12.6.160120404, Templates=2176)

Yep, the same.
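As an added example (not from the post or from Juniper), here is a small Python script that turns the check just done by hand into a scripted one: it parses the local and server version strings, reads the SignatureUpdate_tmp.xml error file, and classifies an IDP_SCHEDULEDUPDATE_START_FAILED as benign when the device is already at the server's version, as the post concludes, or as something to look into when it isn't. The sample strings are the outputs shown above, embedded as constructed strings; treating error code 206 as "already current" rests only on what this post observed.

```python
import re
import xml.etree.ElementTree as ET

# Sample input copied from the CLI output shown in this post, embedded here
# as constructed strings so the example runs offline.
LOCAL_VERSION = """\
  Attack database version:2176(Wed Aug 22 11:11:04 2012)
  Detector version :12.6.160120404
  Policy template version :2176
"""

SERVER_VERSION = """\
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2176(Detector=12.6.160120404, Templates=2176)
"""

UPDATE_ERRORS_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<SignatureUpdateErrors>
<XMLVersion>1.0.0</XMLVersion>
<Errors>
<Error code="206">
<Display>The from value passed is the same as the to value passed</Display>
</Error>
</Errors>
</SignatureUpdateErrors>
"""

# Error code seen in the post when the device already has the latest package
# (assumption based on this one observation, not on Juniper documentation).
ALREADY_CURRENT = "206"


def parse_local_version(text):
    """From 'show security idp security-package-version'."""
    db = re.search(r"Attack database version:(\d+)", text)
    det = re.search(r"Detector version\s*:(\S+)", text)
    tpl = re.search(r"Policy template version\s*:(\d+)", text)
    return {"attack_db": int(db.group(1)), "detector": det.group(1),
            "templates": int(tpl.group(1))}


def parse_server_version(text):
    """From 'request security idp security-package download check-server'."""
    m = re.search(r"Version info:(\d+)\(Detector=([^,]+), Templates=(\d+)\)", text)
    return {"attack_db": int(m.group(1)), "detector": m.group(2),
            "templates": int(m.group(3))}


def parse_update_errors(xml_text):
    """Read SignatureUpdate_tmp.xml into [(code, message), ...]."""
    root = ET.fromstring(xml_text)
    return [(err.get("code"), (err.findtext("Display") or "").strip())
            for err in root.iter("Error")]


def classify_update(local, server, errors):
    """Turn an IDP_SCHEDULEDUPDATE_START_FAILED into something actionable:
    'current' - device already at the server's version, the failure is benign
    'behind'  - server has a newer package but the update did not happen
    'error'   - something else; read the error messages"""
    codes = {code for code, _ in errors}
    if local["attack_db"] >= server["attack_db"] and codes <= {ALREADY_CURRENT}:
        return "current"
    if local["attack_db"] < server["attack_db"]:
        return "behind"
    return "error"


if __name__ == "__main__":
    local = parse_local_version(LOCAL_VERSION)
    server = parse_server_version(SERVER_VERSION)
    errors = parse_update_errors(UPDATE_ERRORS_XML)
    print(local, server, errors, classify_update(local, server, errors))
```

The useful output is the "behind" case: a scheduled update that fails while the server really does have a newer package is the one that deserves an alert, whereas the log line in the post would otherwise look identical.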

----------------

That concludes this introduction to IDP on the SRX.
This has just touched the surface and there is a lot more you can do and configure on this topic, such as creating your own signatures and using IP actions.

Model: srx100h
JUNOS Software Release [12.1R3.5]

6 comments:

  1. Thanks for doing that and showing it all working too. Useful.

  2. Hi Buddy
    Can you help me? Recently I have configured an SRX240H. Everything is functioning properly, but I ran into a problem during IPS configuration. I have created a custom IDP policy named "IDP". After creating rules I declared that as the active policy, but it is not working. The log shows "loading failed". I attach a few lines of log. Please help me. I also found that "IDP" is not shown in the /var/db/scripts/commits directory.
    As a second solution, I downloaded the templates and then tried to add some extra rules under the policy "Recommended" from the template list. That also failed.

    Regards
    Mustafiz

    .
    .
    .
    .

    Dec 8 13:19:00 Warning: active policy configured but no application package installed, attack may not be detected!
    Dec 8 13:19:00 idpd_need_policy_compile:482 Active policy path /var/db/idpd/sets/IDP.set
    Dec 8 13:19:04 Active Policy (IDP) rule base configuration is changed so need to recompile active policy
    Dec 8 13:19:05 Compiling policy IDP....
    Dec 8 13:19:05 Apply policy configuration, policy ops bitmask = 41
    Dec 8 13:19:08 Starting policy(IDP) compile with compress; dfa compile flags(0x000000f1)...
    Dec 8 13:21:21 [attack_snmp_first] No data in local table.

    Dec 8 13:26:21 [attack_snmp_first] No data in local table.

    Dec 8 13:29:00 policy compilation memory estimate: 34636972
    Dec 8 13:29:49 ...Passed
    Dec 8 13:29:49 Starting policy package...
    Dec 8 13:30:21 ...Policy Packaging Passed
    .
    .
    .
    .
    Dec 8 13:30:30 Starting policy load...
    Dec 8 13:30:30 Loading policy(/var/db/idpd/bins/IDP.bin.gz.v + /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v + /var/db/idpd/bins/compressed_ai.bin)...
    Dec 8 13:30:30 idpd_dev_add_ipc_connection called...
    Dec 8 13:30:30 idpd_dev_add_ipc_connection: done.
    Dec 8 13:31:22 [attack_snmp_first] No data in local table.

    Dec 8 13:31:36 idpd_policy_load: creating temp tar directory '/var/db/idpd//bins/2c0248f3'
    Dec 8 13:31:37 sc_policy_unpack_tgz: running addver cmd '/usr/bin/addver -r /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v /var/db/idpd//bins/2c0248f3/__temp.tgz > /var/log/idpd.addver'
    Dec 8 13:31:41 sc_policy_unpack_tgz: running tar cmd '/usr/bin/tar -C /var/db/idpd//bins/2c0248f3 -xzf /var/db/idpd//bins/2c0248f3/__temp.tgz'
    Dec 8 13:31:44 idpd_policy_load: running cp cmd 'cp /var/db/idpd//bins/2c0248f3/detector4.so /var/db/idpd//bins/detector.so'
    Dec 8 13:31:48 idpd_policy_load: running chmod cmd 'chmod 755 /var/db/idpd//bins/detector.so'
    Dec 8 13:31:48 idpd_policy_load: running rm cmd 'rm -fr /var/db/idpd//bins/2c0248f3'
    Dec 8 13:31:49 idpd_policy_load: detector version: 12.6.160120907
    Dec 8 13:31:49 idpd_comm_server_get_event:545: evGetNext got event.
    Dec 8 13:31:49 idpd_comm_server_get_event:553: evDispatch OK
    Dec 8 13:31:49 idp_policy_loader_command: sc_klibs_subs_policy_pre_compile() returned -1000 (FAILED)

    Dec 8 13:31:49 idpd_policy_load: idp policy parser pre compile failed after (0) retries
    Dec 8 13:32:06 IDP policy loading failed policy :[/var/db/idpd/bins/IDP.bin.gz.v];detector:/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v;reason:[idp policy parser pre compile failed]
    Dec 8 13:32:06 idpd_dev_add_ipc_connection called...
    Dec 8 13:32:06 idpd_dev_add_ipc_connection: done.
    Dec 8 13:32:06 idpd_comm_server_get_event:545: evGetNext got event.
    Dec 8 13:32:06 idpd_comm_server_get_event:553: evDispatch OK
    Dec 8 13:32:06 Previously loaded policy (Recommended) exists, skipping last good policy load
    Dec 8 13:32:06 ...Failed
    Dec 8 13:32:06 idpd_policy_apply_config:2836:(idpd_policy_config_apply(pname, NULL, op)):
    Dec 8 13:32:06
    ...idpd commit end
    Dec 8 13:32:06 Returning from commit mode, status = 0.
    Dec 8 13:32:06 [get_secupdate_cb_status] state = 0x1
    Dec 8 13:32:06 Got signal SIGCHLD....


    {primary:node0}

  3. Hi Mustafiz,

    Did you try to use an unaltered policy template just to see if that can work?

    What do you get if you show:
    show security idp security-package-version
    show security idp status

    Can you show the IDP config?

  4. Why is there a need for deleting the system scripts?
    Would you explain please?

  5. All guides provided by Juniper always seem to include that step. Juniper explain it thus...
    "By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration"

  6. Are there syslogs generated when an exempt rule matches traffic?
