Category Archives: idp_ips

Updating attack database of srx cluster node1

When you have an SRX cluster and you need to update/install the IDP attack database on the second node,
you will realize that it isn’t done automatically (before the 12.1 release). You can update/install the active node but not the other. The workaround is to manually copy the attack DB files to the second node and install them there. Here is how we do it:

Copy the attack DB files to the 2nd node:

Install the new files on the 2nd node:

After a while, once the compilation finishes, you will have output similar to my cluster:

Sending IDP and traffic logs to a syslog server in SRX

If you want to forward your IDP and traffic session logs to a syslog server, here is how we can do it:

1) First, inside the security policy we should set that we want to log session initiations, e.g.:


How to block Skype on SRX

To test how SRX blocks Skype logins I have done the following test and it worked:

1) Create a test IDP policy named My_Policy

One thing I have noticed is that if you don't use ip-block as the ip-action, IDP triggers the close-client event but the login is still successful.


How to uninstall IDP module in SRX

I would like to share my experiment on uninstalling the IDP module on an SRX100 device. Please take this as a test case and use it at your own discretion, as I only tested a manual removal of files and then re-installed the IDP module.

1) First, disable the IDP process

2) Delete everything related to IDP in the configuration

3) And commit the changes

4) Below is the list of files related to IDP

5) I have removed all of these files along with the sec-download and nsm-download content.

6) Reboot the box. If you don't reboot the box, you will still have something related to the old IDP policy.

After all of these, I re-installed IDP as described in my other post and I have got it working.
I have received a temporary error during my installation attempt like below:
opening file(/var/db/idpd/sec-download/sub-download/SignatureUpdate.xml) failed;No such file or directory
But after a few attempts it resolved :) maybe I had made a mistake.

Good luck!

How to write SRX IDP Custom Attack/Signature

Here is a sample configuration of a custom attack on SRX. It is very basic: it only blocks URLs having *.exe in the path and sends an RST back to the client. My regex might not be 100% correct, but it has no purpose other than showing a simple configuration:

1) Configure custom attack

2) Either create a new rule or attach this attack to an existing rule. I created a new rule under the active idp-policy, which is Recommended

3) Make sure the active policy is Recommended and that IDP is applied in a security policy

4) Once ready, send a test HTTP request

Because we receive an RST sent by the SRX, we see this “connection reset by peer” message.

Last but not least, when you change the IDP policy, there is a compilation process that needs to complete. Until then, you will still be using the previous policy. To check the compilation process, run:

As can be seen, the policy is still being compiled. Let's try once again:

Now the compilation is completed and you can see the new policy in effect.

5) What if we want to enforce some rules after this attack is detected?
For example: we want to block the rest of the connection for 60 secs.
Here is the new rule with the new “ip-action” settings:

If you want to see the rule in action:

From the output you can see that the connection has been dropped for 60 secs in total and 55 secs are left before the connection is permitted once again.
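The configuration blocks of this post did not survive on this archive page, so the following is an added, self-contained example of the procedure in steps 1 to 5, in Junos set-command form. It is not the blog author's configuration; the attack name Block_EXE_Download, the rule name Block_EXE, the zones trust/untrust, the security policy name Allow_Out and the pattern are all my own choices, and the 60-second ip-block timeout is the value the post uses.

```junos
## Added example (not from the original post). Names and zones are placeholders.
## 1) Custom attack: signature on the HTTP URL context, client-to-server only,
##    recommended action close-client (RST to the client side).
set security idp custom-attack Block_EXE_Download severity major
set security idp custom-attack Block_EXE_Download recommended-action close-client
set security idp custom-attack Block_EXE_Download attack-type signature context http-url
set security idp custom-attack Block_EXE_Download attack-type signature pattern ".*\.exe"
set security idp custom-attack Block_EXE_Download attack-type signature direction client-to-server

## 2) and 5) Rule in the Recommended policy: match the custom attack, reset the
##    client, log it, and block further traffic from the source for 60 seconds.
set security idp idp-policy Recommended rulebase-ips rule Block_EXE match from-zone any to-zone any
set security idp idp-policy Recommended rulebase-ips rule Block_EXE match application default
set security idp idp-policy Recommended rulebase-ips rule Block_EXE match attacks custom-attacks Block_EXE_Download
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then action close-client
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then notification log-attacks
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then ip-action ip-block
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then ip-action target source-address
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then ip-action timeout 60
set security idp idp-policy Recommended rulebase-ips rule Block_EXE then ip-action log

## 3) Activate the policy and apply IDP inside a security policy.
set security idp active-policy Recommended
set security policies from-zone trust to-zone untrust policy Allow_Out match source-address any
set security policies from-zone trust to-zone untrust policy Allow_Out match destination-address any
set security policies from-zone trust to-zone untrust policy Allow_Out match application any
set security policies from-zone trust to-zone untrust policy Allow_Out then permit application-services idp
commit

## 4) Verification from operational mode (the policy only takes effect after compilation):
##   show security idp policy-commit-status
##   show security idp attack table
##   show security idp ip-action
```

The ip-action target source-address line is what makes the 60-second block apply to the offending client rather than only to the single session that was reset; without ip-block, as the Skype post above also notes, the session is closed but a fresh connection is allowed straight away. show security idp ip-action lists the active blocks with their remaining timeout.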

How to enable IDP on SRX

If you want to enable IDP on an SRX device, you have to issue a certain number of commands, which I list step by step from scratch:

1) Install the license first if it hasn’t been installed yet. You can see whether it is installed via “show system license installed”; if this command doesn’t give any output, get your license from Juniper and follow the steps below. (Bold italic text is my sample license)
