how to block skype on SRX

To test how SRX blocks skype logins I have done the followings test and it worked;

1) Create a test IDP policy named My_Policy

root@ankara# show idp-policy My_Policy
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks [ VOIP:SKYPE:LOGIN VOIP:SKYPE:PROBE-1 ];
            }
        }
        then {
            action {
                close-client;
            }
            ip-action {
                ip-block;
                target destination-address;
            }
            notification {
                log-attacks;
            }
        }
    }
}

One thing I have noticed is if you dont use ip-block as ip-action, idp triggers the close-client event but login is still successful.

2) Apply the policy as active

#set security idp idp-policy My_Policy

3) Use it in a security policy

#set security policies from-zone lan to-zone wan policy local-to-wan then permit application-services idp

4) Enable logging to see what is going on

#set system syslog file idp_log any any
#set system syslog file idp_log match RT_IDP

5) Commit the config and check policy compilation;

root@ankara> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins/My_Policy.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:5426 Bytes

6) Once the compilation is completed, try to login to skype and watch the logs. You must see something similar like below;

root@ankara# run show log idp_log
Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, SIG Attack log <192.168.100.2/37731->212.187.172.78/443> for TCP protocol and service SERVICE_IDP application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=CLOSE_CLIENT, threat-severity=INFO, name=VOIP:SKYPE:LOGIN, NAT <172.30.73.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -
Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log <192.168.100.2/37731->212.187.172.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT <172.30.73.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -

7) You can also see which IP addresses are blocked;

root@ankara> show security flow ip-action
Src-Addr Src-Port Dst-Addr Dst-Port/Proto Timeout(sec) Zone Action
* * 212.8.166.35 */* never * drop
* * 213.166.51.4 */* never * drop
* * 212.187.172.78 */* never * drop

Below is my system details if you want to compare;

root@ankara> show version
Hostname: ankara
Model: srx100h
JUNOS Software Release [10.4R7.5]

root@ankara> show security idp security-package-version
Attack database version:2053(Tue Dec 27 14:15:02 2011)
Detector version :11.6.160110920
Policy template version :2053