How to write SRX IDP Custom Attack/Signature

Here is a sample configuration of a custom attack configuration on SRX. It is very basic and does only block URLs having *.exe in path and sends a RST back to the client. My regex might not be %100 correct but it has no purpose rather than showing a simple configuration;

1) Configure custom attack

[edit security idp]
root@srx1# show custom-attack block-exe
recommended-action close-client;
severity major;
attack-type {
    signature {
        context http-url-parsed;
        pattern ".*\.\[exe\]";
        direction client-to-server;
    }
}

2) Either create a new rule or attach this attack to an existing rule. I created a new rule under active idp-policy which is Recommended

[edit security idp]
root@srx1# show idp-policy Recommended rulebase-ips rule 10
match {
    from-zone attacker;
    source-address any;
    to-zone victim;
    destination-address victim1;
    application default;
    attacks {
        custom-attacks block-exe;
    }
}
then {
    action {
        recommended;
    }
}

3) Make sure active policy is Recommended and applied to a policy

[edit security idp]
root@srx1# show active-policy
active-policy Recommended;
[edit]
root@srx1# show security policies from-zone attacker to-zone victim
policy attacker-to-victim {
    match {
        source-address attacker1;
        destination-address victim1;
        application any;
    }
    then {
        permit {
            application-services {
                                  idp;
            }
        }
    }
}

4) Once ready send a test http request

--2011-09-22 21:34:53--  (try: 2)  http://victim/html.exe
Connecting to victim|10.1.1.2|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

--2011-09-22 21:34:55--  (try: 3)  http://victim/html.exe
Connecting to victim|10.1.1.2|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

Because we receive a RST sent by SRX, we see this “connection reset by peer” message.

Last but not least, when you change idp policy, there is a compilation process that needs to be completed. Till then, you will still be using the previous policy. To check compilation process run;

[edit]
root@srx1# run show security idp policy-commit-status
 Compiling policy...

As it can be seen policy is still being compiled. Lets try once again;

[edit]
root@srx1# run show security idp policy-commit-status
 IDP policy[/var/db/idpd/bins/Recommended.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
 The loaded policy size is:3493926 Bytes

Now the compilation is completed and you can see the new policy in effect.

5) What if we want to enforce some rules after this attack is detected?
For example: we want to block rest of the connection for 60 secs
Here is the new rule with the new “ip-action” settings;

[edit security idp idp-policy Recommended rulebase-ips rule 10]
root@srx1# show
match {
    from-zone attacker;
    source-address any;
    to-zone victim;
    destination-address victim1;
    application default;
    attacks {
        custom-attacks block-exe;
    }
}
then {
    action {
        recommended;
    }
    ip-action {
      ip-block;
      target source-address;
      timeout 60;
    }
}

If you want to see the rule in action;

[edit security idp idp-policy Recommended rulebase-ips]
root@srx1# run show security flow ip-action
Src-Addr        Src-Port Dst-Addr        Dst-Port/Proto Timeout(sec) Zone       Action
10.2.2.2        *        *               */*            55/60        *          drop

From output you can see that connection has been dropped for 60 secs in total and 55 secs left to permit the connection once again.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN, currently living in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


8 thoughts on “How to write SRX IDP Custom Attack/Signature”

  1. Your pattern has more match than is necessary, to be honest. Every URL starts with /, so looking for it is a bit unnecessary. Putting a dot-star before it equally so.

    Furthermore, the pattern in its current state is case-sensitive, and would miss files with .EXE, .eXe, .ExE and so on. A more suitable DFA pattern would be:

    .*.[exe]

    The escaped open and close brackets denote the range of case-insensitivity.

    Finally, for URL path inspection, a better context would be the http-get-url-parsed or just http-url-parsed – this context parses any encoding tricks (such as “%2e%65%78%65” which is one way of many to encode “.exe”).

    Doing the parsed context + making it case-insensitive increase the signature’s effectiveness significantly by making it evasion-resistant. Dropping the extraneous dot-star slash check reduces DFA states by ~28%, increasing performance.

    SRX also has a feature called “Application Intelligence” (AI), which detects services/applications regardless of their default ports. By specifying the application, however, you’ve actually disabled AI and forced the signature to only be inspected on the SRX’s default pre-defined application port for HTTP, which is TCP/80.

    In order to maximize detection, we need to leverage AI. To do so, the correct application binding value should be “default” rather than “junos-http”. This tells the SRX to select applications the rule is looking for based on the signatures’ service contexts used in that rule (in this case, http-*) and then leverages AI to find those applications on any port.

  2. Thanks Bryan and Dave for your valuable feedback, I have corrected my mistakes. I hope it looks better now.

  3. can you inport snort rules straight into a juniper IPS or is there some kind of conversion that needs to take place using a tool or something?

  4. Hi can you help me..i have SRX 1400 at client site, IDP/IPS both license are there. I want to block facebook. Can i create a signature based policy for http or https traffic comes for facebook. can anybody tell me or give me some particular hint about this configuration using regular expression?please mail me the solution at jaishan.kashyap@gmail.com

Leave a Reply to Dave Killion Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.