Juniper SRX Series by Rob Cameron, Brad Woodberg

We already discussed the packet flow on the SRX when it comes to session setup, steady state processing, and session close. Now let’s focus in more depth on what happens to packet processing in terms of the IPS. It is important to remember that for the high-end SRX, a session is always anchored to a single SPU for the duration of its lifetime. The same holds true in the case of IPS. IPS is always going to be inspected on the same SPU as that of the firewall flow. Unlike previous generations of Juniper IDP platforms and many other vendors’ products, the SRX does not require special hardware to perform its IPS processing. Instead, all IPS services are processed in the SPU itself. If additional IPS processing power is required, the administrator need only add additional SPUs.

The SRX IPS functionality is tightly tied to its firewall functionality.

Figure 13-6 illustrates a high-level flow chart of how packet processing operates in the SRX with regard to the different services. Note that IPS is one of the last things to be processed in the services chain. That means if the traffic is not permitted by a firewall policy (which must also reference it to be inspected by IPS), the traffic never hits the IPS engine. This is intentional, because you don’t want to burden the IPS with inspecting traffic that is ultimately going to be dropped by some other mechanism anyway.

Figure 13-6. First path packet processing

One of the great things about the SRX IPS implementation is that it offers a great deal of granularity. Unlike many other vendors’ implementations, the SRX allows you to enable IPS processing on a firewall rule-by-rule basis, rather than just turning on inspection across the board. This means traffic that is not marked by a firewall rule to be processed by IPS completely bypasses the IPS. Traffic that is marked for IPS processing is then handed off to the IPS engine.

As mentioned, all IPS-bound traffic must be processed by the stateful firewall flow engine first (known as flowd). For now, suffice it to say that if the IPS engine needs to process traffic, the traffic will be handed off after the firewall has completed its processing (and only for permitted traffic). Within the IPS engine there are several stages of processing, as illustrated in Figure 13-7.

Figure 13-7. IPS processing flow chart

IPS processing on the SRX can be broken down into eight general stages of processing:

One theme in IPS processing that reoccurs throughout this chapter (and in other references) is the notion of client-to-server versus server-to-client traffic. There are typically two directions of traffic flow in modern client/server applications (with the exception of, say, multicast, which is primarily the multicast server sending to the clients). The client is always considered the device that initiates the connection (the source) and the server is the device that is accepting the connection (the destination). This is true even if the client is uploading data to the server.

This is important to know as an IPS administrator, and it’s very important for creating custom attack objects. With that explanation, let’s explore the significance of client-to-server versus server-to-client attacks:

Traditionally, there are a few different modes for deploying an IPS in the network. In the past, often an IPS was a device that sat transparently in the network, simply inspecting traffic as it passed through. Another option was that you could use sniffer mode, which passively listened for out-of-band attacks from the network traffic. This is typically accomplished via SPAN port or network tap. Rarely was an IPS deployed in routed mode, although some standalone IPS systems support that.

The SRX is a different story, because it is a full-featured router, firewall, and IPS device that can serve all of these needs.

To aid in the accuracy and performance of IPS inspection, the SRX uses a concept called contexts to match an attack in the specific place where it occurs in the application protocol. This helps to ensure that performance is optimized by not searching for attacks where they would not occur, and it limits false positives. There could be many contexts within a single message. The SRX supports about 600 contexts at the time of this writing. Here is an example of an HTTP header message and the associated values and contexts (in bold, not found in the actual message) in that message:

GET /index.html Http1.1 http-get-url
Host: www.company.com http-header-host
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg http-header-accept
Accept-Language: en http-header-accept-language
Accept-Encoding: gzip, deflate http-header-content-encoding
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)http-header-user-agent

Juniper maintains documentation that describes all of the different contexts and their associated function. You can find the documentation by searching the Juniper Support Knowledge Base.

Juniper provides predefined attack objects (both protocol anomaly and signatures) individually and in predefined groups to customers who have active licenses. The predefined attack objects cannot be edited for the most part; however, you can use these as a basis for creating custom attack objects. At the time of this writing, there are more than 9,000 predefined attack objects, and the number is growing every day as new threats emerge. Another feature of Juniper predefined attack objects is that customers can view the actual patterns that are used for signature-based attack objects. Many other vendors keep their signatures closed, which affects customers because they cannot view how the IPS is matching patterns (particularly with pattern matching). Juniper keeps only some signatures closed, if they are providing protection prior to when the vendor has a chance to patch the vulnerability, to ensure that the protection is not going to impact the community.

In addition to the vast number of predefined attack objects that are provided as part of the IPS license, you also have a great deal of control over creating your own signature-based attack objects in the SRX. Additionally, you can create custom objects for application identification on the SRX so that you can identify not only custom attacks, but also custom applications. We covered this in greater detail in the section Attack Object Types.

Two types of custom attack groups can be configured in the SRX: static attack groups and dynamic attack groups. The primary difference is that static attack groups are exactly that: you must manually add or remove any attacks into this group. The only thing that will change is if an attack object itself is changed as part of an update, and then its contents will be updated; otherwise, the group does not change. Dynamic attack groups give you the ability to define filters that select which attacks are added into the attack group. The filters can be complex and can consist of multiple factors to identify attack objects to be selected for the dynamic attack group.

Multiple severity levels are used to define the impact an attack can have on a system.

A common question that many IPS administrators have concerns what impact different signatures have on the performance of their IPS (or in this case, the SRX). There is no simple answer to this question, in part because the impact that individual signatures have is not linear and based on the number of signatures, as some signatures have more of a performance impact than others. Generally speaking, the signatures that perform “context”-based matching are going to be the most efficient, as they only perform inspection based on specific locations of protocols; these would be followed by stream signatures, which inspect the entire stream up to a certain limit (e.g., 1 Kb). Signatures that inspect the entire stream for the duration of the session will generally have the worst performance. Juniper attempts to take the guesswork out of signature performance by classifying the signatures with the greatest impact on performance as being low-performing. These signatures are placed under the MISC category and also have a field called Performance. You can filter on the Performance values in dynamic attack groups, or just avoid the MISC signatures wherever possible.

It is important to understand that when you add signatures into the policy, regardless of whether you are permitting, blocking, or exempting them, you are performing inspection first and then determining what to do once an attack is found. For instance, the traffic is examined by the detector engine, and then it is examined again after a signature is matched based on what has been compiled into the policy. After a signature has been matched, the SRX will do a policy lookup to determine what the action should be for the respective traffic (based on the rulebase). This is the case regardless of the action or of whether it is exempted in the policy. The key takeaway is that by having a signature anywhere in the policy, you are going to take a performance hit for traffic matching that protocol. If you do not add an attack object into the policy, it will not be compiled into the policy, and therefore it won’t impact performance. As mentioned earlier, attack objects don’t all have the same performance impacts. Some signatures require more pattern matching than others, resulting in more computational cycles being spent on packet processing.

Understanding the performance impacts of the signatures is not meant to discourage you from deploying a sensible policy, but rather to empower you to understand how policies are impacted by their contents. When performance is the primary concern, you should craft your policy to only the essential attack objects that are necessary to inspect the traffic and provide adequate coverage. Rather than deploying a broad policy, you should create a policy that is very specific in the attack objects that are included. You can do this by using both static and dynamic attack object groups to select the signatures that should be added based on the components of the traffic itself. If your concerns are more focused on coverage rather than security, you can deploy a policy that has broader protection, but also signatures that are meant to provide protection or visibility for the traffic. As we progress through this chapter, we explore the mechanisms to configure and tune an effective policy for the SRX.

The IPS functionality in the SRX is composed of rulebases. Each rulebase consists of rules that define what traffic to match, and then what action to take on that traffic. At the time of this writing, three rulebases are part of the SRX IPS policy:

Each rule has match criteria to identify which traffic will have a particular action applied to it. There are several components of the match criteria, many of which are also present in the firewall policy. These criteria are not redundant, as the firewall policy identifies what traffic is to be sent to the IPS engine, and then the IPS engine applies IPS inspection based on the contents of that traffic. The following criteria are evaluated as part of the different rulebases:

On an IPS rule-by-rule basis, you can define what actions should be taken when the appropriate criteria are matched in the IPS engine. You can enforce two types of actions on the traffic: IPS actions and IP actions.

IPS actions perform an action on the offending traffic, whereas IP actions can take action on future sessions (e.g., preventing them). They are exclusive of each other, so you can configure one or the other, but it usually makes sense to configure IPS actions if you are using IP actions for a session. Additionally, you can configure logging and packet capture on a rule-by-rule basis.

The following lists define the IPS and IP actions available for the SRX. Note that these are available for the IPS rulebase, as the Exempt rulebase simply defines scenarios for which no action, logging, or attack counters should be triggered when an attack is matched.

Packet logging

The IPS packet logging feature is supported on the high-end SRX and is in beta for the SRX branch at the time of writing this book. The PCAPs are not stored locally, but rather are exported via DMI on the data plane to a PCAP receiver. Today, the STRM supports acting as a PCAP receiver that can integrate the IPS attack logs with the PCAP data for local viewing or for downloading for a packet viewing tool like Wireshark (see Figure 13-8).

Figure 13-8. STRM PCAP capture/viewer/download

The packet capture feature is flexible. You can configure it on an IPS rule-by-rule basis, and also define how many packets both before and after the attack should be included. You do need to exercise some caution when enabling packet captures. When packet captures are enabled, you can log packets both prior to and following the attack. To accommodate the capture before an attack functionality, the SRX must buffer packets in all flows prior so it does take some additional memory and processing cycles. Capturing packets after an attack is much more straightforward and has less of an impact. On top of that, if you are logging lots of attacks, you must also send the packet captures externally. For all of these reasons, packet logging should be strictly applied, and not applied across the board with all attacks. Besides the ability to apply packet captures on an IPS rule-by-rule basis, there are also a few parameters that you can configure.

Host

This is the host that receives the PCAP information. You also define the UDP port that will be used to send the data. This configuration is required.

Source-Address

This is part of the configuration for sending the PCAP information to the logging host. This IP address is arbitrary, and you do not have to have it be the IP address of the SRX, but typically it’s a best practice to do so.

Max Sessions

You can configure a percentage value (1 percent to 100 percent) of sessions that are tracked with packet logs. This is an important way to limit how many sessions are processed for resource purposes.

Total-Memory

You can define the percentage of memory that can be allocated to the packet capture feature.

Policy Configuration

Within an IPS security policy, you can define how the packets should be logged on the SRX. Within the rule, you can define the following values (which should be used with care to ensure that memory is not overused for buffering and processing the packets):

Pre-Attack

You can capture from 1 to 255 packets before an attack is triggered. This is accomplished by buffering all packets for the session up to the number of packets logged for the pre-attack limit for that particular rule.

Post-Attack

You can log from 0 to 255 packets after an attack occurs. Note that if the attack triggers a drop or close connection, there might not be any more packets in the attack.

Post-Attack-Timeout

When an attack is triggered, the SRX might not know how many packets will follow the attack (e.g., if you configure 20 packets to be logged after the attack, the SRX will not send the PCAP until it has all 20 packets). To ensure that the SRX does not hold on to the packets indefinitely, you configure a Post-Attack-Timeout to define how long the SRX should wait while holding on to the packets before sending them out.

Configuring packet logging in the STRM

To configure packet logging in the STRM, you need to be running a 2012 or later version of the STRM software. The configuration is quite simple in the STRM interface; you merely need to add the SRX device with packet capture enabled and respectively set this configuration on the SRX itself. Once the STRM is configured for the SRX, you can view the attack objects in log entries that contain it.

1. Go to the Admin tab, and in the Data Source section, click Log Sources.

2. Specify a name and IP address.

3. For the Log Source Type, select Juniper SRX.

4. For the Protocol, you must select PCAP Syslog Combination.

5. Specify the Log Source Identifier (can be an IP address).

6. Specify the port that the STRM should be listening for this traffic on.

On the SRX itself, you would configure the PCAP settings to point to the STRM under the IDP sensor configuration. For instance, if our STRM is listening on 192.168.1.20 on port 5000, and the SRX should send traffic from 192.168.1.1, then our configuration would look like this:

[edit]
root@srx3600n0# set security idp sensor-configuration packet-log host 192.168.1.20 port 5000

 [edit]
root@srx3600n0# set security idp sensor-configuration packet-log source-address 192.168.1.1

[edit]
root@srx3600n0# show security idp sensor-configuration
packet-log {
    source-address 192.168.1.1;
    host {
        192.168.1.20;
        port 5000;
    }
}

Then IPS PCAP is enabled on an IDP rule-by-rule basis in the action criteria.

[edit]
root@srx3600n0# set security idp idp-policy IDP rulebase-ips rule 1 then notification packet-log ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  post-attack          No of packets to capture after attack (0..255)
  post-attack-timeout  Timeout (seconds) after attack before stopping packet capture (0..1800)
  pre-attack           No of packets to capture before attack (1..255)
  |                    Pipe through a command

Figure 13-9 shows the STRM interface, which allows you to view and download the PCAPs collected from the SRX IPS function.

Figure 13-9. Viewing IPS PCAP data in the STRM

Terminal Match is somewhat of a legacy feature that arose from the earlier days of the standalone IDP to make it function similar to a firewall. By default, for IPS processing (both standalone IDP and SRX), even after a match is made for an attack, the rulebase continues to process that traffic to see if any other rules match. The IPS will always take the most stringent action (e.g., drop connection if a rule with Drop-Connection and No-Action is matched), but some customers might want to restrict this even further. By enabling Terminal Match, the IPS rulebase acts more like a firewall, in that once it finds a rule that matches the to-/from-zones, source IP, destination IP, and application, it will do whatever that rule says if the attack is detected; if not, it will not process that traffic any further. Generally, you should not use Terminal Match, especially with No-Action rules, because it can cause you to overlook potentially malicious traffic. Use this feature with caution unless you really know what you’re doing.

The attack database contains all of the attack objects (both signature- and protocol anomaly-based) and is provided by the Juniper Security Team. New updates are typically posted daily, although sometimes there might not be a new exploit (which isn’t already covered by existing signatures). When the attack database is downloaded, it contains the full attack database in a compressed form. If the attack database is downloaded directly to the SRX, it is stored in /var/db/idpd/sec-download for staging. If it is downloaded from the NSM, it is stored in /var/db/idpd/nsm-download. The /var/db/idpd/sec-repository folder contains the attack, groups, applications, and detector engine files.

You can perform two types of updates for attack objects.

A standard update downloads the complete attack database to the SRX. You can automate this process so that it occurs at predefined intervals, or you can manually trigger it at your leisure.

Full updates include both the attack database and the latest detector engine. Typically, detector engine updates are released once per quarter, and attack databases are released daily (if there are updates to attack objects). Detector engine updates will provide bug fixes for the detector engine, new inspection capabilities, and new support for different application decoding.

Application objects are used by the AppSecure features along with IPS. Per Chapter 12, you can either download these objects by themselves or as part of the IPS download package. Starting in Junos 11.4, the application objects are not stored in the SRX configuration file, but rather their own database similar to how the IPS stores its attack objects.

The detector engine is a module run by the IPS process on the SRX to execute protocol anomaly protection as well as signature-based pattern matching. Detector engine updates are released quarterly, and provide new protocol decoding capabilities, enhancements to protocol anomaly protection, and bug fixes. The detector engine is not installed by default with a signature update; rather, you must trigger a manual “full update” to download the detector engine and install it. The SRX allows for two detector engines to be installed concurrently when an update is applied so that all new sessions use the new detector engine, whereas the old sessions will still be processed by the previous detector engine. When all sessions from the old detector engine are closed, the original detector engine is removed. The installation of the new detector engine does not have any performance impact because of this graceful installation process. Just like the signature updates, you can sign up for notifications when new detector engines are available. The notifications also include release notes that detail all of the new features, addressed issues, and known limitations for that detector engine.

To assist administrators with new IPS installations, Juniper provides several different predefined policies that administrators can download and install. Although these are helpful to understand the basic mechanics of the IPS policies, every environment is going to be different, with different applications and different administrative goals. Best practice therefore recommends creating a customized policy for true enforcement.

The good news is that this chapter details how to deploy and tune an IPS policy effectively, minimizing false positives and providing real security. But in the meantime, you might want to take a look at the policy templates for examples. The policy templates are updated informally by the Juniper Security Team, so you need to check the version numbers for new policy templates.

Updates can be scheduled to automatically download and optionally install attack object updates, which include application object updates. When attack updates are scheduled, you can define the interval and schedule for when they should be downloaded, along with whether the SRX should install the new version. Of course, if you are using a central management system such as NSM or Junos Space, you can also trigger installations automatically from there.

A static attack group is essentially a group to which you manually add attack objects and groups (both predefined and custom) that will not add members during attack updates. If attack objects are modified as part of an attack update, they are updated in the group; if they are deleted, they are removed from the group. No new attack objects are added to this group, however. Static groups are very useful if you want strict control over adding new attacks into attack groups during signature updates to ensure that you don’t cause unexpected results with new attack objects. The only things you need to define for static groups are the members that are added to this group.

Dynamic attack groups provide administrators with a powerful ability to adjust to new threats when new attack objects are downloaded from Juniper. Whereas static attack groups allow you to create groups that don’t automatically change with signature attack updates, dynamic attack groups do change. And they have very intelligent controls for defining what should be added or removed with attack updates. Dynamic attack groups use filters to define the attributes of attack objects that would select them to be implemented in the group. Additionally, you can override members in the groups to exclude them if need be.

You can use filter categories to select the attacks for the group. When you define multiple filters, they essentially form a logical AND between filters. For instance, if you define Category=HTTP and Severity=Critical, only attacks that are of that category and severity are present in this group. When new attacks are downloaded, if they fit this criteria they are added to the group. Here’s more detail on filter fields you can dial:

The key here is that attack objects can have multiple members (known as complex attack objects). If you have an attack object with just one member, the direction is very simple: it’s whatever direction the attack object specifies. But what about when you have an object with multiple members that have different directions (e.g., Member 1 is client-to-server and Member 2 is server-to-client)? In these cases, we support the use of an “Expression” that specifies if the SRX should apply AND logic or the default OR logic when it comes to selecting the direction for attacks. We’ll explore this a bit more later in the chapter.

Our first example shows the basic configuration and download of attack objects and how to install them prior to actually configuring a security policy. The steps in this example are as follows:

root@srx3600n0> show security idp security-package-version
  Attack database version:2229(Thu Feb 04 00:23:03 2013 UTC)
  Detector version :12.6.140121210
  Policy template version :N/A

root@srx3600n0> request security idp security-package download
Will be processed in async mode. Check the status using the status checking CLI

root@srx3600n0> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2230(Mon Feb  4 19:40:12 2013 UTC, Detector=12.6.140121210)

root@srx3600n0> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

root@srx3600n0> request security idp security-package install status
In progress:Installing AI ...

root@srx3600n0> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)

root@srx3600n0> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb  4 19:40:12 2013 UTC,Detector=12.6.140121210]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : sucessful

It’s important to understand that compiling and applying an IPS policy can take some time, depending on the number of attack objects and the size of the policy. Starting with Junos 12.1, the SRX leverages a smarter compilation engine along with caching compiled information so that the compilation process takes much less time. The compilation process is conducted asynchronously, meaning that the SRX will start the process but it won’t hold up your CLI, web, or SD session, but instead will allow you to check back later on the status.

{primary:node1}
root@SRX100HM> request security idp security-package download status
node1:
------------------------------------------------------------------
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi)
and synchronized to backup.
Version info:2233(Thu Feb 14 00:23:07 2013 UTC, Detector=12.6.160121210)

Although updating the SRX manually is a powerful way to inspect the new signatures before actually deploying them, it does require much more administrative dedication to keep signatures updated. You can configure the SRX to automatically update itself at an interval of your choosing to ensure that the SRX has up-to-date signatures without administrative intervention. This example demonstrates how to configure this functionality with the following objectives.

Enable automatic downloads to start May 7 at midnight, and attempt to download every 24 hours if there is an update. If the update stalls for more than five minutes, after a new version has been downloaded the SRX should install it.

{primary:node0}[edit]
root@SRX5800-1# edit security idp security-package

{primary:node0}[edit security idp security-package]
root@SRX5800-1# set install automatic start-time 05-07.00:00 interval 24 enable

Junos Space also offers another good option for graphically viewing and operating the download process (see Figure 13-10). You can download the attack objects locally to Space and then push them out to the firewalls (including firewalls that don’t have Internet connections). You can also schedule updates for download and installation through Space along with seeing what contents of the attack download have changed.

Figure 13-10. Junos Space and IPS signature downloads and updates

At the time of this writing, Juniper was still enhancing the CLI and J-Web to make them more usable for viewing predefined IPS objects (attacks, groups, applications, etc.). The exception is NSM, which has these laid out nicely in a table. Until then, all of the information is available on the SRX. You just need to know where to look.

At the time of writing this book, the best way to view the IPS attack objects is really through Security Design, which has a very nice interface for viewing the objects. On box you can leverage the show security idp attack detail <attack-name> command to view the contents of an individual attack, but it does not provide the complete information today. If you are working with an on-box implementation, it is really best to drop down to the shell to view this information. Additionally, you can view the object information on the Juniper Security Portal. Let’s take a look at what you can do on box and in Junos Space.

root@srx3600n0> show security idp attack detail HTTP:XSS:NAGIOS-XI-ALERT-CLOUD
Display Name: HTTP: Nagios XI Alert Cloud Cross-Site Scripting
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: chain
False Positives: unknown
Service: HTTP

This command can be used to get a high-level output of the command. If you need more information like patterns and you are operating on box then you can drop down to the command line and view the output in the SignatureUpdate.xml file.

root@srx3600n0> file show /var/db/idpd/sec-download/SignatureUpdate.xml
/NAGIOS
        <Name>HTTP:XSS:NAGIOS-XI-ALERT-CLOUD</Name>
        <DisplayName>HTTP: Nagios XI Alert Cloud Cross-Site Scripting</DisplayName>
        <Severity>Major</Severity>
        <Category>HTTP</Category>
        <Keywords>Alert Cloud Cross-Site Nagios Scripting XI</Keywords>
        <Recommended>true</Recommended>
        <RecommendedAction>Drop</RecommendedAction>
        <Description>This signature detects attempts to exploit a cross-site scripting vulnerability in the Nagios XI Alert Cloud. An attacker can leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site</Description>
        <Tags>
          <Tag>
            <Name>severity</Name>
            <Value>Major</Value>
          </Tag>
          <Tag>
            <Name>itw</Name>
          </Tag>
          <Tag>
            <Name>category</Name>
            <Value>HTTP</Value>
          </Tag>
        </Tags>
        <Attacks>
          <Attack>
            <Type>chain</Type>
            <ExportID>1</ExportID>
            <FalsePositives>unknown</FalsePositives>
            <Performance>0</Performance>
            <Service>HTTP</Service>
            <Scope>transaction</Scope>
            <TimeBinding>
              <Scope>none</Scope>
              <Count>1</Count>
            </TimeBinding>
            <Order>no</Order>
            <Reset>no</Reset>
            <Hidden>false</Hidden>
            <Members>
              <Attack>
                <Member>m01</Member>
                <Type>Signature</Type>
                <Direction>CTS</Direction>
                <Flow>control</Flow>
                <Shellcode>no</Shellcode>
                <Context>http-url-parsed</Context>
                <Negate>false</Negate>
                <Pattern><![CDATA[.*\[/nagiosxi/includes/components/alertcloud/index\.php\]]]></Pattern>
                <Regex/>
              </Attack>
              <Attack>
                <Member>m02</Member>
                <Type>Signature</Type>
                <Direction>CTS</Direction>
                <Flow>control</Flow>
                <Shellcode>no</Shellcode>
                <Context>http-variable-parsed</Context>
                <Negate>false</Negate>
                <Pattern><![CDATA[.*=.*}.*]]></Pattern>
                <Regex/>
              </Attack>
            </Members>
            <Versions>
              <Version>idp-srx11.4</Version>
            </Versions>
          </Attack>
        </Attacks>
        <Direction>
          <Value>CTS</Value>
        </Direction>
        <FalsePositives>
          <Value>unknown</Value>
        </FalsePositives>
        <Performance>
          <Value>0</Value>
        </Performance>
        <Service>
          <Value>HTTP</Value>
        </Service>
        <Type>
          <Value>Signature</Value>
        </Type>
      </Entry>
      <Entry>

In terms of viewing the parameters that make up a group and the members of the group if you are doing this on device, your best bet is also to use the command line.

root@srx3600n0> file show /var/db/idpd/sec-download/groups.xml
/HTTP - Major
      <Name>HTTP - Major</Name>
      <Type>dynamic</Type>
      <Filters>
        <Filter>
          <Field>Category</Field>
          <Values>
            <Value>HTTP</Value>
          </Values>
        </Filter>
        <Filter>
          <Expression>And</Expression>
          <Field>Direction</Field>
          <Values>
            <Value>cts</Value>
            <Value>!stc</Value>
            <Value>!any</Value>
          </Values>
        </Filter>
        <Filter>
          <Field>Performance</Field>
          <Values>
            <Value>0</Value>
            <Value>1</Value>
            <Value>5</Value>
          </Values>
        </Filter>
        <Filter>
          <Field>Severity</Field>
          <Values>
            <Value>Major</Value>
          </Values>
        </Filter>
      </Filters>
    </Group>
    <Group>

In the preceding output, we can see the makeout of the HTTP – Major group. We can see the filters that are being applied, and what’s important here is that we can use the same filters ourselves in our policy. The filters include the Severity=Major, Direction is “Client to Server” AND “Not Server to Client” AND “NOT Any” (which we explain in the dynamic group direction filter; this essentially means any attack object with members only in the client-to-server direction, none in the server-to-client direction, and none in the Any direction), and finally the Performance is anything that is 0/1/5, which corresponds to anything that isn’t slow.

Finally, let’s look at how to determine what members are resolved from dynamic and static groups. The easiest way is to look in the compiled policy itself. So, in this case, our Policy is called Recommended, and we want to see the contents of the Recommended-All Group.

root@srx3600n0> show configuration security idp dynamic-attack-group Recommended-All
filters {
    direction {
        values [ client-to-server exclude-any exclude-server-to-client ];
    }
    recommended;
}

root@srx3600n0> file show /var/db/idpd/sets/Recommended.set
/Recommended-All
        :Recommended-All (Recommended-All
                 :type (group)
                 :group (
                         :members (
                                 : ("APP:ADOBE-CF-DIR-TRAV")
                                 : ("APP:AGENTX-RECEIVE-INT-OF")
                                 : ("APP:AGENTX-RECEIVE-OF")
                                 : ("APP:AVAYA-CCRWEBCLIENT-RCE")
                                 : ("APP:BULLETPROOF-FTP-BPS-BOF")
                                 : ("APP:CA:ARCSRV:GWT-INFO-DISC")
                                 : ("APP:CA:ARCSRV:RPC-TAPE-ENG")
                                 : ("APP:CHKPOINT-FW-INFO-DISC")
                                 : ("APP:CISCO:CNS-NETWORK-DOS")
                                 : ("APP:CISCO:REGISTRAR-AUTH-BYPASS")
                                 : ("APP:CITRIX:AG-CMD-INJ")
                                 : ("APP:CITRIX:META-IMA-AUTH")
                                 : ("APP:CITRIX:PROVISIONING-OPCODE")
                                 : ("APP:CITRIX:PROVISIONINGSERV-)
##Output Abridged##

Figures 13-11 and 13-12 are screenshots of the Junos Space Security Design interface, which is a much better interface for navigating objects, group membership, and so forth if you have access to it.

Figure 13-11. Viewing IPS attack objects in Junos Space

Figure 13-12. Viewing an individual attack object’s contents in Junos Space

Unless you are going to use predefined attack groups, or the attack objects themselves, you should find yourself configuring static and dynamic attack groups prior to defining the policies. Defining these groups is quite simple, especially when you are familiar with the predefined attack object groups and attacks. This example shows how to configure the following groups:

{primary:node0}[edit]
root@SRX5800-1# edit security idp custom-attack-group Aurora

{primary:node0}[edit security idp custom-attack Aurora]
root@SRX5800-1#set group-members [ HTTP:STC:SCRIPT:UNI-SHELLCODEHTTP:STC:SCRIPT:FUNC-REASSIGN ]

{primary:node0}[edit security idp custom-attack Aurora]
root@SRX5800-1# show
group-members [ HTTP:STC:SCRIPT:UNI-SHELLCODE HTTP:STC:SCRIPT:FUNC-REASSIGN ];

{primary:node0}[edit security idp custom-attack-group Aurora]
root@SRX5800-1# up

{primary:node0}[edit security idp]
root@SRX5800-1# edit custom-attack-group Protect-FTP

{primary:node0}[edit security idp custom-attack-group Protect-FTP]
root@SRX5800-1# set group-members [ "FTP - Critical" "FTP - Major""FTP - Minor" ]

{primary:node0}[edit security idp custom-attack-group Protect-FTP]
root@SRX5800-1# show
group-members [ "FTP - Critical" "FTP - Major" "FTP - Minor" ];

{primary:node0}[edit security idp custom-attack-group Protect-FTP]
root@SRX5800-1# up

{primary:node0}[edit security idp]
root@SRX5800-1# edit dynamic-attack-group Malicious-Activity

{primary:node0}[edit security idp dynamic-attack-group Malicious-Activity]
root@SRX5800-1# set filters severity values [ critical major minor ]

{primary:node0}[edit security idp dynamic-attack-group Malicious-Activity]
root@SRX5800-1# set category values [ SHELLCODE VIRUS WORMS SPYWARE TROJAN]

{primary:node0}[edit security idp dynamic-attack-group Malicious-Activity]
root@SRX5800-1# show
filters {
  severity {
    values [ critical major minor ];
  }
  category {
    values [ SHELLCODE VIRUS WORMS SPYWARE TROJAN ];
  }
}

{primary:node0}[edit security idp dynamic-attack-group Malicious-Activity]
root@SRX5800-1# up

{primary:node0}[edit security idp]
root@SRX5800-1# edit dynamic-attack-group Protect-Internal-Clients

{primary:node0}[edit security idp dynamic-attack-group Protect-Internal-Clients]
root@SRX5800-1# set filters direction values server-to-client

{primary:node0}[edit security idp dynamic-attack-group Protect-Internal-Clients]
root@SRX5800-1# set filters severity values [ critical major minor ]

{primary:node0}[edit security idp dynamic-attack-group Protect-Internal-Clients]
root@SRX5800-1# show
filters {
  direction {
    values server-to-client;
  }
  severity {
    values [ critical major minor ];
  }
}

{primary:node0}[edit security idp dynamic-attack-group Protect-Internal-Clients]
root@SRX5800-1# top

{primary:node0}[edit]
root@SRX5800-1# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

The one significant thing to note in this example is regarding the “direction” value of our Protect-Internal-Clients group. We defined this as server-to-client, but this will contain members with both server-to-client and client-to-server/any directions because we didn’t leverage the AND logic to limit it to only server-to-client members.

Before you can actually perform any inspection, you must define an IPS rulebase, apply it as the active IPS policy (at this time only one IPS policy can be active at a time), and reference this policy in the SRX security policy (firewall) rulebase. Although you could use a predefined policy template for your rulebase, you are going to create your own, because it’s much more fun.

In this example, you will do the following:

{primary:node0}[edit]
root@SRX5800-1# edit security idp idp-policy Protect-Everything rulebase-ips

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Static-Groups match from-zone untrust to-zone trustsource-address any destination-address any application default attacks custom-attack-groups [ Aurora Protect-FTP ]

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Static-Groups then action drop-connection

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Static-Groups then notification log-attacks

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# show
rule Static-Groups {
  match {
    from-zone untrust;
    source-address any;
    to-zone trust;
    destination-address any;
    application default;
    attacks {
      custom-attack-groups [ Aurora Protect-FTP ];
    }
  }
  then {
    action {
      drop-connection;
    }
    notification {
      log-attacks;
    }
  }
}

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Dynamic-Groups match from-zone untrust to-zone trustsource-address any destination-address any application default attacks dynamic-attack-groups [ Malicious-Activity Protect-Internal-Clients ]

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Dynamic-Groups then action close-client-and-server

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Dynamic-Groups then ip-action ip-block log target source-address timeout 120

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# set rule Dynamic-Groups then notification log-attacks

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# show rule Dynamic-Groups
match {
  from-zone untrust;
  source-address any;
  to-zone trust;
  destination-address any;
  application default;
  attacks {
    dynamic-attack-groups [ Malicious-Activity Protect-Internal-Clients ];
  }
}
then {
  action {
    close-client-and-server;
  }
  ip-action {
    ip-block;
    target source-address;
    log;
    timeout 120;
  }
  notification {
    log-attacks;
  }
}

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-ips]
root@SRX5800-1# up 2

{primary:node0}[edit security idp]
root@SRX5800-1# set active-policy Protect-Everything


{primary:node0}[edit security idp]
root@SRX5800-1# show active-policy
active-policy Protect-Everything;

{primary:node0}[edit security idp]
root@SRX5800-1# top

{primary:node0}[edit]
root@SRX5800-1# edit security policies from-zone untrust to-zone trust

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# set policy Inspect-IPS match source-address any destination-address any application any

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# set policy Inspect-IPS then permit application-services idp

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# set policy Inspect-IPS then log session-close

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# show
policy Inspect-IPS {
  match {
    source-address any;
    destination-address any;
    application any;
  }
  then {
    permit {
      application-services {
        idp;
      }
    }
    log {
      session-close;
    }
  }
}

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# top

{primary:node0}[edit]
root@SRX5800-1# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

A lot is going on in this example. You have configured your IPS policy and rules, and configured the IPS to assign the active policy and associated firewall rules to send traffic to the IPS engine. Without these steps, the traffic would never be sent to the IPS. One important thing to note is that when you apply this in your environment, it might take some time to compile and apply the IPS policy. It all happens automatically, and no traffic will be disrupted. The best thing to do is to check the output of the show security idp status command to see if your active policy (in our case, Protect-Everything) has been applied and is active.

Even with the best of intentions, you might find yourself in an IPS scenario where you have unexpectedly blocked legitimate traffic. For instance, if you are running protocol anomaly protection and you have mistaken some nonstandard application behavior that is not really malicious as an attack, it will be dropped according to your policy. To help make a clean IPS rulebase, with simple yet granular overrides, Juniper employs the Exempt rulebase to ensure that we can easily ignore certain scenarios, and at the same time not ignore inspection for the entire connection. In this example, you’ll handle the following scenario.

After applying the IPS policy in the last example, some users are complaining that they are not able to access the web server. It turns out that their machines are infected with the FunWebProducts spyware, which adds a toolbar in Internet Explorer applications. It is more of a nuisance than actual malicious software, so you don’t want to block your customers from accessing your web server at 172.31.100.60. Create an Exempt policy to not block this attack from the Internet to the 172.31.100.60 web server with the FunWebProducts attack object.

{primary:node0}[edit]
root@SRX5800-1# set security zones security-zone trust address-book address Web-Server-172.31.100.60/32 172.31.100.60/32

{primary:node0}[edit security zones security-zone trust address-book]
root@SRX5800-1# show
address Web-Server-172.31.100.60/32 172.31.100.60/32;

{primary:node0}[edit]
root@SRX5800-1# edit security idp idp-policy Protect-Everything rulebase-exempt

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-exempt]
root@SRX5800-1# set rule FunWebProducts match from-zone untrust to-zone trust source-address any destination-address Web-Server-172.31.100.60/32 attacks predefined-attacks SPYWARE:BH:FUNWEBPRODUCTS

{primary:node0}[edit security idp idp-policy Protect-Everything rulebase-exempt]
root@SRX5800-1# show
rule FunWebProducts {
  match {
    from-zone untrust;
    source-address any;
    to-zone trust;
    destination-address Web-Server-172.31.100.60/32;
    attacks {
      predefined-attacks SPYWARE:BH:FUNWEBPRODUCTS;
    }
  }
}

{primary:node0}[edit security policies from-zone untrust to-zone trust]
root@SRX5800-1# top

{primary:node0}[edit]
root@SRX5800-1# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

[edit]
root@srx3600n0# set security idp sensor-configuration detector protocol-name http tunable-name sc_http_compress_inflating tunable-value 1

[edit]
root@srx3600n0# set security idp sensor-configuration detector protocol-name http tunable-name sc_http_c2s_file_decode tunable-value 1

[edit]
root@srx3600n0# set security idp sensor-configuration detector protocol-name http tunable-name sc_http_s2c_file_decode tunable-value 1

[edit]
root@srx3600n0# show security idp sensor-configuration
detector {
    protocol-name HTTP {
        tunable-name sc_http_compress_inflating {
            tunable-value 1;
        }
        tunable-name sc_http_c2s_file_decode {
            tunable-value 1;
        }
        tunable-name sc_http_s2c_file_decode {
            tunable-value 1;
        }
        tunable-name sc_http_html_parse_opt {
            tunable-value 1;
        }
        tunable-name sc_http_max_request_parameters {
            tunable-value 1000;
        }
        tunable-name sc_http_skip_contents_1 {
            tunable-value 1024;
        }

You do have the option of deploying interfaces in sniffer mode rather than a full-blown inline mode (see Figure 13-13). You can do this as part of an initial deployment or on a more permanent basis. This configuration can be leveraged on an interface-by-interface basis so you don’t need to choose all or nothing. Unfortunately, you do have to jump through a few hoops to pull off sniffer mode on the SRX today, at the time of writing this book. Essentially, you put the desired interface into sniffer mode, with that interface in its own VR zone so that you can manipulate the traffic to go back out of that interface. Because the traffic will be off a mirror port or network tap you will need to hardcode the route and static ARP of the next hop so the system doesn’t try to resolve it. It will take a few steps, but once it’s up and running you should be good to go.

Figure 13-13. SRX sniffer mode

Let’s configure an example where we put interface ge-0/0/0 into promiscuous mode in a VR called Sniffer, a Zone called Sniffer. Be sure to create a default route to next hop 192.168.1.254, which is on the same interface with a fake static ARP entry as well.

##Config Interface
[edit]
root@srx3600n0# set interfaces ge-0/0/0 promiscuous-mode

[edit]
root@srx3600n0# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24 arp 192.168.1.254 mac 00:00:01:01:01:01

##Config Custom VR
[edit]
root@srx3600n0# set routing-instances Sniffer instance-type virtual-router

[edit]
root@srx3600n0# set routing-instances Sniffer interface ge-0/0/0.0

[edit]
root@srx3600n0# set routing-instances Sniffer routing-options static route 0.0.0.0/0 next-hop 192.168.1.254

##Zone Config
[edit]
root@srx3600n0# set security zones security-zone Sniffer interfaces ge-0/0/0.0

##Define Policy

[edit]
root@srx3600n0# set security policies from-zone Sniffer to-zone Sniffer policy 1 match source-address any destination-address any application any

[edit]
root@srx3600n0# set security policies from-zone Sniffer to-zone Sniffer policy 1 then permit application-services idp

[edit]
root@srx3600n0# set security policies from-zone Sniffer to-zone Sniffer policy 1 then log session-close

Looking at this example, there are a few things that we need to call out. First, besides putting the physical interface in its own VR zone and creating the policy that references IPS, the interesting thing is the use of the static route that points back out the same interface. Of course, because the traffic is off a mirrored SPAN port, the traffic will never be received back on the real network, but this tricks the SRX into completing the data path processing by sending it back out. We need to also make a fake ARP entry because the SRX will not be able to resolve the next hop because this is a mirrored segment, and without the ARP entry the SRX will not be able to forward the traffic.

Technically, you can also accomplish this with Level 2 mode (without the need for promiscuous mode as that’s for Level 3 mode only). In Level 2 mode, the SRX will forward the traffic similar to a switch so it doesn’t care about the destination MAC or IP address of the packet so long as the switching table has a MAC address for the destination frame.

Starting in Junos 12.1, the SRX gives you support in the Junos command line to clear the download files and the cache files on the filesystem. Prior to this version, you would need to drop to the OS shell and simply remove the files. We show both methods here. With Junos 12.1+, there is support for deleting the download and cache files.

{primary:node1}
root@SRX100HM> request security idp storage-cleanup downloaded-files
node0:
--------------------------------------------------------------------------
Successfully deleted downloaded secdb files

node1:
--------------------------------------------------------------------------
Successfully deleted downloaded secdb files

{primary:node1}
root@SRX100HM> request security idp storage-cleanup cache-files
node0:
--------------------------------------------------------------------------
Successfully deleted cache files

node1:
--------------------------------------------------------------------------
Successfully deleted cache files

Prior to Junos 12.1, you could do this manually.

{primary:node1}
root@SRX100HM> start shell
root@SRX100HM% rm -rf /var/db/idpd/sec-download/*
root@SRX100HM% rm -rf /var/db/idpd/db/*
root@SRX100HM% cli
{primary:node1}
root@SRX100HM> restart idp-policy
IDP policy daemon started, pid 48044