Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »







code
Lab7 IPS:



SD: Device / Device Discovery 



SD: Configure / IPS Policy / Templates  workspace.


Create/Modify the IPS/IDP Policy:
SD: Configure / IPS Policy / Policies  workspace.
>> remove rule
>> modify a rule ( Add signature )
>> Assign a device
>> Update the vSRX1


!!!! IDP policy name is different SD Vs SRX:
SRX: show security idp policies
SRX: show configuration security idp idp-policy Space-IPS-Policy | display set


Create/Apply the IPS/IDP policy in the SD: Firewall Policy / SRX: Security Policy
SD: Configure / Firewall Policy / Policies  workspace.
>> create policy
>> add Rules to this Policy

SD: Monitor / IDP / Attacks 
>> show all attacks, description

SRX: show configuration security policies
SRX: show security policies 

show security idp attack table
show security idp attack detail FTP:USER:ROOT

show security idp counters action
show security idp counters ips 
show security idp counters packets
show security idp counters flow

show log messages | match IDP_ATTACK 

Part 6:
Modify IPS Policy
SD: Configure / IPS Policy / Policies  workspace.
>> Select the Policy
>> Create exception rule



[edit security idp]
lab@vSRX-1# show | display set    
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 description "This rule is designed to protect your networks against important TCP/IP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 description "This rule is designed to protect your network against  important ICMP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 match attacks predefined-attack-groups "[Recommended]ICMP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 match attacks predefined-attack-groups "[Recommended]ICMP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 description "This rule is designed to protect your network against  important HTTP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 description "This rule is designed to protect your network against  important DNS attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 description "This rule is designed to protect your network against  important FTP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attacks FTP:PASSWORD:PLUS
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 description "This rule is designed to protect your network against common internet malware."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 then notification log-attacks

set security idp idp-policy Space-IPS-Policy rulebase-exempt rule IPS-Pol-1-1 description vsrx_pol
set security idp idp-policy Space-IPS-Policy rulebase-exempt rule IPS-Pol-1-1 match attacks predefined-attacks FTP:PASSWORD:PLUS
set security idp active-policy Space-IPS-Policy


lab@vSRX-1> show configuration security policies | display set 
set security policies global policy IPS-PW match source-address any
set security policies global policy IPS-PW match destination-address any
set security policies global policy IPS-PW match application any
set security policies global policy IPS-PW then permit application-services idp



Part 7:

SRX: monitor start messages | match IDP_ATTACK


On the client:
sudo /usr/sbin/tcpdump -i eth1 port 21 -nnvvXX | egrep “root|denied”
sudo usr/bin/tcpdump -i eth1 tcp port 21 -X









  • No labels