AJSEC Lab7 IPS Rulebase
- Jean-luc KRIKER
Lab7 IPS

Device discovery and templates:
SD: Device / Device Discovery
SD: Configure / IPS Policy / Templates workspace

Create/Modify the IPS/IDP Policy:
SD: Configure / IPS Policy / Policies workspace
  >> remove rule
  >> modify a rule (Add signature)
  >> Assign a device
  >> Update the vSRX1

!!!! The IDP policy name differs between SD and the SRX: SD pushes the policy to the device under its own name (here Space-IPS-Policy), so check the name actually committed on the SRX before referencing it:
  SRX: show security idp policies
  SRX: show configuration security idp idp-policy Space-IPS-Policy | display set

Create/Apply the IPS/IDP policy in a firewall policy (SD: Firewall Policy, SRX: Security Policy):
SD: Configure / Firewall Policy / Policies workspace
  >> create policy
  >> add Rules to this Policy

Attack database:
SD: Monitor / IDP / Attacks >> show all attacks, description

Verify on the SRX:
  show configuration security policies
  show security policies
  show security idp attack table
  show security idp attack detail FTP:USER:ROOT
  show security idp counters action
  show security idp counters ips
  show security idp counters packets
  show security idp counters flow
  show log messages | match IDP_ATTACK

Part 6: Modify IPS Policy
SD: Configure / IPS Policy / Policies workspace
  >> Select the Policy
  >> Create exception rule

Resulting configuration on the SRX (gaps in the Recommended-N numbering correspond to rules removed in SD):

[edit security idp]
lab@vSRX-1# show | display set
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 description "This rule is designed to protect your networks against important TCP/IP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]IP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 match attacks predefined-attack-groups "[Recommended]TCP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-1 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 description "This rule is designed to protect your network against important ICMP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 match attacks predefined-attack-groups "[Recommended]ICMP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 match attacks predefined-attack-groups "[Recommended]ICMP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-2 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 description "This rule is designed to protect your network against important HTTP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 match attacks predefined-attack-groups "[Recommended]HTTP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-3 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 description "This rule is designed to protect your network against important DNS attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 match attacks predefined-attack-groups "[Recommended]DNS - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-5 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 description "This rule is designed to protect your network against important FTP attacks."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attacks FTP:PASSWORD:PLUS
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 match attacks predefined-attack-groups "[Recommended]FTP - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-6 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 description "This rule is designed to protect your network against common internet malware."
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]TROJAN - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]VIRUS - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Critical"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Major"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 match attacks predefined-attack-groups "[Recommended]WORM - Minor"
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-9 then notification log-attacks
set security idp idp-policy Space-IPS-Policy rulebase-exempt rule IPS-Pol-1-1 description vsrx_pol
set security idp idp-policy Space-IPS-Policy rulebase-exempt rule IPS-Pol-1-1 match attacks predefined-attacks FTP:PASSWORD:PLUS
set security idp active-policy Space-IPS-Policy

Note on the exception rule: IPS-Pol-1-1 sets no source-address or destination-address match, so FTP:PASSWORD:PLUS is exempted for every flow inspected by this policy, not just for the lab FTP server. Exempted attacks are neither acted on nor logged, which is why the exception should be scoped to the hosts that need it and re-checked against the logs before committing.

The firewall policy that hands traffic to IDP (a lab catch-all: any source, any destination, any application):

lab@vSRX-1> show configuration security policies | display set
set security policies global policy IPS-PW match source-address any
set security policies global policy IPS-PW match destination-address any
set security policies global policy IPS-PW match application any
set security policies global policy IPS-PW then permit application-services idp

Part 7: Verify detection
SRX: monitor start messages | match IDP_ATTACK

On the client, capture the FTP control channel while logging in; the egrep narrows the output to the USER root command and any "denied" reply from the server, which shows whether the request reached the server or was dropped by the SRX:
  sudo /usr/sbin/tcpdump -i eth1 port 21 -nnvvXX | egrep "root|denied"
  sudo /usr/bin/tcpdump -i eth1 tcp port 21 -X
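Added example, not part of the lab notes: a small Python script that consumes the IDP_ATTACK_LOG_EVENT records the Part 7 monitor command surfaces, summarises which attacks fired with which action, and shows how many of the logged hits the Part 6 exception rule (IPS-Pol-1-1, FTP:PASSWORD:PLUS) would silence. The sample log lines are constructed in the shape of the SRX structured-syslog form (set system syslog ... structured-data); the addresses, ports, timestamps, enterprise OID and action values are invented, and the exact set and order of attributes varies by Junos release, so the parser keys on attribute names rather than positions.

```python
"""Summarise SRX IDP_ATTACK_LOG_EVENT records and estimate what an exempt rule would hide.

Added example for the AJSEC Lab7 notes; not Juniper or Security Director code.
"""
import re
from collections import Counter

# Constructed sample lines in the structured-syslog shape of RT_IDP events.
# Every value here is made up; only the attribute names follow the documented
# IDP_ATTACK_LOG_EVENT format. The RT_FLOW line is there to show non-IDP
# records are skipped.
SAMPLE_LOG = """\
<14>1 2024-03-05T09:12:01.412Z vSRX-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 epoch-time="1709629921" message-type="SIG" source-address="10.0.1.10" source-port="45212" destination-address="10.0.2.20" destination-port="21" protocol-name="TCP" service-name="SERVICE_FTP" application-name="FTP" rule-name="6" rulebase-name="IPS" policy-name="Space-IPS-Policy" export-id="0" repeat-count="0" action="DROP" threat-severity="HIGH" attack-name="FTP:USER:ROOT"]
<14>1 2024-03-05T09:12:03.009Z vSRX-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 epoch-time="1709629923" message-type="SIG" source-address="10.0.1.10" source-port="45213" destination-address="10.0.2.20" destination-port="21" protocol-name="TCP" service-name="SERVICE_FTP" application-name="FTP" rule-name="6" rulebase-name="IPS" policy-name="Space-IPS-Policy" export-id="0" repeat-count="0" action="NONE" threat-severity="LOW" attack-name="FTP:PASSWORD:PLUS"]
<14>1 2024-03-05T09:12:07.551Z vSRX-1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.0.1.10" source-port="45214" destination-address="10.0.2.20" destination-port="21"]
<14>1 2024-03-05T09:12:09.120Z vSRX-1 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.129 epoch-time="1709629929" message-type="SIG" source-address="10.0.1.11" source-port="51002" destination-address="10.0.2.20" destination-port="21" protocol-name="TCP" service-name="SERVICE_FTP" application-name="FTP" rule-name="6" rulebase-name="IPS" policy-name="Space-IPS-Policy" export-id="0" repeat-count="2" action="DROP" threat-severity="HIGH" attack-name="FTP:USER:ROOT"]
"""

# The structured-data block sits between the brackets after the event name.
EVENT_RE = re.compile(r'IDP_ATTACK_LOG_EVENT \[(?P<sd>[^\]]*)\]')
# name="value" pairs; the leading SD-ID (junos@...) has no '=' so it is ignored.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_idp_events(text):
    """Return one dict of attributes per IDP_ATTACK_LOG_EVENT line; other records are skipped."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.search(line)
        if not match:
            continue
        event = dict(KV_RE.findall(match.group('sd')))
        if 'attack-name' not in event:  # malformed or truncated record
            continue
        events.append(event)
    return events


def summarize(events):
    """Count hits per (attack-name, action). Log suppression collapses repeated
    identical attacks into one record with repeat-count, so each record stands
    for 1 + repeat-count hits."""
    counts = Counter()
    for event in events:
        key = (event['attack-name'], event.get('action', '?'))
        counts[key] += 1 + int(event.get('repeat-count', '0'))
    return counts


def exempt_impact(events, policy, exempt_attacks, source=None, destination=None):
    """Return the logged events an exempt rule for exempt_attacks under policy would
    have silenced. source/destination None means the rule matches any address,
    which is what IPS-Pol-1-1 in the lab does because it sets neither."""
    hidden = []
    for event in events:
        if event.get('policy-name') != policy or event['attack-name'] not in exempt_attacks:
            continue
        if source is not None and event.get('source-address') != source:
            continue
        if destination is not None and event.get('destination-address') != destination:
            continue
        hidden.append(event)
    return hidden


if __name__ == '__main__':
    evs = parse_idp_events(SAMPLE_LOG)
    for (name, action), n in sorted(summarize(evs).items()):
        print(f'{n:4d}  {action:5s} {name}')
    hidden = exempt_impact(evs, 'Space-IPS-Policy', {'FTP:PASSWORD:PLUS'})
    print(f'{len(hidden)} logged event(s) would be hidden by the IPS-Pol-1-1 exempt rule')
```

Feed it a file saved from `show log messages` (the device must be logging in structured-data format for the bracketed attributes to appear), then run exempt_impact with the source/destination you intend to put on the exception rule to confirm the exemption only covers the traffic you mean it to.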