IDP

From Juniper JSRX Wiki


IDP (intrusion detection and prevention), also referred to as IDS/IPS, is a set of signatures that look for known malicious or attack traffic traversing the device. IDP is only available on J/SRX devices with a valid IDP license.


Getting started with IDP

Licensing

Before you are able to do anything with IDP, you will need to make sure you have a license for it. Here is how to view your current licenses:

metacortex@KaelthasSunstrider> show system license
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  idp-sig                               0            1           0    2012-07-27 00:00:00 UTC

Licenses installed: 
  License identifier: JUNOS214457
  License version: 2
  Valid for device: JN10E7914ADE
  Features:
    idp-sig          - IDP Signature
      date-based, 2009-07-28 00:00:00 UTC - 2012-07-27 00:00:00 UTC

If Juniper's Customer Care department already has the serial number of your device tied to an IDP license, you can issue the following command to retrieve the license from Juniper's servers and install it:

metacortex@KaelthasSunstrider> request system license update

If you were given a plain-text license file by Customer Care, or you generated it yourself on Juniper's Support Site, you can use the following command and paste the license into the terminal:

metacortex@KaelthasSunstrider> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
<paste the plain-text in here>
^D
add license complete (no errors)

metacortex@KaelthasSunstrider>
  • NOTE: Make sure there is a blank line at the end of the license after you paste it in

Updating IDP

To update the IDP attack database to the latest full version, the device needs an active Internet connection (the package is fetched from Juniper's servers over HTTPS, as the status output below shows); then run the following commands:

metacortex@KaelthasSunstrider> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI

metacortex@KaelthasSunstrider> request security idp security-package download status         
In progress:downloading file ...libidp-detector.so.tgz.v

metacortex@KaelthasSunstrider> request security idp security-package download status    
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1591(Tue Jan 26 12:28:34 2010, Detector=10.2.140091104)

metacortex@KaelthasSunstrider> request security idp security-package install            
Will be processed in async mode. Check the status using the status checking CLI

metacortex@KaelthasSunstrider> request security idp security-package install status 
In progress:performing DB update for an xml (groups.xml)

metacortex@KaelthasSunstrider> request security idp security-package install status    
Done;Attack DB update : successful - [UpdateNumber=1591,ExportDate=Tue Jan 26 12:28:34 2010,Detector=10.2.140091104]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no existing running policy found.

When you update as seen above, the package is downloaded to /var/db/idpd/sec-repository before it is installed. If downloaded using NSM, it gets stored in /var/db/idpd/nsm-download.

Configuration

Sensor Specific

In the rare case that you need to tweak the inspection properties of the SRX, you can do so here. Be careful with some of these options, as modifying memory and queue sizes without knowing what you are doing can adversely affect IPS functionality.

[edit security idp sensor-configuration]
metacortex@KaelthasSunstrider# set ?
Possible completions:
> log                  IDP Log Configuration
> application-identification  Application identification
> flow                 Flow configuration
> re-assembler         Re-assembler configuration
> ips                  Ips configuration
> global               Global configuration
> detector             Detector Configuration
> ssl-inspection       SSL inspection

Inspection Mode

On the high-end SRX platforms you can change the IDP mode. There are three different modes:

  • Integrated Mode: Traffic is inspected by the firewall process; all traffic is processed before being sent out the egress interface. This can impact overall performance, as one process handles both tasks.
  • Dedicated Mode: Firewalling and IPS are handled by separate processes. Traffic is processed by the firewall process, then by the IDP process, and then handed back to the firewall process for egress processing. SPU resources can be weighted towards either firewall or IPS.
  • Inline Tap Mode: The same as Dedicated Mode, except that the firewall process does not wait for the IDP process to finish inspecting before forwarding traffic out the egress interface. This cannot stop single-packet attacks (the packet has already been forwarded) but can still stop attacks that span multiple packets, and it is faster than Dedicated Mode.

    Integrated Mode

    For Integrated Mode, just make sure there is nothing configured under security forwarding-process application-services maximize-idp-sessions, as Integrated Mode is the default:

    [edit]
    metacortex@KaelthasSunstrider# delete security forwarding-process application-services maximize-idp-sessions
    

    Dedicated Mode

    security {
        forwarding-process {
            application-services {
                maximize-idp-sessions {
                    weight {
                        equal;
                        firewall;
                        idp;
                    }
                }
            }
        }
    }
    
    set security forwarding-process application-services maximize-idp-sessions weight equal
    set security forwarding-process application-services maximize-idp-sessions weight firewall
    set security forwarding-process application-services maximize-idp-sessions weight idp
    
    • NOTE: You can only choose one option under weight. Equal distributes resources equally between firewall and IDP, firewall distributes resources 2/3rds to firewall and 1/3 to IDP, and idp distributes resources 2/3rds to IDP and 1/3 to firewall.

    Inline Tap Mode

    security {
        forwarding-process {
            application-services {
                maximize-idp-sessions {
                    inline-tap {
                        weight {
                            equal;
                            firewall;
                            idp;
                        }
                    }
                }
            }
        }
    }
    
    set security forwarding-process application-services maximize-idp-sessions inline-tap weight equal
    set security forwarding-process application-services maximize-idp-sessions inline-tap weight firewall
    set security forwarding-process application-services maximize-idp-sessions inline-tap weight idp
    
    • NOTE: You can only choose one option under weight. Equal distributes resources equally between firewall and IDP, firewall distributes resources 2/3rds to firewall and 1/3 to IDP, and idp distributes resources 2/3rds to IDP and 1/3 to firewall.


    Automatic Updates

    Updates to the attack database happen almost daily, and it is an administrative strain to log into each SRX every day, check for updates, download them, and install them. You can automate this process with the following config:

    security {
        idp {
            security-package {
                automatic {
                    start-time "2011-1-1.00:00:01 -0800";
                    interval 24;
                    download-timeout 10;
                    enable;
                }
            }
        }
    }
    
    set security idp security-package automatic start-time 2011-1-1.00:00:01
    set security idp security-package automatic interval 24
    set security idp security-package automatic download-timeout 10
    set security idp security-package automatic enable
    

    This config schedules the first automatic download for January 1st 2011 at 00:00:01 (the -0800 shown in the rendered config is the time-zone offset), checks for a new package every 24 hours (interval is in hours), and abandons a download that has not completed within 10 minutes (download-timeout is in minutes; it is not an idle delay before installation).

    Custom Attack Object

    There are two types of attack objects. The first is a Signature, composed of a single regex matched in one protocol context, and the second is a Chain, composed of several member signatures combined with a Boolean expression of ORs and ANDs.

    Signature

    Single-signature attack objects are straightforward. Here we will create a signature that detects Google+ traffic by matching the HTTP Host header; the \[...\] around the host name makes the match case-insensitive.

    security {
        idp {
            custom-attack Google+ {
                severity minor;
                attack-type {
                    signature {
                        context http-header-host;
                        pattern ".*\[plus\.google\.com\]";
                        direction client-to-server;
                    }
                }
            }
        }
    }
    
    set security idp custom-attack Google+ severity minor
    set security idp custom-attack Google+ attack-type signature context http-header-host
    set security idp custom-attack Google+ attack-type signature pattern ".*\[plus\.google\.com\]"
    set security idp custom-attack Google+ attack-type signature direction client-to-server
    

    Chain

    Chain signatures are a little more complex than their single-signature counterparts. Here we will set up an attack object that detects the downloading of files with various installer extensions by the FTP user anonymous.

    First we set up all of the member signatures that detect the file extensions:

    security {
        idp {
            custom-attack FTP-installers {
                attack-type {
                    chain {
                        member DEB {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[deb\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member RPM {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[rpm\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member EXE {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[exe\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member DMG {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[dmg\]";
                                    direction client-to-server;
                                }
                            }                       
                        }
                    }
                }
            }
        }
    }
    
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature pattern ".*\.\[deb\]"
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature pattern ".*\.\[rpm\]"
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature pattern ".*\.\[exe\]"
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature pattern ".*\.\[dmg\]"
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature direction client-to-server
    

    As you can see, these members detect all .deb, .rpm, .exe, and .dmg filenames (case-insensitively, thanks to the \[...\] around each extension). Next we need to set up the member that detects the anonymous user:

    security {
        idp {
            custom-attack FTP-installers {
                attack-type {
                    chain {
                        member FTP-Anonymous {
                            attack-type {
                                signature {
                                    context ftp-username;
                                    pattern "^anonymous$";
                                    direction client-to-server;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature context ftp-username
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature pattern "^anonymous$"
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature direction client-to-server
    

    Now that the members are defined, we need to tell the chain how they combine and set the severity of the attack object. The expression is a Boolean combination of the member names; it does not by itself require the members to match in the order listed (the chain has a separate order keyword for that).

    security {
        idp {
            custom-attack FTP-installers {
                severity major;
                attack-type {
                    chain {
                        expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous";
                    }
                }
            }
        }
    }
    
    set security idp custom-attack FTP-installers severity major
    set security idp custom-attack FTP-installers attack-type chain expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous"
    

    And that is it. We now have an attack object that fires when the anonymous FTP user downloads a file with one of the given extensions. Here is the full config:

    security {
        idp {
            custom-attack FTP-installers {
                severity major;
                attack-type {
                    chain {
                        expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous";
                        member DEB {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[deb\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member RPM {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[rpm\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member EXE {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[exe\]";
                                    direction client-to-server;
                                }
                            }
                        }
                        member DMG {
                            attack-type {
                                signature {
                                    context ftp-get-filename;
                                    pattern ".*\.\[dmg\]";
                                    direction client-to-server;
                                }
                            }                       
                        }
                        member FTP-Anonymous {
                            attack-type {
                                signature {
                                    context ftp-username;
                                    pattern "^anonymous$";
                                    direction client-to-server;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    
    set security idp custom-attack FTP-installers severity major
    set security idp custom-attack FTP-installers attack-type chain expression "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous"
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature pattern ".*\.\[deb\]"
    set security idp custom-attack FTP-installers attack-type chain member DEB attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature pattern ".*\.\[rpm\]"
    set security idp custom-attack FTP-installers attack-type chain member RPM attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature pattern ".*\.\[exe\]"
    set security idp custom-attack FTP-installers attack-type chain member EXE attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature context ftp-get-filename
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature pattern ".*\.\[dmg\]"
    set security idp custom-attack FTP-installers attack-type chain member DMG attack-type signature direction client-to-server
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature context ftp-username
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature pattern "^anonymous$"
    set security idp custom-attack FTP-installers attack-type chain member FTP-Anonymous attack-type signature direction client-to-server
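
    Both the Google+ signature and the FTP-installers chain above can be checked offline before they go into a policy. The following Python script is an added example, not code from the wiki or from Juniper: it translates the IDP pattern syntax the page relies on (\[...\] for a case-insensitive run, \. for a literal dot, everything else as ordinary regex) into a Python regex, evaluates a chain expression such as "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous" with AND binding tighter than OR, and runs the page's FTP-installers chain against a constructed FTP session. Two assumptions are built in: the pattern is matched against the whole context value (which is why the page's patterns start with .*), and the other IDP escapes (hex, binary, Unicode) are not handled.

```python
import re

# Added example (not from the wiki or Juniper): emulate how the page's
# custom-attack patterns match so they can be tested before committing.
# Assumed: \[...\] is a case-insensitive run, \. a literal dot, the rest is
# ordinary regex; \x..\x, \B..\B and \u escapes are NOT handled.


def idp_to_python_regex(pattern):
    """Translate an IDP signature pattern into a Python regex string."""
    out, i, ci = [], 0, False               # ci: inside a \[ ... \] run
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "[" and not ci:       # open case-insensitive run
                ci = True
            elif nxt == "]" and ci:         # close it
                ci = False
            else:                           # escaped literal, e.g. \.
                out.append("\\" + nxt)
            i += 2
            continue
        if ci and c.isalpha():
            out.append("[%s%s]" % (c.lower(), c.upper()))
        else:
            out.append(c)
        i += 1
    if ci:
        raise ValueError("unterminated \\[ in pattern %r" % pattern)
    return "".join(out)


def idp_match(pattern, value):
    """True if the pattern matches the whole context value (assumption: IDP
    compares against the entire context, hence the page's leading .*)."""
    return re.fullmatch(idp_to_python_regex(pattern), value) is not None


def eval_chain_expression(expr, matched):
    """Evaluate a chain expression like '(A OR B) AND C' against a dict of
    member name -> bool.  AND binds tighter than OR; parentheses group."""
    tokens = re.findall(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9_.-]+", expr)
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        val = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            take()
            rhs = parse_and()               # parse first: no short-circuit
            val = val or rhs
        return val

    def parse_and():
        val = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            take()
            rhs = parse_atom()
            val = val and rhs
        return val

    def parse_atom():
        tok = take()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing ) in %r" % expr)
            return val
        if tok not in matched:
            raise ValueError("unknown chain member %r" % tok)
        return matched[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


# The page's FTP-installers chain, as data: member -> (context, pattern).
FTP_INSTALLERS = {
    "expression": "(DEB OR RPM OR EXE OR DMG) AND FTP-Anonymous",
    "members": {
        "DEB": ("ftp-get-filename", r".*\.\[deb\]"),
        "RPM": ("ftp-get-filename", r".*\.\[rpm\]"),
        "EXE": ("ftp-get-filename", r".*\.\[exe\]"),
        "DMG": ("ftp-get-filename", r".*\.\[dmg\]"),
        "FTP-Anonymous": ("ftp-username", r"^anonymous$"),
    },
}


def chain_matches(attack, contexts):
    """contexts: context name -> values seen in one session (constructed)."""
    matched = {name: any(idp_match(pat, v) for v in contexts.get(ctx, []))
               for name, (ctx, pat) in attack["members"].items()}
    return eval_chain_expression(attack["expression"], matched)
```

    Calling chain_matches(FTP_INSTALLERS, {"ftp-username": ["anonymous"], "ftp-get-filename": ["README.txt", "Setup.EXE"]}) returns True, while the same session with user bob, or with only README.txt fetched, returns False. One thing the emulation makes visible: ^anonymous$ is case-sensitive as written, so a client logging in as Anonymous would not trigger the FTP-Anonymous member; writing it as ^\[anonymous\]$ uses the same case-insensitive construct as the other members.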
    

    IPS Policy

    Currently, only one IDP policy can be active at a time on the SRX. The policy lists the signatures and attack groups used to inspect traffic and the action to take on a match. Here we will set up a simple policy that contains the two custom attack objects we created earlier:

    security {
        idp {
            idp-policy active {
                rulebase-ips {
                    rule google+ {
                        match {
                            from-zone inside;
                            source-address any;
                            to-zone outside;
                            destination-address any;
                            application junos-http;
                            attacks {
                                custom-attacks Google+;
                            }
                        }
                        then {
                            action {
                                close-client-and-server;
                            }
                            notification {
                                log-attacks;
                            }
                        }
                    }
                    rule FTP {
                        match {
                            from-zone outside;
                            source-address any;
                            to-zone inside;
                            destination-address any;
                            application junos-ftp;
                            attacks {
                                custom-attacks FTP-installers;
                            }
                        }
                        then {
                            action {
                                close-client-and-server;
                            }
                            notification {
                                log-attacks;
                            }
                        }
                    }
                }
            }
        }
    }
    
    set security idp idp-policy active rulebase-ips rule google+ match from-zone inside
    set security idp idp-policy active rulebase-ips rule google+ match source-address any
    set security idp idp-policy active rulebase-ips rule google+ match to-zone outside
    set security idp idp-policy active rulebase-ips rule google+ match destination-address any
    set security idp idp-policy active rulebase-ips rule google+ match application junos-http
    set security idp idp-policy active rulebase-ips rule google+ match attacks custom-attacks Google+
    set security idp idp-policy active rulebase-ips rule google+ then action close-client-and-server
    set security idp idp-policy active rulebase-ips rule google+ then notification log-attacks
    set security idp idp-policy active rulebase-ips rule FTP match from-zone outside
    set security idp idp-policy active rulebase-ips rule FTP match source-address any
    set security idp idp-policy active rulebase-ips rule FTP match to-zone inside
    set security idp idp-policy active rulebase-ips rule FTP match destination-address any
    set security idp idp-policy active rulebase-ips rule FTP match application junos-ftp
    set security idp idp-policy active rulebase-ips rule FTP match attacks custom-attacks FTP-installers
    set security idp idp-policy active rulebase-ips rule FTP then action close-client-and-server
    set security idp idp-policy active rulebase-ips rule FTP then notification log-attacks
    

    Now that we have a basic policy, all that is left is to activate it:

    security {
        idp {
            active-policy active;
        }
    }
    
    set security idp active-policy active
    

    Exempt Rulebase

    If you come across a situation where you need to exempt a specific signature for false-positive reasons, you can do it in the exempt rulebase. It is very similar to the standard IPS rulebase, as you will see, except that a match is ignored instead of acted upon. We will set up our Google+ signature as the one we want to exempt:

    security {
        idp {
            idp-policy active {
                rulebase-exempt {
                    rule Google+ {
                        match {
                            from-zone inside;
                            source-address any;
                            to-zone outside;
                            destination-address any;
                            attacks {               
                                custom-attacks Google+;
                            }                       
                        }                           
                    }                               
                }                                   
            }
        }
    }
    
    set security idp idp-policy active rulebase-exempt rule Google+ match from-zone inside
    set security idp idp-policy active rulebase-exempt rule Google+ match source-address any
    set security idp idp-policy active rulebase-exempt rule Google+ match to-zone outside
    set security idp idp-policy active rulebase-exempt rule Google+ match destination-address any
    set security idp idp-policy active rulebase-exempt rule Google+ match attacks custom-attacks Google+
    

    Security Policy

    Once the IDP policy is set up, it has to be referenced from a security policy: IDP only inspects sessions that a security policy permits with application-services idp. The match terms below are illustrative; substitute your own addresses and applications. Note that the FTP rule in the IDP policy above matches from-zone outside to-zone inside, so it only ever sees traffic if an outside-to-inside security policy also has application-services idp; the single policy shown here only covers outbound HTTP.

    security {
        policies {
            from-zone inside to-zone outside {
                policy outbound-http {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-http;
                    }
                    then {
                        permit {
                            application-services {
                                idp;
                            }
                        }
                    }
                }
            }
        }
    }
    
    set security policies from-zone inside to-zone outside policy outbound-http match source-address any
    set security policies from-zone inside to-zone outside policy outbound-http match destination-address any
    set security policies from-zone inside to-zone outside policy outbound-http match application junos-http
    set security policies from-zone inside to-zone outside policy outbound-http then permit application-services idp
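
    As an added example (not from the wiki or Juniper), the following Python script audits a set-format configuration for exactly this mismatch: it parses the idp-policy rules, the active-policy statement and the security policies, and reports any rule of the active IDP policy whose zone pair has no security policy enabling IDP. The configuration embedded in it is constructed from the page's own set commands (with the security policy named outbound-http), plus a hypothetical inbound-ftp policy that clears the finding; the parser only understands the statement forms used on this page and is a checker, not a general Junos parser.

```python
import shlex

# Added example (not from the wiki or Juniper): find idp-policy rules that
# can never fire because no security policy for their zone pair permits
# traffic with 'application-services idp'.

# Constructed sample: the page's IDP policy plus its single security policy.
SAMPLE_CONFIG = """
set security idp idp-policy active rulebase-ips rule google+ match from-zone inside
set security idp idp-policy active rulebase-ips rule google+ match to-zone outside
set security idp idp-policy active rulebase-ips rule google+ match application junos-http
set security idp idp-policy active rulebase-ips rule google+ match attacks custom-attacks Google+
set security idp idp-policy active rulebase-ips rule google+ then action close-client-and-server
set security idp idp-policy active rulebase-ips rule FTP match from-zone outside
set security idp idp-policy active rulebase-ips rule FTP match to-zone inside
set security idp idp-policy active rulebase-ips rule FTP match application junos-ftp
set security idp idp-policy active rulebase-ips rule FTP match attacks custom-attacks FTP-installers
set security idp idp-policy active rulebase-ips rule FTP then action close-client-and-server
set security idp active-policy active
set security policies from-zone inside to-zone outside policy outbound-http match source-address any
set security policies from-zone inside to-zone outside policy outbound-http match destination-address any
set security policies from-zone inside to-zone outside policy outbound-http match application junos-http
set security policies from-zone inside to-zone outside policy outbound-http then permit application-services idp
"""

# Hypothetical inbound policy that would clear the finding (constructed).
INBOUND_FTP_FIX = """
set security policies from-zone outside to-zone inside policy inbound-ftp match source-address any
set security policies from-zone outside to-zone inside policy inbound-ftp match destination-address any
set security policies from-zone outside to-zone inside policy inbound-ftp match application junos-ftp
set security policies from-zone outside to-zone inside policy inbound-ftp then permit application-services idp
"""


def parse_set_commands(text):
    """Tokens of every 'set ...' line, minus the leading 'set'."""
    return [shlex.split(line.strip())[1:]
            for line in text.splitlines() if line.strip().startswith("set ")]


def idp_rules(cmds):
    """(idp-policy, rule) -> zone pair for every rulebase-ips rule.
    A rule with no from-zone/to-zone statement defaults to any."""
    rules = {}
    for t in cmds:
        if (len(t) >= 7 and t[:3] == ["security", "idp", "idp-policy"]
                and t[4:6] == ["rulebase-ips", "rule"]):
            zones = rules.setdefault((t[3], t[6]),
                                     {"from-zone": "any", "to-zone": "any"})
            if len(t) >= 10 and t[7] == "match" and t[8] in zones:
                zones[t[8]] = t[9]
    return rules


def active_policy(cmds):
    """Name given to 'security idp active-policy', or None if unset."""
    for t in cmds:
        if len(t) == 4 and t[:3] == ["security", "idp", "active-policy"]:
            return t[3]
    return None


def idp_enabled_zone_pairs(cmds):
    """Zone pairs whose policy permits with application-services idp
    (the page's syntax) or idp-policy (newer releases)."""
    pairs = set()
    for t in cmds:
        if (len(t) >= 12 and t[:2] == ["security", "policies"]
                and t[2] == "from-zone" and t[4] == "to-zone" and t[6] == "policy"
                and t[8:11] == ["then", "permit", "application-services"]
                and t[11] in ("idp", "idp-policy")):
            pairs.add((t[3], t[5]))
    return pairs


def audit(text):
    """Return a list of findings; an empty list means nothing was found."""
    cmds = parse_set_commands(text)
    rules, active = idp_rules(cmds), active_policy(cmds)
    pairs, findings = idp_enabled_zone_pairs(cmds), []
    if active is None:
        findings.append("no 'security idp active-policy' configured; IDP policy never applied")
    elif active not in {pol for pol, _ in rules}:
        findings.append("active-policy %r names an idp-policy with no rulebase-ips rules" % active)
    for (pol, rule), z in rules.items():
        if pol != active:
            continue                     # inactive policies are not evaluated
        covered = any(z["from-zone"] in ("any", fz) and z["to-zone"] in ("any", tz)
                      for fz, tz in pairs)
        if not covered:
            findings.append("rule %s (%s -> %s) has no security policy with application-services idp"
                            % (rule, z["from-zone"], z["to-zone"]))
    return findings
```

    audit(SAMPLE_CONFIG) reports the FTP rule (outside -> inside) as uncovered, and audit(SAMPLE_CONFIG + INBOUND_FTP_FIX) returns an empty list. Rules whose policy is not the active one are skipped on purpose, since the SRX never evaluates them.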
    

    Troubleshooting

    Important Files

    • /var/db/idpd/sec-download/SignatureUpdate.xml - The entire Attack Database
    • /var/db/idpd/sec-download/groups.xml - Predefined dynamic groups
    • /var/db/idpd/sec-repository/attack.list - All attacks that have signatures in name format
    • /var/db/idpd/sec-repository/attack-group.list - List of attack groups by category
    • /var/db/idpd/sec-repository/application.list - List of all AppID applications and their ports

    Repairing the Attack Database

    If the attack database becomes corrupt, it can be wiped and re-initialised as shown below. The rm -rfv * step deletes everything in the current directory, so confirm the cd succeeded and you really are in /var/db/idpd/db/ before running it; afterwards the security package has to be downloaded and installed again.

    [edit]
    metacortex@KaelthasSunstrider# run start shell 
    metacortex@KaelthasSunstrider%	cd /var/db/idpd/db/
    metacortex@KaelthasSunstrider%	rm -rfv *
    dfa_cache.d01
    dfa_cache.k01
    dfa_group_cache.d02
    dfa_group_cache.k02
    dfacache.dbd
    pcre_cache.d03
    pcre_cache.k03
    rdm.taf
    secdb.d01
    secdb.d02
    secdb.d03
    secdb.d04
    secdb.d05
    secdb.d06
    secdb.d07
    secdb.d08
    secdb.d09
    secdb.d10
    secdb.d11
    secdb.d12
    secdb.d13
    secdb.d14
    secdb.d15
    secdb.dbd
    secdb.k01
    secdb.k02
    secdb.k03
    secdb.k04
    secdb.k05
    secdb.k06
    secdb.k07
    secdb.k08
    secdb.k09
    secdb.k10
    secdb.k11
    secdb.k12
    secdb.k13
    secdb.k14
    secdb.k15
    secdb.k16
    secdb.k17
    secdb.k18
    secdb.k19
    secdb.k20
    secdb.k21
    secdb.k22
    metacortex@KaelthasSunstrider%	cd /etc/
    metacortex@KaelthasSunstrider%	sh rc.idb 
    
    Database Initialization Utility
    RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
    Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.
    
    secdb initialized
    
    
    Database Initialization Utility
    RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
    Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.
    
    dfacache initialized
    
    metacortex@KaelthasSunstrider%	exit
    exit
    
    [edit]
    metacortex@KaelthasSunstrider# run restart idp-policy 
    IDP policy daemon started, pid 12990
    
    [edit]
    metacortex@KaelthasSunstrider# run request security idp security-package download full-update                  
    Will be processed in async mode. Check the status using the status checking CLI
    
    