下载idp特征库、策略模板
request security idp security-package download full-update
request security idp security-package download policy-templates
request security idp security-package download status
安装idp特征库、策略模板
request security idp security-package install
request security idp security-package install policy-templates
request security idp security-package install status
加载策略模板
configure
set system scripts commit file templates.xsl
commit and-quit
删除配置模板脚本导入的命令
configure
delete system scripts commit file templates.xsl
commit and-quit
自定义一个攻击(用户使用用户名cisco登陆FTP则认为是攻击)
set security idp custom-attack ftp-attack recommended-action close
set security idp custom-attack ftp-attack severity critical
set security idp custom-attack ftp-attack attack-type signature context ftp-username
set security idp custom-attack ftp-attack attack-type signature pattern "\[cisco\]"
set security idp custom-attack ftp-attack attack-type signature direction any
-
-------------------------------------------------------------------------------
添加需要的IDP规则
Add the in this case I added it to the Recommended template, and inserted rule 0 before rule 1:
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match from-zone Internal
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match source-address any
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match to-zone Internet
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match destination-address any
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match application default
session下载set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 match attacks custom-attacks ftp-attack
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 then action close-client-and-server
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 then notification log-attacks 发生攻击时发送日志到syslog
set security idp idp-policy ftp-attack-policy rulebase-ips rule 0 then severity critical
set security idp active-policy ftp-attack-policy
set system syslog host 192.168.118.1 user info
set system syslog host 192.168.118.1 match RT_IDP
--------------------------------------------------------------------------------
在指定的security policy里启用IDP(注意policy的match部分要能匹配到攻击流量)
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match source-address any
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match destination-address any
set security policies from-zone Internal to-zone Internet policy All_Internal_Internet match application any
set security policies from-zone Internal to-zone Internet policy All_Inter
nal_Internet then permit application-services idp
--------------------------------------------------------------------------------
提交配置后,通过ftp登陆测试,其他在ftp服务器上定义的正确的用户名都可以正常登陆,但以用户名cisco登陆则会被srx断开。
C:\>ftp 192.168.118.1
Connected to 192.168.118.1.
220 3Com 3CDaemon FTP 服务器版本 2.0
User (192.168.118.1:(none)): cisco
Connection closed by remote host.
检查attack table
lab@x47> show security idp attack table
IDP attack statistics:
Attack name #Hits
ftp-attack 1
查看idp计数器,可以看到被idp策略匹配到的会话数,
lab@x47> show security idp counters flow
IDP counters:
IDP counter type Value
Fast-path packets 32
Slow-path packets 17
Session construction failed 0
Session limit reached 0
Session inspection depth reached 0
Memory limit reached 0
Not a new session 0
Invalid index at ageout 0
Packet logging 0
Policy cache hits 0
Policy cache misses 17
Maximum flow hash collisions 0
Flow hash collisions 0
Gates added 0
Gate matches 0
Sessions deleted 17
Sessions aged-out 0
Sessions in-use while aged-out 0
TCP flows marked dead on RST/FIN 1
Policy init failed 0
Number of times Sessions exceed high mark 0
Number of times Sessions drop below low mark 0
Memory of Sessions exceeds high mark 0
Memory of Sessions drops below low mark 0
SM Sessions encountered memory failures 0
SM Packets on sessions with memory failures 0
Sessions constructed 17
SM Sessions ignored
15
SM Sessions dropped 0
SM Sessions interested 17
SM Sessions not interested 584
SM Sessions interest error 0
Sessions destructed 17
SM Session Create 2
SM Packet Process 32
SM ftp data session ignored by idp 0
SM Session close 2
SM Client-to-server packets 17
SM Server-to-client packets 15
SM Client-to-server L7 bytes 72
SM Server-to-client L7 bytes 189
Client-to-server flows ignored 0
Server-to-client flows ignored 0
Both directions flows ignored 1
Fail-over sessions dropped 0
Sessions dropped due to no policy 0
IDP Stream Sessions dropped due to memory failure 0
IDP Stream Sessions ignored due to memory failure 0
IDP Stream Sessions closed due to memory failure 0
IDP Stream Sessions accepted 0
IDP Stream Sessions constructed 0
IDP Stream Sessions destructed 0
IDP Stream Move Data 0
IDP Stream Sessions ignored on JSF SSL Event 0
IDP Stream Sessions not processed for no matching rules 0
IDP Stream stbuf dropped 0
IDP Stream stbuf reinjected 0
Busy pkts from stream plugin 0
Busy pkts from pkt plugin 0
bad kpp 0
Lsys policy id lookup failed sessions 0
Busy packets 0
Busy packet Errors 0
Dropped queued packets (async mode) 0
Dropped queued packets failed(async mode) 0
Reinjected packets (async mode) 0
Reinjected packets failed(async mode)
0
AI saved processed packet 0
busy packet count incremented 0
busy packet count decremented 0
session destructed in pme 0
session destruct set in pme 0
kq op hold 0
kq op drop 0
kq op route 0
kq op continue 30
kq op error 0
kq op stop 0
PME wait not set 0
PME wait set 0
PME KQ run not called 0
发生攻击后,发送到syslog服务器的日志
Sep 01 11:04:52 192.168.118.165 Sep 1 03:04:49 x47 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1409569489, SIG Attack log <192.168.10.188/1360->192.168.118.1/21> for TCP protocol and service SERVICE_IDP application NONE by rule 1 of rulebase IPS in policy ftp-attack-policy. attack: repeat=0, action=CLOSE, threat-severity=CRITICAL, name=ftp-attack, NAT <192.168.118.165:5926->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:Internal:ge-0/0/1.0->Internet:ge-0/0/0.0, packet-log-id: 0, alert=no and misc-message -
发表评论