Intrusion Detection and Prevention

Step 2: Up and Running

22-Jun-23

Let’s activate the predefined policy template named Recommended.

  1. Set the default policy to Recommended.
    [edit]
    user@host# set security idp default-policy Recommended
  2. Confirm the Recommended policy is enabled on your device.
    [edit]
    user@host# show security idp default-policy
    default-policy Recommended;

Enable an IDP Action in a Policy

You can configure attack objects and attack groups as match conditions in IDP policy rules. In this example, we show you how to create a policy rule that enables the predefined attack group “HTTP - Critical”. In this rule, the “HTTP - Critical” group is matched against HTTP traffic from the untrust zone to the trust zone. When the attack group is enabled, IDP checks that traffic for the attacks in the group and then takes the action defined in the policy (which in this case is likely to be dropping the traffic).

  1. Create an IDP policy rule.
    [edit]
    user@host# set security idp idp-policy http rulebase-ips rule 1 match from-zone untrust
    user@host# set security idp idp-policy http rulebase-ips rule 1 match to-zone trust
    user@host# set security idp idp-policy http rulebase-ips rule 1 match application junos-http
    user@host# set security idp idp-policy http rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - Critical"
    user@host# set security idp idp-policy http rulebase-ips rule 1 then action recommended
    user@host# set security idp idp-policy http rulebase-ips rule 1 then notification log-attacks
  2. Commit the changes.
    user@host# commit
  3. Apply the IDP policy.
    [edit]
    user@host# set security policies from-zone untrust to-zone trust policy policy-2 match source-address any
    user@host# set security policies from-zone untrust to-zone trust policy policy-2 match destination-address any
    user@host# set security policies from-zone untrust to-zone trust policy policy-2 match application junos-http
    user@host# set security policies from-zone untrust to-zone trust policy policy-2 then permit application-services idp-policy http
  4. Commit the changes.
    user@host# commit
  5. Verify that HTTP-Critical is enabled in the policy.
    user@host# run show security policies policy-name policy-2 detail
    user@host# show security idp idp-policy http
    rulebase-ips {
        rule 1 {
            match {
                from-zone untrust;
                to-zone trust;
                application junos-http;
                attacks {
                    predefined-attack-groups "HTTP - Critical";
                }
            }
            then {
                action {
                    recommended;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
    
    user@host# show security policies from-zone untrust to-zone trust policy policy-2        
    match {
        source-address any;
        destination-address any;
        application junos-http;
    }
    then {
        permit {
            application-services {
                idp-policy http;
            }
        }
    }
    

    The sample output confirms that the “HTTP - Critical” attack group is enabled in IDP policy http and that security policy policy-2 applies that IDP policy.
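Two things in the procedure above can go wrong without any error at commit time: the security policy can name an IDP policy that is not the one you configured, and the IDP rule's from-zone/to-zone can differ from the zone pair of the security policy that invokes it, so the rule never matches. The following Python script, added here as an example and not code from the Juniper page, runs that check over set-style configuration lines; the sample input is constructed from the page's own commands plus one deliberately wrong policy (policy-3, dmz to trust), which is assumed, not on the page.

```python
"""Check how security policies hand traffic to IDP policies. Added example, not
from the Juniper page; input is Junos 'set'-style configuration ('show | display
set'), the sample below constructed from the procedure above plus one bad policy."""
import re

# IDP rule lines (policy, rule, match|then, keyword, rest) and security-policy lines that invoke IDP.
IDP_RULE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) (match|then) (\S+)(?: (.+))?$")
SEC_POLICY_IDP = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit application-services idp-policy (\S+)$")

def check_idp_wiring(config_lines):
    """Return a list of findings; an empty list means the wiring is consistent."""
    rule_zones = {}   # (idp_policy, rule) -> {"from-zone": zone, "to-zone": zone}
    invocations = []  # (from_zone, to_zone, sec_policy, idp_policy)
    for raw in config_lines:
        m = IDP_RULE.match(raw.strip())
        if m:
            zones = rule_zones.setdefault((m.group(1), m.group(2)), {})
            if m.group(3) == "match" and m.group(4) in ("from-zone", "to-zone"):
                zones[m.group(4)] = m.group(5)
            continue
        m = SEC_POLICY_IDP.match(raw.strip())
        if m:
            invocations.append(m.groups())
    defined = {policy for policy, _ in rule_zones}
    findings = []
    for frm, to, sec_policy, idp_policy in invocations:
        if idp_policy not in defined:
            findings.append(f"{sec_policy}: references undefined IDP policy '{idp_policy}'")
            continue
        # A rule with no from-zone/to-zone (or 'any') matches every zone pair.
        covered = any(
            z.get("from-zone", "any") in ("any", frm) and z.get("to-zone", "any") in ("any", to)
            for (pol, _), z in rule_zones.items() if pol == idp_policy)
        if not covered:
            findings.append(f"{sec_policy} ({frm} -> {to}): no rule in IDP policy "
                            f"'{idp_policy}' matches that zone pair")
    return findings

# Constructed sample: the page's rule 1 and policy-2, plus a policy-3 that invokes
# IDP for dmz -> trust, a zone pair that rule 1 (untrust -> trust) never matches.
SAMPLE_CONFIG = """
set security idp idp-policy http rulebase-ips rule 1 match from-zone untrust
set security idp idp-policy http rulebase-ips rule 1 match to-zone trust
set security idp idp-policy http rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - Critical"
set security policies from-zone untrust to-zone trust policy policy-2 then permit application-services idp-policy http
set security policies from-zone dmz to-zone trust policy policy-3 then permit application-services idp-policy http
""".strip().splitlines()
```

Feed it the real output of `show configuration | display set` and an empty result means every IDP invocation lands on a rule that can actually match it.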

View Predefined Attacks and Attack Groups in an IDP Policy

The IDP attack database stores thousands of attack objects. To make them easier to manage, attack objects are organized into attack groups. An attack group contains two or more types of attack objects.

Use the show security idp attack attack-list policy policy-name command to view the attacks available in an IDP policy template or IDP policy. If an IDP policy contains an attack that belongs to several attack groups, the command output lists that attack name more than once.

View a List of Detected Attacks

The attack table lists the attacks IDP has detected; hit counts are aggregated across all SPUs.

user@host> show security idp attack table
IDP attack statistics:
Attack name                    #Hits
TROJAN:SUBSEVEN:SCAN            1303
APP:CA:ARCSRV:DISCOVERY-OF      1301
SCADA:DNP3:NON-DNP3             1301
TCP:C2S:AMBIG:C2S-SYN-DATA      1300
SCADA:MODBUS:NON-MODBUS         1299
OS:LINUXX86:NTPDX-OF             975
NETBIOS:WINS:REPLICATION-PTR     944
RPC:RPC.STATD:STATD-FMT-STR2     154
DOS:NETDEV:CISCO-PIM              16
DOS:NETDEV:CISCO-SUNND            16
SCADA:MODBUS:SLAVE-ID              7
SCADA:MODBUS:READ-ID               6 
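The attack names in this table follow a CATEGORY:SUBCATEGORY:NAME convention, so the output can be rolled up by attack family to see at a glance whether the hits are trojans, SCADA protocol anomalies, or DoS signatures. The following Python script, added here as an example and not code from the Juniper page, parses the output above (embedded as sample data) and aggregates it; the function names are this example's own.

```python
"""Parse 'show security idp attack table' output and roll the hit counts up
by attack family. Added example, not from the Juniper page; the sample is the
output shown above, embedded here so the script runs offline."""
import re
from collections import Counter

# A data row is '<ATTACK:NAME>   <hits>'; prompt, title and column-header lines never end in an integer.
ROW = re.compile(r"^(\S+)\s+(\d+)\s*$")

def parse_attack_table(text):
    """Return {attack_name: hits} from the command output, skipping non-data lines."""
    hits = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            hits[m.group(1)] = int(m.group(2))
    return hits

def hits_by_family(hits):
    """Sum hits by the leading component of the attack name (TROJAN, SCADA, DOS, ...)."""
    totals = Counter()
    for name, count in hits.items():
        totals[name.split(":", 1)[0]] += count
    return totals

def top_attacks(hits, n=3):
    """Highest-hit attacks first, attack name as the tie-breaker."""
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

# Sample output copied from the attack table shown on the page.
SAMPLE_OUTPUT = """
user@host> show security idp attack table
IDP attack statistics:
Attack name                    #Hits
TROJAN:SUBSEVEN:SCAN            1303
APP:CA:ARCSRV:DISCOVERY-OF      1301
SCADA:DNP3:NON-DNP3             1301
TCP:C2S:AMBIG:C2S-SYN-DATA      1300
SCADA:MODBUS:NON-MODBUS         1299
OS:LINUXX86:NTPDX-OF             975
NETBIOS:WINS:REPLICATION-PTR     944
RPC:RPC.STATD:STATD-FMT-STR2     154
DOS:NETDEV:CISCO-PIM              16
DOS:NETDEV:CISCO-SUNND            16
SCADA:MODBUS:SLAVE-ID              7
SCADA:MODBUS:READ-ID               6
"""
```

Because the counters are aggregated across all SPUs and only reset with `clear security idp attack table`, compare snapshots over time rather than reading the absolute numbers.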