IDP Security Packet Capture
An IDP sensor configuration defines the device specifications for the packet capture.
For more information, see the following topics:
Understanding Security Packet Capture
Viewing packets that precede and follow an attack helps you determine the purpose and extent of an attempted attack, whether an attack was successful, and if any network damage was caused by an attack. Packet analysis also aids in defining attack signatures to minimize false positives.
If packet capture is enabled when an attack is logged, a specified number of packets before and after the attack can be captured for the session. When all packets have been collected, they are transmitted in Device Management Interface (DMI) to a host device for offline analysis.
A notification option in the IDP policy rule enables packet capture when a rule match occurs. The option further defines the number of packets to be captured and the duration of packet capture for the associated session.
An IDP sensor configuration defines the device specifications for the packet capture. Options for this command determine the memory to be allocated for packet capture, and the source and host devices between which the packet capture object will be transmitted.
The show security idp counters packet-log command displays packet capture counters that provide details about the progress, success, and failure of packet capture activity on the device.
Support for packet capture is available only once on each session.
When packet capture is configured with a larger pre-attack value, resource usage increases proportionally and might affect the performance of your device.
Encryption support for IDP Packet Capture
Starting in Junos OS Release 22.1R1, you can enable a secure SSL or TLS connection and send encrypted IDP packet capture log to the packet capture receiver. To establish the SSL or TLS connection, you must specify the SSL initiation profile name that you want to use in the IDP packet log configuration. The SRX Series Firewall is the SSL or TLS client and the packet capture receiver is the SSL or TLS server.
IDP uses a secure SSL or TLS connection to send the IDP packet logs to the configured host for all sessions (encrypted and non-encrypted) within a logical system or a tenant system, if encryption support is enabled in the packet log configuration. Once the packet logs are sent to the packet capture receiver, the SSL connection is closed.
Previously, when encrypted traffic was sent for inspection, IDP received the decrypted traffic from the SSL proxy and inspected it for attacks. If an attack was detected and packet log was configured, the decrypted packets were sent to the configured host as part of the packet log over UDP. Transmitting the packet log without encryption is not secure, especially when the captured packets belong to traffic that was encrypted on the wire.
When encryption support is enabled, SSL profile must be configured in each logical system separately. The IDP sensor configuration performed in root logical system for transport parameters cannot be used for the other logical systems or tenant systems.
The SSL or TLS connection for IDP packet logs is established as follows:
- When the packet logging process starts and there is no SSL or TLS connection to the host, a new SSL connection is established for sending the packet logs.
- During packet log transmission, if there is an existing SSL or TLS connection, the same connection is reused.
- When packet logging stops, the captured packets are sent over the established SSL or TLS connection.
- When an SSL or TLS packet transmission session is busy and a new packet log request arrives, those packet logs are queued and sent only after the existing SSL session completes.
The packet log configuration of IDP now supports the SSL profile name configuration. You can use this updated packet log configuration to establish a secure SSL connection for IDP packet logs.
The updated IDP packet log commands with SSL configuration are:
- For sessions in the root logical system:
set security idp sensor-configuration packet-log ssl-profile-name <profile-name>
- For sessions within a logical system:
set logical-systems <logical-system-name> security idp sensor-configuration packet-log ssl-profile-name <profile-name>
- For sessions within a tenant system:
set tenants <tenant-name> security idp sensor-configuration packet-log ssl-profile-name <profile-name>
The profile name used in these commands must be defined in the SSL initiation profile configuration. The SSL initiation profile supplies the certificates and performs the SSL handshake needed to establish the secure connection, and the SSL or TLS versions offered are those enabled in that profile.
If the referenced profile is not defined in the SSL initiation profile configuration, the following message is displayed: Referenced SSL initiation profile is not defined.
To view the new packet log counters, use the show security idp counters packet-log command.
Benefits
- Provides privacy and integrity of the packet log data using SSL and TLS keys and certificates.
- Allows streaming of potentially private information to shared collectors in a network.
Support for IDP On-Box Packet Capture
When an attack occurs, packets are captured using the IDP packet logging feature and the attack behavior is analyzed offline. Sometimes, a log collector device such as the Security Director is not available for offline collection of the captured packets. In such cases, starting in Junos OS Release 23.1R1, the captured packets can now be stored locally on the SRX Series Firewall and details can be viewed on the user interface or J-Web.
The existing IDP packet log configuration is used as usual: the then notification packet-log settings of the IDP rule control what is captured. Use the set security idp sensor-configuration packet-log local-storage command to store the captured packets on the device.
If you use this configuration, there is no change in sending the packet-log to the off-box host or collector if the details are configured for the host.
The captured traffic is stored at /var/log/pcap/idp/. The name of the PCAP file is based on the time stamp, attack log ID, and the trigger packet number.
You can restrict the number of PCAP files that are created by using the log rotation facility that is provided. Use the following configuration to limit the number of PCAP files that can be created in /var/log/pcap/idp:
set security idp sensor-configuration packet-log local-storage max-files <1..5000>
The default value is 500.
The following configuration sets the maximum disk space, in bytes, used to store the PCAP files:
set security idp sensor-configuration packet-log local-storage storage-limit <1048576..4294967296>
The default value is 100M and the minimum is 1M.
Counters indicate the on-box capture statistics. New counters are added to the existing packet-log counters. You can view the packet-log counters using the following command:
user@host> show security idp counters packet-log
IDP counters:
  Total packets sent for local packet capture            0
  Total sessions enabled for local packet capture        0
  Sessions currently enabled for local packet capture    0
  Packets currently captured for local enabled sessions  0
  Packet clone failures for local capture                0
  Total failures sending packets captured to RE          0
A flag is now set in the existing RT_FLOW_SESSION_CLOSE syslog message when an on-box packet capture file is generated for the session. The third-last field of the message (the feature stats for the session; 128 in the following example) indicates this:
RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 4.0.0.1/44508->6.0.0.2/80 0x0 junos-http 4.0.0.1/44508->6.0.0.2/80 0x0 N/A N/A N/A N/A 6 1 trust untrust 22 7(420) 6(3879) 2 HTTP UNKNOWN N/A(N/A) ge-0/0/2.0 No Web N/A 4 Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A Off root 128 N/A N/A
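The following Python script is an added example, not part of the Junos documentation, that shows how a collector could pick out the session-close messages whose feature-stats field carries the on-box capture indication. It assumes the third-last whitespace-separated field of the message is the per-session feature stats, and it treats 128 as a bit flag that may be OR'd with other feature bits (the page only shows the value 128 on its own, so the bitmask treatment is an assumption). The log lines are constructed: the first is the page's own example re-joined on one line, the others are made up.

```python
"""Find RT_FLOW_SESSION_CLOSE lines whose feature stats indicate that an
on-box IDP packet capture file was written for the session.

Added example, not Junos code. Assumptions: the third-last field of the
message is the session feature-stats value and 128 is a bit flag in it.
"""
import re

ONBOX_PCAP_FLAG = 128  # assumption: bit flag, may be combined with other bits

# Constructed sample log: line 1 is the documented example, line 2 is a
# constructed session without the flag, line 3 is not a close message.
SAMPLE_LOG = """\
RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 4.0.0.1/44508->6.0.0.2/80 0x0 junos-http 4.0.0.1/44508->6.0.0.2/80 0x0 N/A N/A N/A N/A 6 1 trust untrust 22 7(420) 6(3879) 2 HTTP UNKNOWN N/A(N/A) ge-0/0/2.0 No Web N/A 4 Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A Off root 128 N/A N/A
RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/51000->10.2.2.9/443 0x0 junos-https 10.1.1.5/51000->10.2.2.9/443 0x0 N/A N/A N/A N/A 6 1 trust untrust 23 5(300) 4(2000) 3 SSL UNKNOWN N/A(N/A) ge-0/0/2.0 No Web N/A 2 Can Leak Information; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A Off root 0 N/A N/A
RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51000->10.2.2.9/443 junos-https
"""

CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>[^:]+): "
    r"(?P<src>\S+)->(?P<dst>\S+) "
)


def parse_session_close(line):
    """Return a dict for a session-close line, or None for any other line.

    Fields are counted from the end of the message because some middle
    fields (the application attribute list) contain spaces.
    """
    m = CLOSE_RE.search(line)
    if not m:
        return None
    fields = line.split()
    try:
        feature_stats = int(fields[-3])
    except ValueError:
        return None  # assumption: a non-numeric slot means no stats present
    return {
        "reason": m.group("reason"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "feature_stats": feature_stats,
        "onbox_pcap": bool(feature_stats & ONBOX_PCAP_FLAG),
    }


def sessions_with_onbox_pcap(log_text):
    """Return the parsed close records that have an on-box PCAP file."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_session_close(line)
        if rec and rec["onbox_pcap"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in sessions_with_onbox_pcap(SAMPLE_LOG):
        print("on-box PCAP written for %s -> %s (%s)"
              % (rec["src"], rec["dst"], rec["reason"]))
```

Counting from the end of the message is deliberate: the application attribute field ("Can Leak Information;Supports File Transfer;...") contains spaces, so indexing from the start would shift by a variable amount.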
The following are the other useful commands:
- Use delete security idp sensor-configuration packet-log local-storage and commit to remove the configuration and disable on-box logging.
- Use clear security idp counters packet-log to reset the on-box capture counters.
- Use request security idp storage-cleanup packet-capture to delete all the captured files.
Example: Configuring Security Packet Capture
This example shows how to configure the security packet capture.
Requirements
Before you begin, configure network interfaces.
Overview
In this example, you configure a packet capture for rule 1 of policy pol0. The rule specifies that, if an attack occurs, 1 packet before the attack and 3 packets after the attack are captured, and that the post-attack capture times out after 60 seconds. The sensor configuration is modified to allocate 5 percent of available memory and 15 percent of the IDP sessions to packet capture. When the packet capture object is prepared, it is transmitted from device 10.56.97.3 to port 5 on device 10.24.45.7.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy pol0 rulebase-ips rule 1 then notification packet-log pre-attack 1 post-attack 3 post-attack-timeout 60
set security idp sensor-configuration packet-log total-memory 5 max-sessions 15 source-address 10.56.97.3 host 10.24.45.7 port 5
set security idp sensor-configuration log suppression disable
set security idp idp-policy pol0 rulebase-ips rule 1 match attacks predefined-attack-groups "TELNET-Critical"
set security idp idp-policy pol0 rulebase-ips rule 1 then action drop-packet
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the security packet capture:
-
Create an IDP policy.
[edit] user@host# edit security idp idp-policy pol0
-
Associate a rulebase with the policy.
[edit security idp idp-policy pol0] user@host# edit rulebase-ips
-
Add rules to the rulebase.
[edit security idp idp-policy pol0 rulebase-ips] user@host# edit rule 1
-
Specify notification, define the size and timing constraints for each packet capture.
[edit security idp idp-policy pol0 rulebase-ips rule 1] user@host# set then notification packet-log pre-attack 1 post-attack 3 post-attack-timeout 60
-
Define an attack as match criteria.
[edit security idp idp-policy pol0 rulebase-ips rule 1] user@host# set match attacks predefined-attack-groups "TELNET-Critical"
-
Specify an action for the rule.
[edit security idp idp-policy pol0 rulebase-ips rule 1] user@host# set then action drop-packet
-
Enable the security idp sensor-configuration.
[edit] user@host# edit security idp sensor-configuration
-
(Optional) Disable security idp sensor-configuration log suppression.
[edit] user@host# set security idp sensor-configuration log suppression disable
Note:When IDP log suppression is enabled (which is the default behaviour), during incidents of high volume or repetitive attacks matching a single signature, a packet capture (PCAP) may not be generated by the SRX Series Firewall and forwarded to the collector. It is recommended to disable IDP log suppression if you require PCAP records for each attack.
-
Allocate the device resources to be used for packet capture.
[edit security idp sensor-configuration] user@host# set packet-log total-memory 5 max-sessions 15
-
Identify the source and host devices for transmitting the packet-capture object.
[edit security idp sensor-configuration] user@host# set packet-log source-address 10.56.97.3 host 10.24.45.7 port 5
- Enable a secured SSL or TLS connection to encrypt the IDP packet log sent to the configured host (PCAP receiver).
[edit security idp sensor-configuration] user@host# set packet-log ssl-profile-name ssl3
(Logical Systems) [edit] user@host# set logical-systems LS1 security idp sensor-configuration packet-log ssl-profile-name ssl3
(Tenant Systems) [edit] user@host# set tenants TS1 security idp sensor-configuration packet-log ssl-profile-name ssl3
The SSL profile named here (ssl3) must be defined in the SSL initiation profile configuration. The SSL and TLS versions available for the IDP packet log connection are exactly those enabled in that SSL initiation profile; you cannot select a version the profile does not allow.
To view the SSL initiation profiles that are configured, and the SSL or TLS versions they allow, run show services ssl initiation | display set from configuration mode.
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy pol0 {
    rulebase-ips {
        rule 1 {
            match {
                attacks {
                    predefined-attack-groups TELNET-Critical;
                }
            }
            then {
                action {
                    drop-packet;
                }
                notification {
                    packet-log {
                        pre-attack 1;
                        post-attack 3;
                        post-attack-timeout 60;
                    }
                }
            }
        }
    }
}
sensor-configuration {
    log {
        suppression {
            disable;
        }
    }
    packet-log {
        total-memory {
            5;
        }
        max-sessions {
            15;
        }
        source-address 10.56.97.3;
        host {
            10.24.45.7;
            port 5;
        }
        ##
        ## Warning: Referenced SSL initiation profile is not defined
        ##
        ssl-profile-name ssl3;
    }
}
If you are done configuring the device, enter commit
from configuration mode.
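The commit warning shown above (Referenced SSL initiation profile is not defined) and the note on log suppression are the two things most likely to leave you without usable PCAPs. The following Python script is an added example, not Junos code, that audits a set-format configuration dump (the output of show | display set) for IDP packet-log transport hygiene: a packet-log host with no ssl-profile-name (captures leave the box as plaintext UDP), an ssl-profile-name that is not defined in the same logical system or tenant system (the page states the root profile is not reused there), and log suppression left enabled. It assumes the services ssl initiation profile hierarchy under a logical system or tenant mirrors the root one; the sample configuration is constructed.

```python
"""Audit a Junos 'show | display set' dump for IDP packet-log transport.

Added example, not Junos code. Input: 'set ...' lines, optionally prefixed
with 'logical-systems <name>' or 'tenants <name>'. The SSL initiation
profile path under a logical/tenant system is assumed to mirror root.
"""
import re
from collections import defaultdict

SCOPE_RE = re.compile(r"^set (?:(logical-systems|tenants) (\S+) )?(.*)$")

# Constructed sample: root has a packet-log host but no SSL profile; LS1
# references a profile that is only defined at root; LS2 is configured
# correctly (own profile, log suppression disabled).
SAMPLE_CONFIG = """\
set security idp sensor-configuration packet-log total-memory 5
set security idp sensor-configuration packet-log max-sessions 15
set security idp sensor-configuration packet-log source-address 10.56.97.3
set security idp sensor-configuration packet-log host 10.24.45.7
set security idp sensor-configuration packet-log host port 5
set services ssl initiation profile ssl3 trusted-ca all
set logical-systems LS1 security idp sensor-configuration packet-log host 10.24.45.7
set logical-systems LS1 security idp sensor-configuration packet-log ssl-profile-name ssl3
set logical-systems LS2 security idp sensor-configuration log suppression disable
set logical-systems LS2 security idp sensor-configuration packet-log host 10.24.45.7
set logical-systems LS2 security idp sensor-configuration packet-log ssl-profile-name ls2-pcap
set logical-systems LS2 services ssl initiation profile ls2-pcap trusted-ca all
"""


def _new_scope():
    return {"host": None, "ssl_profile": None,
            "ssl_profiles_defined": set(), "suppression_disabled": False}


def parse_config(text):
    """Group the statements we care about by scope ('root', 'logical-systems LS1', ...)."""
    scopes = defaultdict(_new_scope)
    for line in text.splitlines():
        m = SCOPE_RE.match(line.strip())
        if not m:
            continue
        kind, name, stmt = m.groups()
        scope = "%s %s" % (kind, name) if kind else "root"
        s = scopes[scope]
        w = stmt.split()
        if len(w) < 6:
            continue
        if w[:4] == ["security", "idp", "sensor-configuration", "packet-log"]:
            if w[4] == "host" and len(w) == 6:       # 'host <addr>', not 'host port <n>'
                s["host"] = w[5]
            elif w[4] == "ssl-profile-name":
                s["ssl_profile"] = w[5]
        elif w[:4] == ["security", "idp", "sensor-configuration", "log"]:
            if w[4:6] == ["suppression", "disable"]:
                s["suppression_disabled"] = True
        elif w[:4] == ["services", "ssl", "initiation", "profile"]:
            s["ssl_profiles_defined"].add(w[4])
    return scopes


def audit(scopes):
    """Return (scope, finding) tuples, sorted by scope name."""
    findings = []
    for scope, s in sorted(scopes.items()):
        if s["host"] is None:
            continue  # no off-box packet-log receiver in this scope
        if s["ssl_profile"] is None:
            findings.append((scope, "packet-log to %s is sent as plaintext UDP "
                                    "(no ssl-profile-name)" % s["host"]))
        elif s["ssl_profile"] not in s["ssl_profiles_defined"]:
            # Profiles are per logical/tenant system; root's are not inherited.
            findings.append((scope, "ssl-profile-name %s: Referenced SSL initiation "
                                    "profile is not defined in this scope" % s["ssl_profile"]))
        if not s["suppression_disabled"]:
            findings.append((scope, "IDP log suppression enabled: PCAPs may be skipped "
                                    "for repeated attacks matching one signature"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(parse_config(SAMPLE_CONFIG)):
        print("%-22s %s" % (scope, finding))
```

Run it against a real dump with show configuration | display set piped to a file; only the statements matched above are read, everything else is ignored.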
Verification
Confirm that the configuration is working properly.
Verifying Security Packet Capture
Purpose
Verify security packet capture.
Action
From operational mode, enter the show security idp counters packet-log command.
user@host> show security idp counters packet-log
IDP counters:                                                       Value
  Total packets captured since packet capture was activated         0
  Total sessions enabled since packet capture was activated         0
  Sessions currently enabled for packet capture                     0
  Packets currently captured for enabled sessions                   0
  Packet clone failures                                             0
  Session log object failures                                       0
  Session packet log object failures                                0
  Sessions skipped because session limit exceeded                   0
  Packets skipped because packet limit exceeded                     0
  Packets skipped because total memory limit exceeded               0
Example: Configure Packet Capture for Datapath Debugging
This example shows how to configure packet capture to monitor traffic that passes through the device. Packet capture then dumps the packets into a PCAP file format that can be later examined by the tcpdump utility.
Requirements
Before you begin, see Debugging the Data Path (CLI Procedure).
Overview
A filter is defined to select traffic; then an action profile is applied to the filtered traffic. The action profile specifies a variety of actions on the processing unit. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form to be read using the show security datapath-debug capture command.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix 1.2.3.4/32
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure packet capture:
Edit the security datapath-debug option for the multiple processing units along the packet-processing path:
[edit] user@host# edit security datapath-debug
Enable the capture file, the file format, the file size, and the number of files. Size number limits the size of the capture file. After the limit size is reached, if the file number is specified, then the capture file will be rotated to filename x, where x is auto-incremented until it reaches the specified index and then returns to zero. If no files index is specified, the packets will be discarded after the size limit is reached. The default size is 512 kilobytes.
[edit security datapath-debug] user@host# set capture-file my-capture format pcap size 1m files 5
[edit security datapath-debug] user@host# set maximum-capture-size 400
Enable action profile and set the event. Set the action profile as do-capture and the event type as np-ingress:
[edit security datapath-debug] user@host# edit action-profile do-capture
[edit security datapath-debug action-profile do-capture] user@host# edit event np-ingress
Enable packet dump for the action profile:
[edit security datapath-debug action-profile do-capture event np-ingress] user@host# set packet-dump
Enable packet filter, action, and filter options. The packet filter is set to my-filter, the action profile is set to do-capture, and filter option is set to source-prefix 1.2.3.4/32.
[edit security datapath-debug] user@host# set packet-filter my-filter action-profile do-capture
[edit security datapath-debug] user@host# set packet-filter my-filter source-prefix 1.2.3.4/32
Results
From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
security {
    datapath-debug {
        capture-file {
            my-capture format pcap size 1m files 5;
        }
        maximum-capture-size 400;
        action-profile do-capture {
            event np-ingress {
                packet-dump;
            }
        }
        packet-filter my-filter {
            source-prefix 1.2.3.4/32;
            action-profile do-capture;
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Packet Capture
- Verifying Data Path Debugging Capture
- Verifying Data Path Debugging Counter
Verifying Packet Capture
Purpose
Verify if the packet capture is working.
Action
From operational mode, enter the request security datapath-debug capture start command to start packet capture and enter the request security datapath-debug capture stop command to stop packet capture.
To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/my-capture. The result can be read by using the tcpdump utility.
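Both the on-box IDP captures in /var/log/pcap/idp/ and the datapath-debug capture file above are read offline with tcpdump. The following Python reader is an added example, not from the Junos documentation, that parses the classic pcap format directly and summarizes IPv4 TCP/UDP flows per 5-tuple, which is enough to confirm that a capture contains the session you expected before handing it to a full analyzer. It assumes classic pcap (magic 0xa1b2c3d4 in either byte order, not pcapng) with link type Ethernet (1) or raw IP (101); the capture it reads by default is constructed in memory, and passing a file path as the first argument reads a real file instead.

```python
"""Minimal classic-pcap reader that summarizes IPv4 TCP/UDP flows.

Added example, not Junos code. Handles magic 0xa1b2c3d4 in either byte
order and link types Ethernet (1) and raw IPv4 (101); pcapng is rejected.
"""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = 101


def iter_packets(data):
    """Yield (timestamp, packet_bytes, linktype) for each record in a pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
    _, _, _, _, _, _, linktype = struct.unpack(end + "IHHiIII", data[:24])
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        yield ts_sec + ts_usec / 1e6, pkt, linktype


def ipv4_tuple(pkt, linktype):
    """Return (src, dst, proto, sport, dport) or None if not IPv4."""
    if linktype == LINKTYPE_ETHERNET:
        if len(pkt) < 14 or pkt[12:14] != b"\x08\x00":
            return None
        ip = pkt[14:]
    elif linktype == LINKTYPE_RAW_IP:
        ip = pkt
    else:
        return None
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def summarize(data):
    """Count packets per IPv4 5-tuple; returns a Counter keyed by the tuple."""
    counts = Counter()
    for _, pkt, lt in iter_packets(data):
        t = ipv4_tuple(pkt, lt)
        if t:
            counts[t] += 1
    return counts


def build_sample_pcap(endian="<"):
    """Constructed capture: three TCP packets for the 4.0.0.1:44508 -> 6.0.0.2:80
    session used in the page's syslog example, plus one UDP packet."""
    def ipv4(src, dst, proto, l4):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                          bytes(int(x) for x in src.split(".")),
                          bytes(int(x) for x in dst.split(".")))
        return hdr + l4

    def tcp(sport, dport, flags):
        return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)

    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frames = [
        eth + ipv4("4.0.0.1", "6.0.0.2", 6, tcp(44508, 80, 0x02)),   # SYN
        eth + ipv4("4.0.0.1", "6.0.0.2", 6, tcp(44508, 80, 0x18)),   # PSH+ACK
        eth + ipv4("4.0.0.1", "6.0.0.2", 6, tcp(44508, 80, 0x11)),   # FIN+ACK
        eth + ipv4("4.0.0.1", "10.0.0.53", 17, udp(5353, 53, b"\x00" * 12)),
    ]
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(endian + "IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for tup, n in summarize(data).most_common():
        print("%5d  %s" % (n, tup))
```

The byte order is taken from the magic number rather than assumed, because captures written on a big-endian Routing Engine and copied to a little-endian workstation are still valid pcap.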
Verifying Data Path Debugging Capture
Purpose
Verify the details of data path debugging capture file.
Action
From operational mode, enter the show security datapath-debug capture command.
user@host> show security datapath-debug capture
When you are done troubleshooting, make sure to remove or deactivate all the traceoptions configurations (not limited to flow traceoptions) and the complete security datapath-debug configuration stanza. If any debugging configurations remain active, they will continue to use the device's CPU and memory resources.
Verifying Data Path Debugging Counter
Purpose
Verify the details of the data path debugging counter.
Action
From operational mode, enter the show security datapath-debug counter command.
IDP Security Packet Logging for Logical Systems and Tenant Systems
Starting in Junos OS Release 21.3R1, you can capture IDP security packet logs for logical systems and tenant systems. With packet capture enabled on your security device, you can also specify a number of post-attack or pre-attack packets to capture. After you configure packet capture on your security device, the device collects the captured information and stores it as a packet capture (.pcap) file at the logical systems and tenant systems level.
When you configure IDP security packet logs for logical systems and tenant systems, your configuration looks as the following sample:
IDP Packet Logging Sample Configuration
[edit logical-systems LSYS-1]
user@host# show
security {
    idp {
        sensor-configuration {
            packet-log {
                threshold-logging-interval 2;
                source-address 192.168.0.0;
                host {
                    172.16.0.0;
                    port 2050;
                }
            }
        }
    }
}
Route and Reachability
You can specify packet logging sensors at the logical systems and tenant systems level to store the captured packets on a destination device (PCAP receiver). To send and store the captured packets, you must add the IP address of the destination device in your logical systems and tenant systems configuration. Otherwise, the device uses the IP address of the device configured at the root logical systems and tenant systems level to send the captured packet. In this case, captured packets are not stored at the logical systems and tenant systems level.
If your root logical systems and tenant systems do not include the IP address of the destination device, the security device fails to send the captured packet to the destination.
You can use the show security idp counters packet-log logical-system <logical-system-name> command and check the Packet log host route lookup failures field to see the number of times the security device did not send captured packets because of missing route details.