IDP Utility for Packet Capture
The IDP utility for packet capture is a specialized tool on SRX Series Firewalls that captures, manages, and allows analysis of packet data related to IDP events.
The packet capture utility is used to analyze packet capture files that record network traffic. The IDP Utility allows network administrators to examine these packet capture files to identify potential security threats or anomalies within network traffic.
Use Feature Explorer to confirm platform and release support for specific features.
Review the Platform-Specific Packet Capture Behavior section for notes related to your platform.
Packet Capture
Packet capture in IDP on Juniper Networks SRX Series Firewalls is a feature that captures and analyzes network traffic to detect and prevent security threats.
CLI commands display and clear the protocol contexts, and their associated data, only for traffic generated by the packet capture feeder, which simplifies the IDP validation process.
You can run the packet capture feeder in either inet mode or transparent mode to generate protocol contexts. Run the pcapfeed command-line tool from the UNIX shell prompt (%).
The packet capture feeder uses a pair of source and destination IPv4 addresses taken from the PCAP together with the IPv4 addresses configured on the two traffic interfaces through which the packets are injected. Once the PCAP has been fed through these interfaces, the contexts associated with the PCAP are listed along with the data matched for each context. Contexts, hits, and associated data are displayed only for traffic generated by the packet capture feeder; live traffic statistics are not captured.

While feeding packets, feed them to an address in the interface subnet, not to the interface IP itself. If you feed packets to the interface IP, IDP security processing might not detect the contexts. Any other address in the interface subnet can be used.
Before you run new PCAPs through the packet capture feeder utility, clear the existing contexts and data by using the following operational-mode clear commands:
user@host> clear security idp attack context
user@host> clear security flow session interface <intf1>
user@host> clear security flow session interface <intf2>
user@host> clear security flow session idp
user@host> clear security idp attack table
Sample command used for inet mode packet capture feeder:
% pcapfeed --verbose --interface-ip1 5.0.0.13 --interface-ip2 15.0.0.14 --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Or
% pcapfeed --quiet --interface-ip1 5.0.0.13 --interface-ip2 15.0.0.14 --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Sample command used for transparent mode packet capture feeder:
% pcapfeed --verbose --transparent --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Or
% pcapfeed --quiet --transparent --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Table 1 describes the PCAP feeder fields used in the sample commands above.

| Field | Description |
|---|---|
| --quiet | Suppresses logs from appearing in the console |
| --verbose | Enables logs to appear in the console |
| --interface-ip1 | IP address of the first interface for feeding packet capture packets |
| --interface-ip2 | IP address of the other interface for feeding packet capture packets |
| --pcap-ip1 | IP address seen in the packet capture |
| --pcap-ip2 | Another IP address seen in the packet capture |
| --interface1 | Interface 1 in SRX Series Firewall |
| --interface2 | Interface 2 in SRX Series Firewall |
Packet capture feeder does not support:
IPv6
Multiple channel protocols such as FTP
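The limitations above (IPv4 only, no multi-channel protocols such as FTP, and a pcap-ip that must not be the interface IP) can be checked before a capture is fed. The following script is an added example, not part of the Juniper documentation or the pcapfeed tool; it parses a classic libpcap file (Ethernet link type assumed), flags IPv6 and FTP control traffic, checks that every IPv4 endpoint in the capture is covered by --pcap-ip1/--pcap-ip2, and rejects a pcap-ip equal to an interface IP. The sample capture is constructed in the script.

```python
"""Pre-flight checks for a PCAP before it goes to the SRX IDP packet capture feeder.
Added example, not part of the Juniper documentation or the pcapfeed tool. It checks the
stated limits: IPv4 only, no multi-channel protocols such as FTP, and a --pcap-ip must not
equal the feeding interface IP. Assumes a classic libpcap file with Ethernet frames."""
import ipaddress, struct

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
MULTI_CHANNEL_PORTS = {21}  # FTP control port; its data channel is negotiated separately

def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    endian = "<" if struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic libpcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def check_pcap(pcap, pcap_ip1, pcap_ip2, iface_ip1, iface_ip2):
    """Return the problems found; an empty list means the PCAP is safe to feed."""
    problems, endpoints = [], set()
    for frame in iter_frames(pcap):
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == ETHERTYPE_IPV6:
            problems.append("IPv6 packet present: the feeder supports IPv4 only")
            continue
        if ethertype != ETHERTYPE_IPV4:
            continue  # ARP and other non-IP frames produce no IDP contexts
        ip = frame[14:]
        endpoints.update(str(ipaddress.ip_address(ip[i:i + 4])) for i in (12, 16))
        if ip[9] == 6:  # TCP: flag control ports of multi-channel protocols
            hit = set(struct.unpack_from("!HH", ip, (ip[0] & 0x0F) * 4)) & MULTI_CHANNEL_PORTS
            if hit:
                problems.append(f"multi-channel protocol on TCP port {min(hit)} is not supported")
    stray = sorted(endpoints - {pcap_ip1, pcap_ip2})
    if stray:
        problems.append(f"IPv4 endpoints {stray} are not covered by --pcap-ip1/--pcap-ip2")
    for pcap_ip, iface_ip in ((pcap_ip1, iface_ip1), (pcap_ip2, iface_ip2)):
        if pcap_ip == iface_ip:
            problems.append(f"{pcap_ip} is the interface IP; use another address in its subnet")
    return problems

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for sample captures (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip

def build_pcap(frames):
    """Constructed little-endian classic libpcap file with DLT_EN10MB link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out
```

Run check_pcap() on the capture with the same --pcap-ip and --interface-ip values you intend to pass to pcapfeed; an empty result means none of the documented limitations is hit.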
Example: Configure Packet Capture Feeder
This example explains how to run the packet capture (PCAP) feeder in inet mode to generate protocol contexts.
Requirements
Before you begin:
Configure network interfaces.
Overview
This example runs the PCAP feeder against a relevant IDP policy to obtain the associated protocol contexts. The PCAPs are fed using pcap-ip1 6.0.0.1 and pcap-ip2 7.0.0.1 in quiet mode.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any
set security idp idp-policy idppolicy rulebase-ips rule 1 match source-address any
set security idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any
set security idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any
set security idp idp-policy idppolicy rulebase-ips rule 1 match application default
set security idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server
set security idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks
set security forwarding-options family inet6 mode flow-based
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust application-tracking
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.15/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.16/24
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Create a policy by assigning a meaningful name to it, associate a rulebase with the policy, add rules to the rulebase, and define match criteria for the rule.
[edit security]
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match source-address any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match application default
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks
user@host# set forwarding-options family inet6 mode flow-based
Configure policies.
[edit security]
user@host# set policies from-zone trust to-zone untrust policy 1 match source-address any
user@host# set policies from-zone trust to-zone untrust policy 1 match destination-address any
user@host# set policies from-zone trust to-zone untrust policy 1 match application any
user@host# set policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy
user@host# set policies from-zone untrust to-zone trust policy 1 match source-address any
user@host# set policies from-zone untrust to-zone trust policy 1 match destination-address any
user@host# set policies from-zone untrust to-zone trust policy 1 match application any
user@host# set policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
Configure zones and assign interfaces.
[edit security]
user@host# set zones security-zone untrust host-inbound-traffic system-services all
user@host# set zones security-zone untrust host-inbound-traffic protocols all
user@host# set zones security-zone untrust interfaces ge-0/0/0.0
user@host# set zones security-zone untrust application-tracking
user@host# set zones security-zone trust host-inbound-traffic system-services all
user@host# set zones security-zone trust host-inbound-traffic protocols all
user@host# set zones security-zone trust interfaces ge-0/0/2.0
Configure forwarding interfaces.
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.15/24
user@host# set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.16/24
Results
From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy idppolicy {
    rulebase-ips {
        rule 1 {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
            }
            then {
                action {
                    close-client-and-server;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp-policy idppolicy;
                }
            }
        }
    }
}
[edit]
user@host# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
    application-tracking;
}
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.0.0.15/24;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 10.0.0.16/24;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verify the Configuration
Purpose
Verify the IDP attack context after you run the PCAPs using the PCAP feeder tool.
Action
From operational mode, enter the show security idp attack context command.
Sample Output
user@host> show security idp attack context
IDP context statistics:
Context name             #Hits  #Data
http-url                 1      /
http-get-url             1      /
http-header-host         1      7.0.0.1
http-header-user-agent   1      lwp-request/5.827 libwww-perl/5.833
http-header              2      te: deflate,gzip;q=0.3 && connection: TE, close
http-request             1      GET / HTTP/1.1
http-request-method      1      GET / HTTP/1.1
Example: Configure Packet Capture Feeder in Transparent Mode
This example explains how to run the packet capture (PCAP) feeder in transparent mode to generate protocol contexts.
Requirements
Before you begin:
Configure network interfaces.
Overview
This example runs the PCAP feeder against a relevant IDP policy to obtain the protocol contexts from the packets in the capture. In this example, the PCAP feeder is run in quiet mode with pcap-ip2 7.0.0.1 to feed the packets.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set groups global protocols l2-learning global-mode transparent-bridge
set security idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any
set security idp idp-policy idppolicy rulebase-ips rule 1 match source-address any
set security idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any
set security idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any
set security idp idp-policy idppolicy rulebase-ips rule 1 match application default
set security idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server
set security idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks
set security policies from-zone trust to-zone untrust policy 1 match source-address any
set security policies from-zone trust to-zone untrust policy 1 match destination-address any
set security policies from-zone trust to-zone untrust policy 1 match application any
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy
set security policies from-zone untrust to-zone trust policy 1 match source-address any
set security policies from-zone untrust to-zone trust policy 1 match destination-address any
set security policies from-zone untrust to-zone trust policy 1 match application any
set security policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust application-tracking
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 301
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 301
set interfaces irb unit 301 family inet address 10.1.1.11/8
set vlans bd-vlan-301 vlan-id 301
set vlans bd-vlan-301 l3-interface irb.301
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Set the configuration group.
[edit]
user@host# set groups global protocols l2-learning global-mode transparent-bridge
Create a policy by assigning a meaningful name to it, associate a rulebase with the policy, add rules to the rulebase, and define match criteria for the rule.
[edit security]
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match source-address any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match application default
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server
user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks
user@host# set forwarding-options family inet6 mode flow-based
Configure policies.
[edit security]
user@host# set policies from-zone trust to-zone untrust policy 1 match source-address any
user@host# set policies from-zone trust to-zone untrust policy 1 match destination-address any
user@host# set policies from-zone trust to-zone untrust policy 1 match application any
user@host# set policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy
user@host# set policies from-zone untrust to-zone trust policy 1 match source-address any
user@host# set policies from-zone untrust to-zone trust policy 1 match destination-address any
user@host# set policies from-zone untrust to-zone trust policy 1 match application any
user@host# set policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
Configure zones and assign interfaces.
[edit security]
user@host# set zones security-zone untrust host-inbound-traffic system-services all
user@host# set zones security-zone untrust host-inbound-traffic protocols all
user@host# set zones security-zone untrust interfaces ge-0/0/0.0
user@host# set zones security-zone untrust application-tracking
user@host# set zones security-zone trust host-inbound-traffic system-services all
user@host# set zones security-zone trust host-inbound-traffic protocols all
user@host# set zones security-zone trust interfaces ge-0/0/2.0
Configure forwarding interfaces.
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 301
user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 301
user@host# set interfaces irb unit 301 family inet address 10.1.1.11/8
Configure VLAN-ID.
[edit]
user@host# set vlans bd-vlan-301 vlan-id 301
user@host# set vlans bd-vlan-301 l3-interface irb.301
Results
From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy idppolicy {
    rulebase-ips {
        rule 1 {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
            }
            then {
                action {
                    close-client-and-server;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
[edit]
user@host# show security policies
from-zone untrust to-zone trust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp-policy idppolicy;
                }
            }
        }
    }
}
default-policy {
    permit-all;
}
[edit]
user@host# show security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/0.0;
        ge-0/0/2.0;
    }
    advance-policy-based-routing-profile {
        p1;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        ge-0/0/1.0;
        ge-0/0/2.0;
        ge-0/0/3.0;
        ge-0/0/0.0;
    }
    application-tracking;
}
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 14.0.0.1/24;
        }
        family ethernet-switching {
            interface-mode access;
            vlan {
                members 301;
            }
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 192.0.3.1/24;
        }
        family ethernet-switching {
            interface-mode access;
            vlan {
                members 301;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verify the Configuration
Purpose
Verify the IDP attack context after you run the PCAPs using the PCAP feeder tool.
Action
From operational mode, enter the show security idp attack context command.
Sample Output
user@host> show security idp attack context
IDP context statistics:
Context name             #Hits  #Data
http-url                 1      /
http-get-url             1      /
http-header-host         1      7.0.0.1
http-header-user-agent   1      lwp-request/5.827 libwww-perl/5.833
http-header              2      te: deflate,gzip;q=0.3 && connection: TE, close
http-request             1      GET / HTTP/1.1
http-request-method      1      GET / HTTP/1.1
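The verification step in both examples (inet and transparent mode) is the same: run the PCAP and read the contexts from show security idp attack context. The following script is an added example, not part of the Juniper documentation; it parses that output in the layout shown above and compares it with a baseline of expected contexts and hit counts, so that a change in what the same PCAP triggers (after a policy or signature-package change) is reported rather than read off by eye. The sample output is taken from this page; the baseline dictionary is constructed for the example.

```python
"""Compare the IDP contexts a PCAP run produced with a known-good baseline.

Added example, not from the Juniper documentation. parse_contexts() reads the text
printed by 'show security idp attack context' in the layout shown on this page;
compare() reports contexts that are missing, unexpected, or have a different hit
count than the baseline recorded from an earlier run of the same PCAP.
"""
import re

# Constructed from the sample output on this page; in practice capture the CLI output.
SAMPLE_OUTPUT = """\
IDP context statistics:
Context name             #Hits  #Data
http-url                 1      /
http-get-url             1      /
http-header-host         1      7.0.0.1
http-header-user-agent   1      lwp-request/5.827 libwww-perl/5.833
http-header              2      te: deflate,gzip;q=0.3 && connection: TE, close
http-request             1      GET / HTTP/1.1
http-request-method      1      GET / HTTP/1.1
"""

# context name, hit count, then the data column; several data values are joined by ' && '
LINE_RE = re.compile(r"^(?P<name>[a-z][a-z0-9-]*)\s+(?P<hits>\d+)\s+(?P<data>.*?)\s*$")

def parse_contexts(output: str) -> dict:
    """Map context name -> (hits, [data values]); the banner and header lines are skipped."""
    contexts = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            contexts[m["name"]] = (int(m["hits"]), m["data"].split(" && "))
    return contexts

def compare(baseline: dict, observed: dict) -> dict:
    """Diff a baseline {context: expected hits} against parsed output."""
    diff = {"missing": [], "hit_mismatch": [], "unexpected": []}
    for name, hits in baseline.items():
        if name not in observed:
            diff["missing"].append(name)
        elif observed[name][0] != hits:
            diff["hit_mismatch"].append((name, hits, observed[name][0]))
    diff["unexpected"] = sorted(set(observed) - set(baseline))
    return diff

# Constructed baseline matching the sample output: the contexts http.pcap should trigger.
BASELINE = {"http-url": 1, "http-get-url": 1, "http-header-host": 1,
            "http-header-user-agent": 1, "http-header": 2,
            "http-request": 1, "http-request-method": 1}
```

Record BASELINE once from a run you have inspected, then re-run compare() after every policy or signature update; an all-empty result means the PCAP still produces exactly the contexts it did before.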
Platform-Specific Packet Capture Behavior
Use Feature Explorer to confirm platform and release support for specific features.
Use the following table to review platform-specific behaviors for your platform.
| Platform | Difference |
|---|---|
| SRX Series Firewalls | SRX300, SRX320, SRX340, and SRX345 Firewalls that support Packet Capture support the |