Juniper SRX IPS/IDP Example

IPS/IDP - SSH brute-force and DNS amplification filtering

DNS is only used to show how it could be done. There should be a better option to filter it, so I don't prefer this for production use.

A license is not needed for such filtering.

[edit security idp]
drixter@srx210# show
idp-policy base-idp {
    rulebase-ips {
        rule ssh {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application junos-ssh;
                attacks {
                    custom-attacks ssh-brute-force;
                }
            }
            then {
                action {
                    close-client-and-server;
                }
                ip-action {
                    ip-close;
                    target source-address;
                    log;
                    timeout 300;
                }
                notification {
                    log-attacks;
                }
                severity major;
            }
        }
        rule dns-udp {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application junos-dns-udp;
                attacks {
                    custom-attack-groups dns-amplification;
                }
            }
            then {
                action {
                    close-client-and-server;
                }
                ip-action {
                    ip-close;
                    target source-address;
                    timeout 60;
                }
                notification {
                    log-attacks;
                }
                severity minor;
            }
        }
        rule dns-tcp {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application junos-dns-tcp;
                attacks {
                    custom-attack-groups dns-amplification;
                }
            }
            then {
                action {
                    close-client-and-server;
                }
                ip-action {
                    ip-close;
                    target source-address;
                    timeout 60;
                }
                notification {
                    log-attacks;
                }
                severity minor;
            }
        }
    }
}
active-policy base-idp;
custom-attack ssh-brute-force {
    recommended-action close;
    severity major;
    time-binding {
        count 5;
        scope source;
    }
    attack-type {
        signature {
            context first-packet;
            pattern .*;
            direction any;
            protocol {
                tcp {
                    destination-port {
                        match equal;
                        value 22;
                    }
                }
            }
        }
    }
}
custom-attack dns-amplification-1 {
    recommended-action drop;
    severity minor;
    time-binding {
        count 5;
        scope destination;
    }
    attack-type {
        signature {
            context dns-type-name;
            pattern ".*\[\379zc.com\].*";
            direction any;
        }
    }
}
custom-attack dns-amplification-2 {
    recommended-action drop;
    severity minor;
    time-binding {
        count 5;
        scope destination;
    }
    attack-type {
        signature {
            context dns-type-name;
            pattern ".*\[\pkts.asia\].*";
            direction any;
        }
    }
}
custom-attack-group dns-amplification {
    group-members [ dns-amplification-1 dns-amplification-2 ];
}

[edit security idp]
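The two custom attacks above rely on `time-binding` (count 5, scope source for SSH, scope destination for DNS) and on an `ip-action ip-close` that targets the source address for 300 or 60 seconds. The following is an added Python model of that counting and blocking logic, not Juniper code or anything from this page; the 60-second counting window and all IP addresses are assumptions, and the DNS scenario shows why `target source-address` combined with `scope destination` only ever blocks the last source seen.

```python
from collections import defaultdict, deque

WINDOW = 60  # assumed time-binding counting window, in seconds


class TimeBoundSignature:
    """Models a custom-attack with time-binding plus an ip-action on the source."""

    def __init__(self, count, scope, ip_action_timeout):
        self.count, self.scope, self.timeout = count, scope, ip_action_timeout
        self.hits = defaultdict(deque)  # source or destination -> match timestamps
        self.blocked = {}               # source -> expiry of its ip-close entry

    def observe(self, ts, src, dst):
        """Feed one packet that matched the signature; return the verdict."""
        if ts < self.blocked.get(src, -1):
            return "blocked"            # ip-action ip-close still active for src
        key = src if self.scope == "source" else dst
        q = self.hits[key]
        q.append(ts)
        while ts - q[0] > WINDOW:       # forget matches outside the window
            q.popleft()
        if len(q) >= self.count:        # count N reached -> the attack fires
            q.clear()
            self.blocked[src] = ts + self.timeout
            return "attack"
        return "allow"


def run_ssh_scenario():
    # constructed: one client opens six SSH sessions two seconds apart,
    # then tries again at 200 s (inside the 300 s ip-close) and at 400 s
    ssh = TimeBoundSignature(count=5, scope="source", ip_action_timeout=300)
    times = [0, 2, 4, 6, 8, 10, 200, 400]
    return [ssh.observe(t, "198.51.100.7", "192.0.2.10") for t in times]


def run_dns_scenario():
    # constructed: six different (e.g. spoofed) sources query the same resolver;
    # scope destination counts them together, scope source would never reach 5
    dns = TimeBoundSignature(count=5, scope="destination", ip_action_timeout=60)
    srcs = ["203.0.113.%d" % i for i in range(1, 7)]
    return [dns.observe(t, s, "192.0.2.53") for t, s in enumerate(srcs)]


if __name__ == "__main__":
    print(run_ssh_scenario())
    print(run_dns_scenario())
```

In the DNS run only the fifth source is put under ip-close; the sixth source is allowed again because the counter was reset and its address was never blocked, which is the weakness the note at the top of this page alludes to.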

Policy - SSH brute-force and DNS amplification filtering

Below is a security policy example that enables the IDP application service for the SSH and DNS traffic matched above:

[edit security policies from-zone Internet to-zone DMZ]
drixter@srx210# show
policy SSH {
    description "SSH Brute Force";
    match {
        source-address any;
        destination-address any;
        application junos-ssh;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
    }
}
policy DNS {
    description "DNS Amplification Attack";
    match {
        source-address any;
        destination-address any;
        application [ junos-dns-tcp junos-dns-udp ];
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
    }
}
page/idp.txt · Last modified: 2013/10/26 20:05 by drixter