
Understanding How the Integrated ClearPass Feature Detects Threats and Attacks and Notifies the CPPM

The integrated ClearPass authentication and enforcement feature allows you to integrate your SRX Series device with the ClearPass Policy Manager (CPPM) to obtain authenticated user identity information. It also allows the SRX Series device to send attack and threat logs to the CPPM. This topic focuses on sending attack and threat logs to the CPPM.

When an SRX Series device feature detects a threat or attack event, the event is recorded in the SRX Series device event log. The SRX Series device uses syslog to forward these logs to the CPPM. The CPPM can evaluate the logs and take action based on matching conditions. As the ClearPass administrator, you can use the information from the SRX Series device to define appropriate actions on the CPPM and harden your security.

Junos OS on the SRX Series device generates over 100 different types of log entries issued by more than 10 of its modules. Among the SRX Series device features that generate threat and attack logs are SCREENS, IDP, and UTM. To avoid overburdening the SRX Series device and the log server, the integrated ClearPass feature allows you to configure the SRX Series device to send to the CPPM only attack and threat log entries that were written to the event log in response to activity detected by the SCREENS, IDP, and UTM security features.

You can set the following conditions to control the log transmission:

  • A log stream filter to ensure that only threat and attack logs are sent.
  • A rate limiter to control the transmission volume. The SRX Series device log transmission will not exceed the rate-limiting conditions that you set.

For the CPPM to analyze the log information that the SRX Series device sends to it, the content must be formatted in a standard, structured manner. The SRX Series log transmission follows the syslog protocol, whose message format allows vendor-specific extensions to be provided in a structured way.

Here is an example of an attack log generated by IDP:

<14>1 2014-07-24T13:16:58.362+08:00 bjsolar RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.86 epoch-time="1421996988" message-type="SIG" source-address="4.0.0.1" source-port="32796" destination-address="5.0.0.1" destination-port="21" protocol-name="TCP" service-name="SERVICE_IDP" application-name="NONE" rule-name="1" rulebase-name="IPS" policy-name="idpengine" export-id="4641" repeat-count="0" action="NONE" threat-severity="MEDIUM" attack-name="FTP:USER:ROOT" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="untrust" source-interface-name="ge-0/0/1.0" destination-zone-name="trust" destination-interface-name="ge-0/0/7.0" packet-log-id="0" alert="no" username="N/A" roles="N/A" message="-"]

Table 4 uses the content of this example IDP attack log to identify the parts of an attack log entry. See SRX Series Threat and Attack Logs Sent to Aruba ClearPass for further details on types of attack and threat logs.

Table 4: Attack Log Fields Using Example Log

Each entry below lists the log entry component, followed by its meaning, its format, and the value taken from the example log.

Priority
  Meaning: pri = LOG_USER + severity. The version is always 1.
  Format: pri version
  Example: <14>1

Time and Time Zone
  Meaning: When the log was recorded and in what time zone.
  Format: y-m-dTh:m:s.ms+time zone
    • y = year
    • m = month
    • d = day
    • T+hours
  Example: 2014-07-24T13:16:58.362+08:00

Device/Host Name
  Meaning: Name of the device from which the event log was sent. This value is configured by the user.
  Format: string, hostname
  Example: bjsolar

Service Name
  Meaning: SRX Series feature that issued the event log.
  Format: string, service
  Example: SERVICE_IDP

Application Name
  Meaning: Application that generated the log entry.
  Format: string, application-name
  Example: NONE

PID
  Meaning: Process ID. The process ID is not meaningful in this context, so pid is replaced by “-”, which serves as a placeholder.
  Format: pid
  Example: -

Errmsg Tag
  Meaning: Log ID name (error message tag).
  Format: string, log-name and tag
  Example: IDP_ATTACK_LOG_EVENT

Errmsg Tag Square Bracket
  Meaning: Log content enclosed in square brackets.
  Format: [ ]
  Example: -

OID
  Meaning: Product ID provided by the chassis daemon (chassisd).
  Format: junos@oid
  Example: junos@2636.1.1.1.2.86

Epoch Time
  Meaning: The time when the log was generated, counted from the epoch.
  Format: number
  Example: 1421996988
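To show how a receiver such as the CPPM can pick apart a message of this shape, and how the two transmission controls described earlier (the log stream filter and the rate limiter) behave, here is an added Python example. It is not Juniper or Aruba ClearPass code. It parses the header fields from Table 4 and the bracketed parameters of the IDP attack log quoted above, keeps only entries whose syslog application name belongs to a threat-detecting feature, and applies a sliding-window limiter. Assumptions: the RT_IDP tag is taken from the page, but RT_SCREEN and RT_UTM are assumed tag names for the SCREENS and UTM features; the RT_FLOW session line is a constructed non-threat entry; and the sliding-window limiter illustrates the rate-limiting condition rather than reproducing the SRX implementation.

```python
"""Parse SRX syslog threat logs (RFC 5424 style), keep only threat/attack
entries, and rate-limit what would be forwarded to the CPPM.
Added example for this page; not Juniper or Aruba ClearPass code."""
import re
from collections import deque

# Constructed sample input. IDP_LOG is the IDP attack log quoted on this page;
# FLOW_LOG is an assumed non-threat session log used to show the filter.
IDP_LOG = (
    '<14>1 2014-07-24T13:16:58.362+08:00 bjsolar RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.86 epoch-time="1421996988" message-type="SIG" '
    'source-address="4.0.0.1" source-port="32796" destination-address="5.0.0.1" '
    'destination-port="21" protocol-name="TCP" service-name="SERVICE_IDP" '
    'application-name="NONE" rule-name="1" rulebase-name="IPS" '
    'policy-name="idpengine" export-id="4641" repeat-count="0" action="NONE" '
    'threat-severity="MEDIUM" attack-name="FTP:USER:ROOT" '
    'nat-source-address="0.0.0.0" nat-source-port="0" '
    'nat-destination-address="0.0.0.0" nat-destination-port="0" '
    'elapsed-time="0" inbound-bytes="0" outbound-bytes="0" '
    'inbound-packets="0" outbound-packets="0" source-zone-name="untrust" '
    'source-interface-name="ge-0/0/1.0" destination-zone-name="trust" '
    'destination-interface-name="ge-0/0/7.0" packet-log-id="0" alert="no" '
    'username="N/A" roles="N/A" message="-"]'
)
FLOW_LOG = (
    '<14>1 2014-07-24T13:17:02.001+08:00 bjsolar RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.86 reason="TCP FIN" source-address="4.0.0.1"]'
)

# Header layout from Table 4: <pri>version timestamp hostname app-name
# procid msgid [sd-id param="value" ...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
    r'\[(?P<sd_id>[^\s\]]+)(?P<params>[^\]]*)\]\s*$'
)
PARAM_RE = re.compile(r'([^\s="]+)="([^"]*)"')

# Syslog app-names of features that produce threat/attack logs. RT_IDP is on
# the page; RT_SCREEN and RT_UTM are ASSUMED names for SCREENS and UTM and
# should be confirmed against your own device's logs.
THREAT_APPS = {"RT_IDP", "RT_SCREEN", "RT_UTM"}


def parse_srx_log(line):
    """Split one line into header fields and structured-data parameters.
    pri = facility * 8 + severity, so <14> is LOG_USER (8) + info (6)."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 style SRX log line")
    pri = int(m.group("pri"))
    return {
        "pri": pri,
        "facility": pri >> 3,
        "severity": pri & 7,
        "version": int(m.group("version")),
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app_name": m.group("app_name"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "sd_id": m.group("sd_id"),
        "params": dict(PARAM_RE.findall(m.group("params"))),
    }


def is_threat_log(entry, threat_apps=THREAT_APPS):
    """Log stream filter: keep only entries from a threat-detecting feature."""
    return entry["app_name"] in threat_apps


class RateLimiter:
    """Sliding-window limiter: at most max_events per window_seconds."""

    def __init__(self, max_events, window_seconds):
        self.max_events = max_events
        self.window = window_seconds
        self.sent = deque()  # send times still inside the window

    def allow(self, now):
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) >= self.max_events:
            return False
        self.sent.append(now)
        return True


def select_for_cppm(timed_lines, limiter):
    """Apply the filter, then the rate limit; return entries to forward."""
    forwarded = []
    for now, line in timed_lines:
        try:
            entry = parse_srx_log(line)
        except ValueError:
            continue  # malformed line: never forwarded
        if is_threat_log(entry) and limiter.allow(now):
            forwarded.append(entry)
    return forwarded


if __name__ == "__main__":
    entry = parse_srx_log(IDP_LOG)
    print(entry["hostname"], entry["msgid"], entry["params"]["attack-name"])
    chosen = select_for_cppm(
        [(0.0, IDP_LOG), (1.0, FLOW_LOG), (2.0, IDP_LOG), (3.0, IDP_LOG)],
        RateLimiter(max_events=2, window_seconds=60),
    )
    print(len(chosen), "entries would be forwarded")
```

In the sample run the RT_FLOW line is dropped by the filter and the third IDP entry by the limiter, so two of the four lines would reach the CPPM. Malformed lines are skipped rather than forwarded, which is the safer default when a downstream policy engine acts on field values.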


Modified: 2016-05-01