    Verifying the Signature Database

    Verifying the IDP Policy Compilation and Load Status

    Purpose

    Display the IDP log files to verify the IDP policy load and compilation status. When activating an IDP policy, you can view the IDP logs and verify if the policy is loaded and compiled successfully.

    Action

    To track the load and compilation progress of an IDP policy, configure either one or both of the following in the CLI:

    • You can configure a log file, which will be located in /var/log/, and set trace option flags to record these operations:
      user@host# set security idp traceoptions file idpd
      user@host# set security idp traceoptions flag all
    • You can configure your device to log system log messages to a file in the /var/log directory:
      user@host# set system syslog file messages any any

    After committing the configuration in the CLI, start the UNIX-level shell and enter either of the following commands at the shell prompt: tail -f /var/log/idpd (for the trace log) or tail -f /var/log/messages (for the system log).

    Sample Output

    user@host> start shell
    user@host% tail -f /var/log/idpd
    Aug 3 15:46:42 chiron clear-log[2655]: logfile cleared 
    Aug  3 15:47:12 idpd_config_read: called: check: 0
    Aug  3 15:47:12 idpd commit in progres ...
    Aug  3 15:47:13 Entering enable processing.
    Aug  3 15:47:13 Enable value (default)
    Aug  3 15:47:13 IDP processing default.
    Aug  3 15:47:13 idp config knob set to (2)
    Aug  3 15:47:13 Warning: active policy configured but no application package installed, attack may not be detected!
    Aug  3 15:47:13 idpd_need_policy_compile:480 Active policy path /var/db/idpd/sets/idpengine.set
    Aug  3 15:47:13 Active Policy (idpengine) rule base configuration is changed so need to recompile active policy 
    Aug  3 15:47:13 Compiling policy idpengine....
    Aug  3 15:47:13 Apply policy configuration, policy ops bitmask = 41
    Aug  3 15:47:13 Starting policy(idpengine) compile with compress dfa...
    Aug  3 15:47:35 policy compilation memory estimate: 82040
    Aug  3 15:47:35 ...Passed
    Aug  3 15:47:35 Starting policy package...
    Aug  3 15:47:36 ...Policy Packaging Passed
    Aug  3 15:47:36 [get_secupdate_cb_status] state = 0x1
    Aug  3 15:47:36 idpd_policy_apply_config idpd_policy_set_config() 
    Aug  3 15:47:36 Reading sensor config...
    Aug  3 15:47:36 sensor/idp node does not exist, apply defaults
    Aug  3 15:47:36 sensor conf saved
    Aug  3 15:47:36 idpd_dev_add_ipc_connection called...
    Aug  3 15:47:36 idpd_dev_add_ipc_connection: done.
    Aug  3 15:47:36 idpd_policy_apply_config: IDP state (2) being set
    Aug  3 15:47:36 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:36 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:36 Apply policy configuration, policy ops bitmask = 4
    Aug  3 15:47:36 Starting policy load...
    Aug  3 15:47:36 Loading policy(/var/db/idpd/bins/idpengine.bin.gz.v + /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v + /var/db/idpd/bins/compressed_ai.bin)...
    Aug  3 15:47:36 idpd_dev_add_ipc_connection called...
    Aug  3 15:47:36 idpd_dev_add_ipc_connection: done.
    Aug  3 15:47:37 idpd_policy_load: creating temp tar directory '/var/db/idpd//bins/52b58e5'
    Aug  3 15:47:37 sc_policy_unpack_tgz: running addver cmd '/usr/bin/addver -r /var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v /var/db/idpd//bins/52b58e5/__temp.tgz > /var/log/idpd.addver'
    Aug  3 15:47:38 sc_policy_unpack_tgz: running tar cmd '/usr/bin/tar -C /var/db/idpd//bins/52b58e5 -xzf /var/db/idpd//bins/52b58e5/__temp.tgz'
    Aug  3 15:47:40 idpd_policy_load: running cp cmd 'cp /var/db/idpd//bins/52b58e5/detector4.so /var/db/idpd//bins/detector.so'
    Aug  3 15:47:43 idpd_policy_load: running chmod cmd 'chmod 755 /var/db/idpd//bins/detector.so'
    Aug  3 15:47:44 idpd_policy_load: running rm cmd 'rm -fr /var/db/idpd//bins/52b58e5'
    Aug  3 15:47:45 idpd_policy_load: detector version: 10.3.160100209
    Aug  3 15:47:45 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:45 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:45 idp_policy_loader_command: sc_klibs_subs_policy_pre_compile() returned 0 (EOK)
    Aug  3 15:47:45 idpd_policy_load: IDP_LOADER_POLICY_PRE_COMPILE returned EAGAIN, retrying... after (5) secs
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idp_policy_loader_command: sc_klibs_subs_policy_pre_compile() returned 0 (EOK)
    Aug  3 15:47:50 idpd_policy_load: idp policy parser pre compile succeeded, after (1) retries
    Aug  3 15:47:50 idpd_policy_load: policy parser compile  subs s0 name /var/db/idpd/bins/idpengine.bin.gz.v.1 buf 0x0 size 0zones 0xee34c7 z_size 136 detector /var/db/idpd//bins/detector.so ai_buf 0x0 ai_size 0 ai /var/db/idpd/bins/compressed_ai.bin
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_policy_load: idp policy parser compile succeeded
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_policy_load: idp policy pre-install succeeded
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_policy_load: idp policy install succeeded
    Aug  3 15:47:50 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:50 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:50 idpd_policy_load: idp policy post-install succeeded
    Aug  3 15:47:51 IDP policy[/var/db/idpd/bins/idpengine.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
    Aug  3 15:47:51 Applying sensor configuration
    Aug  3 15:47:51 idpd_dev_add_ipc_connection called...
    Aug  3 15:47:51 idpd_dev_add_ipc_connection: done.
    Aug  3 15:47:51 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:51 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:51 idpd_comm_server_get_event:545: evGetNext got event.
    Aug  3 15:47:51 idpd_comm_server_get_event:553: evDispatch OK
    Aug  3 15:47:51 
    ...idpd commit end
    Aug  3 15:47:51 Returning from commit mode, status = 0.
    Aug  3 15:47:51 [get_secupdate_cb_status] state = 0x1
    Aug  3 15:47:51 Got signal SIGCHLD....
    

    Sample Output

    user@host> start shell
    user@host% tail -f /var/log/messages
    Aug  3 15:46:56  chiron mgd[2444]: UI_COMMIT_PROGRESS: Commit operation in progress: no commit script changes
    Aug  3 15:46:56  chiron mgd[2444]: UI_COMMIT_PROGRESS: Commit operation in progress: no transient commit script changes
    Aug  3 15:46:56  chiron mgd[2444]: UI_COMMIT_PROGRESS: Commit operation in progress: finished loading commit script changes
    Aug  3 15:46:56  chiron mgd[2444]: UI_COMMIT_PROGRESS: Commit operation in progress: exporting juniper.conf
    .....
    Aug  3 15:47:51  chiron idpd[2678]: IDP_POLICY_LOAD_SUCCEEDED: IDP policy[/var/db/idpd/bins/idpengine.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully(Regular load).
    Aug  3 15:47:51  chiron idpd[2678]: IDP_COMMIT_COMPLETED: IDP policy commit is complete.
    ......
    Aug  3 15:47:51  chiron chiron sc_set_flow_max_sessions: max sessions set 16384 
    

    Meaning

    Displays log messages showing the procedures that run in the background after you commit the set security idp active-policy command. This sample output shows that the policy compilation, sensor configuration, and policy load are successful.
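
    The check described above can be scripted. This is an added example, not Juniper's code: it reads an idpd trace log and reports, for the last commit recorded in it, whether the compile, packaging, load, and commit-status markers from the sample output are present. The function names and the one-line summary format are assumptions; only strings that appear in the sample output are matched.

```shell
#!/bin/sh
# Added example: summarize the most recent commit in an idpd trace log.
# Only success markers shown in the sample output are matched; a stage whose
# marker never appears is reported as "missing", not guessed at.
idp_commit_summary() {            # usage: idp_commit_summary [logfile]
    awk '
    /idpd commit in progres/ {    # start of a commit: reset per-commit state
        compile = pkg = load = "missing"; status = "none"
        warn = retry = 0; seen = 1
    }
    !seen { next }                # ignore lines before the first commit
    / \.\.\.Passed *$/                    { compile = "ok" }
    /\.\.\.Policy Packaging Passed/       { pkg = "ok" }
    /IDP policy\[.*\] and detector\[.*\] loaded successfully/ { load = "ok" }
    / Warning: /                          { warn++ }
    /returned EAGAIN, retrying/           { retry++ }
    /Returning from commit mode, status = / {
        status = $NF; sub(/\.$/, "", status)
    }
    END {
        if (!seen) { print "no idpd commit found"; exit 2 }
        printf "compile=%s package=%s load=%s commit_status=%s warnings=%d eagain_retries=%d\n",
            compile, pkg, load, status, warn, retry
        exit !(compile == "ok" && pkg == "ok" && load == "ok" && status == "0")
    }' "${1:--}"
}

# Constructed sample: eight lines abbreviated from the sample output above.
sample_idpd_log() {
    cat <<'EOF'
Aug  3 15:47:12 idpd commit in progres ...
Aug  3 15:47:13 Warning: active policy configured but no application package installed, attack may not be detected!
Aug  3 15:47:13 Starting policy(idpengine) compile with compress dfa...
Aug  3 15:47:35 ...Passed
Aug  3 15:47:36 ...Policy Packaging Passed
Aug  3 15:47:45 idpd_policy_load: IDP_LOADER_POLICY_PRE_COMPILE returned EAGAIN, retrying... after (5) secs
Aug  3 15:47:51 IDP policy[/var/db/idpd/bins/idpengine.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
Aug  3 15:47:51 Returning from commit mode, status = 0.
EOF
}

sample_idpd_log | idp_commit_summary
```

    The function returns 0 only when all three stage markers are present and the commit status is 0. Warnings and EAGAIN retries are counted but do not fail the check, which matches the sample output: it contains both and is still a successful load.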

    Verifying the IDP Signature Database Version

    Purpose

    Display the signature database version.

    Action

    From the operational mode in the CLI, enter show security idp security-package-version.

    Sample Output

    user@host> show security idp security-package-version
    Attack database version:31(Wed Apr 16 15:53:46 2008)
      Detector version :9.1.140080400
      Policy template version :N/A
    

    Meaning

    The output displays the version numbers for the signature database, protocol detector, and the policy template on the IDP-enabled device. Verify the following information:

    • Attack database version—On April 16, 2008, the version of the signature database active on the device is 31.
    • Detector version—Displays the version number of the IDP protocol detector currently running on the device.
    • Policy template version—Displays the version of the policy template that is installed in the /var/db/scripts/commit directory when you run the request security idp security-package install policy-templates configuration statement in the CLI.

    For a complete description of show security idp security-package-version output, see the Junos OS CLI Reference.

    Published: 2012-06-29