Step 2: Up and Running
Activate a Predefined Policy Template
Let’s activate the predefined policy template named Recommended.
- Set the default policy to Recommended.

  [edit]
  user@host# set security idp default-policy Recommended

- Confirm that the Recommended policy is now the default on your device.

  [edit]
  user@host# show security idp default-policy
  default-policy Recommended;
Enable an IDP Action in a Policy
You can configure attack objects and attack groups as match conditions in IDP policy rules. In this example we create a policy rule that matches the predefined attack group "HTTP - Critical" for HTTP traffic flowing from the untrust zone to the trust zone. An attack group is a named set of attack objects; the zones, the application, and the action come from the rule, not from the group. When the rule is active, IDP inspects the matching traffic for every attack in "HTTP - Critical" and takes the action configured in the rule. The action recommended used below means the action Juniper Networks recommends for each matched attack object, which for critical attacks is typically to drop the traffic. The rule also logs each match (notification log-attacks) so that hits are visible in the attack table and in the syslog.

- Create an IDP policy named http with one rule in the IPS rulebase.

  [edit]
  user@host# set security idp idp-policy http rulebase-ips rule 1 match from-zone untrust
  user@host# set security idp idp-policy http rulebase-ips rule 1 match to-zone trust
  user@host# set security idp idp-policy http rulebase-ips rule 1 match application junos-http
  user@host# set security idp idp-policy http rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - Critical"
  user@host# set security idp idp-policy http rulebase-ips rule 1 then action recommended
  user@host# set security idp idp-policy http rulebase-ips rule 1 then notification log-attacks

- Commit the changes.

  [edit]
  user@host# commit

- Apply the IDP policy. An IDP policy inspects nothing on its own; a security policy must permit the traffic and hand it to the IDP policy as an application service. Here policy-2 permits HTTP from untrust to trust and sends it to IDP policy http.

  [edit]
  user@host# set security policies from-zone untrust to-zone trust policy policy-2 match source-address any
  user@host# set security policies from-zone untrust to-zone trust policy policy-2 match destination-address any
  user@host# set security policies from-zone untrust to-zone trust policy policy-2 match application junos-http
  user@host# set security policies from-zone untrust to-zone trust policy policy-2 then permit application-services idp-policy http

- Commit the changes.

  [edit]
  user@host# commit

- Verify that the "HTTP - Critical" attack group is matched by the IDP policy, and that security policy policy-2 applies that IDP policy. To view the security policy from operational mode instead, use run show security policies policy-name policy-2 detail.

  [edit]
  user@host# show security idp idp-policy http
  rulebase-ips {
      rule 1 {
          match {
              from-zone untrust;
              to-zone trust;
              application junos-http;
              attacks {
                  predefined-attack-groups "HTTP - Critical";
              }
          }
          then {
              action {
                  recommended;
              }
              notification {
                  log-attacks;
              }
          }
      }
  }

  user@host# show security policies from-zone untrust to-zone trust policy policy-2
  match {
      source-address any;
      destination-address any;
      application junos-http;
  }
  then {
      permit {
          application-services {
              idp-policy http;
          }
      }
  }

The sample output confirms that the "HTTP - Critical" attack group is enabled in IDP policy http, and that policy-2 hands the permitted HTTP traffic to that IDP policy. If either half is missing, IDP will not inspect the traffic: a rule without a security policy referencing it is never consulted, and a permit without application-services idp-policy forwards the traffic uninspected.
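The verification step above depends on reading the two show outputs by eye. The following is an added example, not code from the original page or from Juniper, that parses Junos curly-brace configuration output into nested dictionaries and checks both conditions programmatically: that rule 1 of the IDP policy matches "HTTP - Critical" with action recommended, and that the security policy's permit carries application-services idp-policy http. The two sample outputs are constructed from the procedure above; the function names are the example's own.

```python
# Added example: verify that the IDP rule and the security policy from the
# procedure above are wired together. Not Juniper code; the sample texts are
# constructed copies of the show output shown on the page.

# Constructed sample: output of `show security idp idp-policy http`
SAMPLE_IDP_POLICY = """
rulebase-ips {
    rule 1 {
        match {
            from-zone untrust;
            to-zone trust;
            application junos-http;
            attacks {
                predefined-attack-groups "HTTP - Critical";
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
}
"""

# Constructed sample: output of
# `show security policies from-zone untrust to-zone trust policy policy-2`
SAMPLE_SECURITY_POLICY = """
match {
    source-address any;
    destination-address any;
    application junos-http;
}
then {
    permit {
        application-services {
            idp-policy http;
        }
    }
}
"""


def parse_junos_config(text):
    """Parse Junos curly-brace configuration into nested dicts.

    A container line ("foo {") becomes a dict keyed by "foo"; a leaf
    statement ("foo bar;") becomes the key "foo bar" with value None.
    Quoted values such as "HTTP - Critical" keep their quotes here and are
    stripped by the callers that care about them.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unexpected configuration line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration text")
    return root


def idp_rule_attack_groups(idp_config, rule="rule 1"):
    """Predefined attack groups matched by one rule of the IPS rulebase."""
    rules = idp_config.get("rulebase-ips") or {}
    match = (rules.get(rule) or {}).get("match") or {}
    attacks = match.get("attacks") or {}
    prefix = "predefined-attack-groups "
    return [stmt[len(prefix):].strip('"') for stmt in attacks if stmt.startswith(prefix)]


def idp_policy_applied(security_policy):
    """Name of the IDP policy the permit action hands traffic to, or None.

    A bare `permit;` (no application-services) parses as a None leaf, which
    is exactly the misconfiguration that forwards traffic uninspected.
    """
    then = security_policy.get("then") or {}
    permit = then.get("permit") or {}
    services = permit.get("application-services") or {}
    for stmt in services:
        if stmt.startswith("idp-policy "):
            return stmt.split(" ", 1)[1]
    return None


def verify_http_critical(idp_text, policy_text, group="HTTP - Critical", idp_name="http"):
    """True when rule 1 matches `group` with action recommended and the
    security policy applies IDP policy `idp_name`."""
    idp = parse_junos_config(idp_text)
    rule = (idp.get("rulebase-ips") or {}).get("rule 1") or {}
    action = (rule.get("then") or {}).get("action") or {}
    return (group in idp_rule_attack_groups(idp)
            and "recommended" in action
            and idp_policy_applied(parse_junos_config(policy_text)) == idp_name)


if __name__ == "__main__":
    print("IDP wired correctly:", verify_http_critical(SAMPLE_IDP_POLICY, SAMPLE_SECURITY_POLICY))
```

The parser is deliberately strict: any line that is not a container, a leaf, or a closing brace raises, so a truncated or pasted-together show output fails loudly instead of silently passing the check.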
View Predefined Attacks and Attack Groups in an IDP Policy
The IDP attack database stores thousands of attack objects. To make them easier to manage, attack objects are organized into attack groups: an attack group is a named collection of attack objects that a rule can match as a single unit, and one attack object can belong to several groups.

Use the show security idp attack attack-list policy policy-name command to view the attacks available in an IDP policy template or IDP policy. If an IDP policy contains an attack that belongs to several of the matched attack groups, the command output lists that attack name once for each group it belongs to, so the list can contain duplicates.
View a List of Detected Attacks
The attack table lists each attack that IDP has detected and the number of hits. On devices with multiple Services Processing Units (SPUs), the hit counts are aggregated across all SPUs.

user@host> show security idp attack table
IDP attack statistics:

  Attack name                               #Hits
  TROJAN:SUBSEVEN:SCAN                      1303
  APP:CA:ARCSRV:DISCOVERY-OF                1301
  SCADA:DNP3:NON-DNP3                       1301
  TCP:C2S:AMBIG:C2S-SYN-DATA                1300
  SCADA:MODBUS:NON-MODBUS                   1299
  OS:LINUXX86:NTPDX-OF                      975
  NETBIOS:WINS:REPLICATION-PTR              944
  RPC:RPC.STATD:STATD-FMT-STR2              154
  DOS:NETDEV:CISCO-PIM                      16
  DOS:NETDEV:CISCO-SUNND                    16
  SCADA:MODBUS:SLAVE-ID                     7
  SCADA:MODBUS:READ-ID                      6
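The hit counts in the attack table are cumulative, so a single snapshot shows what has fired since the counters were last cleared, not what is firing now. The following is an added example, not code from the original page or from Juniper, that parses `show security idp attack table` output and diffs two snapshots taken some time apart, which is the form a practitioner polling the device would use to see which attacks are currently active. The two snapshots are constructed using attack names from the table above; a counter that goes down between snapshots is treated as having been cleared in between. The function names are the example's own.

```python
# Added example: parse `show security idp attack table` output and compare two
# polls. Not Juniper code; both snapshots are constructed sample text.
import re

# Constructed sample: first poll (names taken from the attack table on the page).
SNAPSHOT_T0 = """\
IDP attack statistics:

  Attack name                               #Hits
  TROJAN:SUBSEVEN:SCAN                      1303
  APP:CA:ARCSRV:DISCOVERY-OF                1301
  SCADA:DNP3:NON-DNP3                       1301
  OS:LINUXX86:NTPDX-OF                      975
  DOS:NETDEV:CISCO-PIM                      16
"""

# Constructed sample: second poll a few minutes later. Two counters have grown
# and one attack (SCADA:MODBUS:SLAVE-ID) appears for the first time.
SNAPSHOT_T1 = """\
IDP attack statistics:

  Attack name                               #Hits
  TROJAN:SUBSEVEN:SCAN                      1303
  APP:CA:ARCSRV:DISCOVERY-OF                1350
  SCADA:DNP3:NON-DNP3                       1301
  OS:LINUXX86:NTPDX-OF                      1102
  DOS:NETDEV:CISCO-PIM                      16
  SCADA:MODBUS:SLAVE-ID                     7
"""

# One data row: an attack name without spaces followed by an integer hit count.
# The headers ("IDP attack statistics:", "Attack name  #Hits") do not match.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")


def parse_attack_table(text):
    """Return {attack_name: hits} from attack table output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def attack_deltas(before, after):
    """Hits gained per attack between two snapshots, highest first.

    Attacks absent from `before` count from zero. If a counter went down, the
    table was cleared between polls, so the new value is taken as the delta.
    Attacks with no new hits are omitted.
    """
    deltas = []
    for name, hits in after.items():
        delta = hits - before.get(name, 0)
        if delta < 0:          # counters cleared between the two polls
            delta = hits
        if delta > 0:
            deltas.append((name, delta))
    deltas.sort(key=lambda item: (-item[1], item[0]))
    return deltas


def top_attacks(table, n=3):
    """The n attacks with the most cumulative hits, ties broken by name."""
    return sorted(table.items(), key=lambda item: (-item[1], item[0]))[:n]


if __name__ == "__main__":
    t0 = parse_attack_table(SNAPSHOT_T0)
    t1 = parse_attack_table(SNAPSHOT_T1)
    print("All-time top attacks:", top_attacks(t0))
    print("New hits since last poll:")
    for name, delta in attack_deltas(t0, t1):
        print(f"  {name:40s} +{delta}")
```

The delta view is the one worth alerting on: SUBSEVEN:SCAN dominates the cumulative table in the sample but gained nothing between the polls, while NTPDX-OF and the newly seen MODBUS:SLAVE-ID are the attacks actually hitting the device now.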