Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

IDP Security Packet Capture

An IDP sensor configuration defines the device specifications for the packet capture.

For more information, see the following topics:

Understanding Security Packet Capture

Viewing packets that precede and follow an attack helps you determine the purpose and extent of an attempted attack, whether an attack was successful, and if any network damage was caused by an attack. Packet analysis also aids in defining attack signatures to minimize false positives.

If packet capture is enabled when an attack is logged, a specified number of packets before and after the attack can be captured for the session. When all packets have been collected, they are transmitted in Device Management Interface (DMI) to a host device for offline analysis.

A notification option in the IDP policy rule enables packet capture when a rule match occurs. The option further defines the number of packets to be captured and the duration of packet capture for the associated session.

An IDP sensor configuration defines the device specifications for the packet capture. Options for this command determine the memory to be allocated for packet capture, and the source and host devices between which the packet capture object will be transmitted.

A show command displays packet capture counters that provide details about the progress, success, and failure of packet capture activity on the device.

Support for packet capture is available only once on each session.

Note:

When packet capturing is configured with an improved pre-attack configuration parameter value, the resource usage increases proportionally and might affect the performance of your device.

Encryption support for IDP Packet Capture

Starting in Junos OS Release 22.1R1, you can enable a secure SSL or TLS connection and send encrypted IDP packet capture log to the packet capture receiver. To establish the SSL or TLS connection, you must specify the SSL initiation profile name that you want to use in the IDP packet log configuration. The SRX Series Firewall is the SSL or TLS client and the packet capture receiver is the SSL or TLS server.

IDP uses a secure SSL or TLS connection to send the IDP packet logs to the configured host for all sessions (encrypted and non-encrypted) within a logical system or a tenant system, if encryption support is enabled in the packet log configuration. Once the packet logs are sent to the packet capture receiver, the SSL connection is closed.

Previously, when encrypted traffic is sent for inspection then IDP recieves decrypted traffic using SSL proxy and inspects this traffic for attack detection. If an attack was detected and packet log was configured, then decrypted packets were sent as part of packet log to the configured host through UDP traffic. This transmission of packet-log without encryption is not secured, especially when packet-log captured is for encrypted traffic.

Note:

When encryption support is enabled, SSL profile must be configured in each logical system separately. The IDP sensor configuration performed in root logical system for transport parameters cannot be used for the other logical systems or tenant systems.

The SSL or TLS connection for IDP packet logs is established as follows:

  • When packet logging process starts, if there is no SSL or TLS connection to the host, then a new SSL connection is established for sending the packet logs.

  • During packet log transmission, if there is an existing SSL or TLS connection,then the same connection is reused.

  • When packet logging stops, captured packets are sent over the established SSL or TLS connection.

  • When there is a busy SSL or TLS packet transmission session and if there is a new packet log request from the host, then those packet logs are pushed back and sent only when the existing SSL session is completed.

The packet log configuration of IDP now supports the SSL profile name configuration. You can use this updated packet log configuration to establish a secure SSL connection for IDP packet logs.

The updated IDP packet log commands with SSL configuration are:

  • set security idp sensor-configuration packet-log ssl-profile-name < profile-name>
  • For sessions within a logical system-set logical system logical system name security idp sensor-configuration packet-log ssl-profile-name < profile-name>
  • For sessions within a tenant system-set tenants tenant name security idp sensor-configuration packet-log ssl-profile-name < profile-name>

The profile name mentioned in these commands must be configured in the SSL initiation profile configuration. SSL initiation profile configuration performs the required SSL certificates and SSL handshake operations to establish a secure connection. SSL versions are chosen based on the SSL initiation configuration.

Note:

If SSL profile name is not configured in SSL initiation profile configuration, then the following message is displayed Referenced SSL initiation profile is not defined.

To view the new packet log counters, use the show security idp counters packet-log command.

Benefits

  • Provides privacy and security of data using SSL and TLS keys and certificates encryption mechanism.

  • Allows support for streaming potential private information to shared entities in a network.

Support for IDP On-Box Packet Capture

When an attack occurs, packets are captured using the IDP packet logging feature and the attack behavior is analyzed offline. Sometimes, a log collector device such as the Security Director is not available for offline collection of the captured packets. In such cases, starting in Junos OS Release 23.1R1, the captured packets can now be stored locally on the SRX Series Firewall and details can be viewed on the user interface or J-Web.

The existing IDP packet log configurations are used as usual, and you can use the commands to set the packet-log for the IDP rule. You can use the set security idp sensor-configuration packet-log local-storage command to store the captured packets on the device.

Note:

If you use this configuration, there is no change in sending the packet-log to the off-box host or collector if the details are configured for the host.

The captured traffic is stored at /var/log/pcap/idp/. The name of the PCAP file is based on the time stamp, attack log ID, and the trigger packet number.

You can restrict the number of PCAP files that are created by using the log rotation facility that is provided. Use the following configuration to limit the number of PCAP files that should be created in /var/log/pcap/idp:

set security idp sensor-configuration packet-log local-storage max-files <1..5000>

The default value is 500.

The following configuration is used to set the limit for the maximum disk space to be used to store the PCAP files.

set security idp sensor-configuration packet-log local-storage storage-limit <1048576...4294967296>

The default value is 100M and the minimum is 1M.

Counters indicate the on-box capture statistics. New counters are added to the existing packet-log counters. You can view details of the packet-log counters using the following command:

user@host> show security idp counters packet-log

A flag is now set on the existing session-close syslog when an on-box packet capture file is generated for this session. The third-last parameter in the following example (128 - feature stats for the session) indicates this. The following is an example:

RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 4.0.0.1/44508->6.0.0.2/80 0x0 junos-http 4.0.0.1/44508->6.0.0.2/80 0x0 N/A N/A N/A N/A 6 1 trust untrust 22 7(420) 6(3879) 2 HTTP UNKNOWN N/A(N/A) ge-0/0/2.0 No Web N/A 4 Can Leak Information;Supports File Transfer;Prone to Misuse;Known Vulnerabilities;Carrier of Malware;Capable of Tunneling; NA 0 0.0.0.0/0->0.0.0.0/0 NA NA N/A N/A Off root 128 N/A N/A

The following are the other useful commands:

  • Use delete security idp sensor-configuration packet-log local-storage and commit to delete the configuration and commit to disable on-box logging.

  • Use the clear counter command, clear security idp counters packet-log to remove the on-box capture details.

  • Use request security idp storage-cleanup packet-capture to clear all the captured files.

Example: Configuring Security Packet Capture

This example shows how to configure the security packet capture.

Requirements

Before you begin, configure network interfaces.

Overview

In this example, you configure a packet capture for rule 1 of policy pol0. The rule specifies that, if an attack occurs, 1 packets before the attack and 3 packets after the attack will be captured, and that the post-attack capture should time out after 60 seconds. The sensor configuration is modified to allocate 5 percent of available memory and 15 percent of the IDP sessions to packet capture. When the packet capture object is prepared, it is transmitted from device 10.56.97.3 to port 5 on device 10.24.45.7.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the security packet capture:

  1. Create an IDP policy.

  2. Associate a rulebase with the policy.

  3. Add rules to the rulebase.

  4. Specify notification, define the size and timing constraints for each packet capture.

  5. Define an attack as match criteria.

  6. Specify an action for the rule.

  7. Enable the security idp sensor-configuration.

  8. (Optional) Disable security idp sensor-configuration log suppression.

    Note:

    When IDP log suppression is enabled (which is the default behaviour), during incidents of high volume or repetitive attacks matching a single signature, a packet capture (PCAP) may not be generated by the SRX Series Firewall and forwarded to the collector. It is recommended to disable IDP log suppression if you require PCAP records for each attack.

  9. Allocate the device resources to be used for packet capture.

  10. Identify the source and host devices for transmitting the packet-capture object.

  11. Enable secured SSL or TLS connection to encrypt the IDP packet log sent to the configured host (PCAP reciever).

    SSL profile name mentioned above should be configured in the SSL initiation profile configuration. All the SSL and TLS versions supported by SSL initiation configuration are supported for this IDP packet log SSL or TLS connection. You can choose only the SSL or TLS version configured in the SSL initiation configuration.

    Run the user@host# show services ssl initiation | display set to view the SSL profile name configured in the SSL initiation and use the required SSL or TLS version.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Security Packet Capture

Purpose

Verify security packet capture.

Action

From operational mode, enter the show security idp counters packet-log command.

Example: Configure Packet Capture for Datapath Debugging

This example shows how to configure packet capture to monitor traffic that passes through the device. Packet capture then dumps the packets into a PCAP file format that can be later examined by the tcpdump utility.

Requirements

Overview

A filter is defined to filter traffic; then an action profile is applied to the filtered traffic. The action profile specifies a variety of actions on the processing unit. One of the supported actions is packet dump, which sends the packet to the Routing Engine and stores it in proprietary form to be read using the show security datapath-debug capture command.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Modein the Junos OS CLI User Guide.

To configure packet capture:

  1. Edit the security datapath-debug option for the multiple processing units along the packet-processing path:

  2. Enable the capture file, the file format, the file size, and the number of files. Size number limits the size of the capture file. After the limit size is reached, if the file number is specified, then the capture file will be rotated to filename x, where x is auto-incremented until it reaches the specified index and then returns to zero. If no files index is specified, the packets will be discarded after the size limit is reached. The default size is 512 kilobytes.

  3. Enable action profile and set the event. Set the action profile as do-capture and the event type as np-ingress:

  4. Enable packet dump for the action profile:

  5. Enable packet filter, action, and filter options. The packet filter is set to my-filter, the action profile is set to do-capture, and filter option is set to source-prefix 1.2.3.4/32.

Results

From configuration mode, confirm your configuration by entering the show security datapath-debug command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Packet Capture

Purpose

Verify if the packet capture is working.

Action

From operational mode, enter the request security datapath-debug capture start command to start packet capture and enter the request security datapath-debug capture stop command to stop packet capture.

To view the results, from CLI operational mode, access the local UNIX shell and navigate to the directory /var/log/my-capture. The result can be read by using the tcpdump utility.

Verifying Data Path Debugging Capture

Purpose

Verify the details of data path debugging capture file.

Action

From operational mode, enter the show security datapath-debug capture command.

Warning:

When you are done troubleshooting, make sure to remove or deactivate all the traceoptions configurations (not limited to flow traceoptions) and the complete security datapath-debug configuration stanza. If any debugging configurations remain active, they will continue to use the device's CPU and memory resources.

Verifying Data Path Debugging Counter

Purpose

Verify the details of the data path debugging counter.

Action

From operational mode, enter the show security datapath-debug counter command.

IDP Security Packet Logging for Logical Systems and Tenant Systems

Starting in Junos OS Release 21.3R1, you can capture IDP security packet logs for logical systems and tenant systems. With packet capture enabled on your security device, you can also specify a number of post-attack or pre-attack packets to capture. After you configure packet capture on your security device, the device collects the captured information and stores it as a packet capture (.pcap) file at the logical systems and tenant systems level.

When you configure IDP security packet logs for logical systems and tenant systems, your configuration looks as the following sample:

IDP Packet Logging Sample Configuration

Route and Reachability

You can specify packet logging sensors at the logical systems and tenant systems level to store the captured packets on a destination device (PCAP receiver). To send and store the captured packets, you must add the IP address of the destination device in your logical systems and tenant systems configuration. Otherwise, the device uses the IP address of the device configured at the root logical systems and tenant systems level to send the captured packet. In this case, captured packets are not stored at the logical systems and tenant systems level.

If your root logical systems and tenant systems do not include the IP address of the destination device, the security device fails to send the captured packet to the destination.

You can use the show security idp counters packet log logical-system <logical-system-name> command and check the option Packet log host route lookup failures field to see the number of times the security device did not send captured packets because of missing route details.