IDP Utility for PCAP
Understanding Packet Capture
On SRX300, SRX320, SRX340, SRX345, SRX550, SRX550HM devices, to improve the IDP validation process, a CLI command is introduced to display and clear the contexts and the associated data only for the packet capture (PCAP) traffic.
You can run the packet capture utility in either inet mode or transparent mode to generate protocol contexts. You should run the command line PCAP feeder utility tool from the UNIX shell prompt (%).
A PCAP feeder utility uses a pair of source and destination IPv4 addresses available in the traffic, interfaces where the packets are to be fed, and the IPV4 addresses configured for the interfaces through which these PCAPs are injected. Once the PCAPs are fed to these interfaces, a list of contexts associated with the PCAPs and the data are matched for the context. The context, hits, and associated data will be displayed only for traffic that is generated by the PCAP feeder. Live traffic statistics will not be captured. While feeding packets, make sure to feed the packets to the subnet IP of the interface. If you feed packets to the interface IP, IDP security processing might not detect the contexts. Except for the interface IP all other subnet IP can be used.
Before you run new PCAPs through PCAP feeder utility tool, clear the existing contexts and data by using the following clear contexts commands:
[edit security] user@host> clear security idp attack context user@host> clear security flow session interface <intf1> user@host> clear security flow session interface <intf2> user@host> clear security flow session idp user@host> clear security idp attack table
Sample command used for Inet mode PCAP feeder:
% pcapfeed –verbose --interface-ip1 5.0.0.13 --interface-ip2 15.0.0.14 --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Or
% pcapfeed –quiet --interface-ip1 5.0.0.13 --interface-ip2 15.0.0.14 --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Sample command used for transparent mode PCAP feeder:
% pcapfeed –verbose –transparent --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Or
% pcapfeed –quiet –transparent --pcap-ip1 6.0.0.1 --pcap-ip2 7.0.0.1 --interface1 ge-0/0/6 --interface2 ge-0/0/7 --pcap /var/tmp/http.pcap
Table 1 defines the PCAP feeder tool fields from the above provided sample outputs.
Fields |
Description |
pcap --quiet |
Suppresses logs from appearing in the console |
pcap --verbose |
Enables logs to appear in the console |
interface-ip1 |
IP address of the first interface for feeding PCAP packets |
interface-ip2 |
IP address of the other interface for feeding PCAP packets |
pcap-ip1 |
IP address seen in the PCAP |
pcap-ip2 |
Another IP address seen in the PCAP |
interface1 |
Interface 1 in SRX device |
interface2 |
Interface 1 in SRX device |
PCAP feeder does not support:
IPv6
Multiple channel protocols such as FTP
Example: Configuring packet capture feeder in inet mode
This example explains how to run the packet capture (PCAP) feeder in inet mode to generate protocol contexts.
Requirements
Before you begin:
Configure network interfaces.
Overview
To run the PCAP feeder with a relevant IDP policy to get the associated protocol contexts. In this example, PCAPs are fed using pcap-ip1 6.0.0.1 and pcap-ip2 7.0.0.1 in quiet mode.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit]
hierarchy level, and then enter commit
from configuration
mode.
set security idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any set security idp idp-policy idppolicy rulebase-ips rule 1 match source-address any set security idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any set security idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any set security idp idp-policy idppolicy rulebase-ips rule 1 match application default set security idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups “HTTP - All” set security idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server set security idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks set security forwarding-options family inet6 mode flow-based set security policies from-zone trust to-zone untrust policy 1 match source-address any set security policies from-zone trust to-zone untrust policy 1 match destination-address any set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy set security policies from-zone untrust to-zone trust policy 1 match source-address any set security policies from-zone untrust to-zone trust policy 1 match destination-address any set security policies from-zone untrust to-zone trust policy 1 match application any set security policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust application-tracking set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family inet address 5.0.0.15/24 set interfaces ge-0/0/2 unit 0 family inet address 15.0.0.16/24
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Create a policy by assigning a meaningful name to it, associate a rulebase with the policy , add rules to the rulebase, and define match criteria for the rule.
[edit security] user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match source-address any user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match application default user@host#set idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups “HTTP - All” user@host#set idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server user@host#set idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks user@host#set forwarding-options family inet6 mode flow-based
Configure policies.
[edit security] user@host#set policies from-zone trust to-zone untrust policy 1 match source-address any user@host#set policies from-zone trust to-zone untrust policy 1 match destination-address any user@host#set policies from-zone trust to-zone untrust policy 1 match application any user@host#set policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy user@host#set policies from-zone untrust to-zone trust policy 1 match source-address any user@host#set policies from-zone untrust to-zone trust policy 1 match destination-address any user@host#set policies from-zone untrust to-zone trust policy 1 match application any user@host#set policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
Configure zones and assign interfaces.
[edit security] user@host# set zones security-zone untrust host-inbound-traffic system-services all user@host# set zones security-zone untrust host-inbound-traffic protocols all user@host# set zones security-zone untrust interfaces ge-0/0/0.0 user@host# set zones security-zone untrust application-tracking user@host# set zones security-zone trust host-inbound-traffic system-services all user@host# set zones security-zone trust host-inbound-traffic protocols all user@host# set zones security-zone trust interfaces ge-0/0/2.0
Configure forwarding interfaces.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 5.0.0.15/24 user@host# set interfaces ge-0/0/2 unit 0 family inet address 15.0.0.16/24
Results
From configuration mode, confirm your configuration
by entering the show security idp
and show applications
commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit] user@host# show security idp idp-policy idppolicy { rulebase-ips { rule 1 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; } then { action { close-client-and-server; } notification { log-attacks; } } } } }
[edit] user@host# show security policies from-zone trust to-zone untrust { policy 1 { match { source-address any; destination-address any; application any; } then { permit { application-services { idp-policy idppolicy; } } } }
[edit] user@host# show security zones security-zone untrust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/0.0; } application-tracking; }
[edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet { address 5.0.0.15/24; } } } ge-0/0/2 { unit 0 { family inet { address 15.0.0.16/24; } } }
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the IDP attack context after you run the PCAPs using the PCAP feeder tool.
Action
From operational mode, enter the show security
idp attack context
command.
Sample Output
command-name
user@host> show security idp attack context IDP context statistics: Context name #Hits #Data http-url 1 / http-get-url 1 / http-header-host 1 7.0.0.1 http-header-user-agent 1 lwp-request/5.827 libwww-perl/5.833 http-header 2 te: deflate,gzip;q=0.3 && connection: TE, close http-request 1 GET / HTTP/1.1 http-request-method 1 GET / HTTP/1.1
Example: Configuring packet capture feeder in transparent mode
This example explains how to run the packet capture (PCAP) feeder in transparent mode to generate protocol contexts.
Requirements
Before you begin:
Configure network interfaces.
Overview
To run some PCAP feeder with a relevant IDP policy to get the
associated protocol contexts out of the packets which are running
from the packet capture. In this example, PCAP feeder pcap-ip
2 7.0.0.1
is used in quiet mode to feed the packets.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit]
hierarchy level, and then enter commit
from configuration
mode.
set groups global protocols l2-learning global-mode transparent-bridge set security idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any set security idp idp-policy idppolicy rulebase-ips rule 1 match source-address any set security idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any set security idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any set security idp idp-policy idppolicy rulebase-ips rule 1 match application default set security idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups “HTTP - All” set security idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server set security idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks set security policies from-zone trust to-zone untrust policy 1 match source-address any set security policies from-zone trust to-zone untrust policy 1 match destination-address any set security policies from-zone trust to-zone untrust policy 1 match application any set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy set security policies from-zone untrust to-zone trust policy 1 match source-address any set security policies from-zone untrust to-zone trust policy 1 match destination-address any set security policies from-zone untrust to-zone trust policy 1 match application any set security policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy set security zones security-zone untrust host-inbound-traffic system-services all set security zones security-zone untrust host-inbound-traffic protocols all set security zones security-zone untrust interfaces ge-0/0/0.0 set security zones security-zone untrust application-tracking set security zones security-zone trust host-inbound-traffic system-services all set security zones security-zone trust host-inbound-traffic protocols all set security zones security-zone trust interfaces ge-0/0/2.0 set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 301 set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 301 set interfaces irb unit 301 family inet address 1.1.1.11/8 set vlans bd-vlan-301 vlan-id 301 set vlans bd-vlan-301 l3-interface irb.301
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Set the configuration group.
[edit] user@host#set groups global protocols l2-learning global-mode transparent-bridge
Create a policy by assigning a meaningful name to it, associate a rulebase with the policy , add rules to the rulebase, and define match criteria for the rule.
[edit security] user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match from-zone any user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match source-address any user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match to-zone any user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match destination-address any user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match application default user@host# set idp idp-policy idppolicy rulebase-ips rule 1 match attacks predefined-attack-groups “HTTP - All” user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then action close-client-and-server user@host# set idp idp-policy idppolicy rulebase-ips rule 1 then notification log-attacks user@host# set forwarding-options family inet6 mode flow-based
Configure policies.
[edit security] user@host# set policies from-zone trust to-zone untrust policy 1 match source-address any user@host# set policies from-zone trust to-zone untrust policy 1 match destination-address any user@host# set policies from-zone trust to-zone untrust policy 1 match application any user@host# set policies from-zone trust to-zone untrust policy 1 then permit application-services idp-policy idppolicy user@host# set policies from-zone untrust to-zone trust policy 1 match source-address any user@host# set policies from-zone untrust to-zone trust policy 1 match destination-address any user@host# set policies from-zone untrust to-zone trust policy 1 match application any user@host# set policies from-zone untrust to-zone trust policy 1 then permit application-services idp-policy idppolicy
Configure zones and assign interfaces.
[edit security] user@host# set zones security-zone untrust host-inbound-traffic system-services all user@host# set zones security-zone untrust host-inbound-traffic protocols all user@host# set zones security-zone untrust interfaces ge-0/0/0.0 user@host# set zones security-zone untrust application-tracking user@host# set zones security-zone trust host-inbound-traffic system-services all user@host# set zones security-zone trust host-inbound-traffic protocols all user@host# set zones security-zone trust interfaces ge-0/0/2.0
Configure forwarding interfaces.
[edit] user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access user@host# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 301 user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access user@host# set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 301 user@host# set interfaces irb unit 301 family inet address 1.1.1.11/8
Configure VLAN-ID.
[edit] user@host# set vlans bd-vlan-301 vlan-id 301 user@host# set vlans bd-vlan-301 l3-interface irb.301
Results
From configuration mode, confirm your configuration
by entering the show security idp
and show applications
commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit] user@host# show security idp idp-policy idppolicy { rulebase-ips { rule 1 { match { from-zone any; source-address any; to-zone any; destination-address any; application default; } then { action { close-client-and-server; } notification { log-attacks; } } } } }
[edit] user@host# show security policies from-zone untrust to-zone trust { policy 1 { match { source-address any; destination-address any; application any; } then { permit { application-services { idp-policy idppolicy; } } } } } default-policy { permit-all; }
[edit] user@host# show security zones security-zone trust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/0.0; ge-0/0/2.0; } advance-policy-based-routing-profile { p1; } } security-zone untrust { host-inbound-traffic { system-services { all; } protocols { all; } } interfaces { ge-0/0/1.0; ge-0/0/2.0; ge-0/0/3.0; ge-0/0/0.0; } application-tracking; }
[edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet { address 4.0.0.1/24; } family ethernet-switching { interface-mode access; vlan { members 301; } } } } ge-0/0/2 { unit 0 { family inet { address 192.0.3.1/24; } family ethernet-switching { interface-mode access; vlan { members 301; } } } }
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the IDP attack context after you run the PCAPs using the PCAP feeder tool.
Action
From operational mode, enter the show security
idp attack context
command.
Sample Output
command-name
user@host> show security idp attack context IDP context statistics: Context name #Hits #Data http-url 1 / http-get-url 1 / http-header-host 1 7.0.0.1 http-header-user-agent 1 lwp-request/5.827 libwww-perl/5.833 http-header 2 te: deflate,gzip;q=0.3 && connection: TE, close http-request 1 GET / HTTP/1.1 http-request-method 1 GET / HTTP/1.1