FireBall
 asked on

SRX Custom Attack

We are getting the attack shown below, and we tried to add custom attacks to the IDP, but strangely none of them can catch the attacker. The rules are working, I know, because they catch lots of other IP addresses :) Where are we making a mistake?

       custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            total-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ip-flags df;
                        }
                    }
                }
            }
        }

02:06:30.678789 IP (tos 0x0, ttl  62, id 27604, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6bd4 4000 3e11 e235 b909 9c02  E...k.@.>..5....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.679774 IP (tos 0x0, ttl  62, id 28335, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 6eaf 4000 3e11 df5a b909 9c02  E...n.@.>..Z....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.680880 IP (tos 0x0, ttl  62, id 29088, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 71a0 4000 3e11 dc69 b909 9c02  E...q.@.>..i....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.681780 IP (tos 0x0, ttl  62, id 29894, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 74c6 4000 3e11 d943 b909 9c02  E...t.@.>..C....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.682775 IP (tos 0x0, ttl  62, id 30682, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 77da 4000 3e11 d62f b909 9c02  E...w.@.>../....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.683773 IP (tos 0x0, ttl  62, id 31453, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 7add 4000 3e11 d32c b909 9c02  E...z.@.>..,....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............
02:06:30.684776 IP (tos 0x0, ttl  62, id 32208, offset 0, flags [DF], proto: UDP (17), length: 29) 185.9.156.2.58253 > 178.20.231.165.9987: [udp sum ok] UDP, length 1
        0x0000:  4500 001d 7dd0 4000 3e11 d039 b909 9c02  E...}.@.>..9....
        0x0010:  b214 e7a5 e38d 2703 0009 9a84 6c00 0000  ......'.....l...
        0x0020:  0000 0000 0000 0000 0000 0000 0000       ..............


Hardware Firewalls, Software Firewalls, Network Security
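
An added example (not part of the original question): a Python check that decodes the first captured packet above and compares its header fields with the match values of the custom attacks and of the `BlokKural` filter term posted later in this thread. It assumes `total-length` and `packet-length` compare against the IPv4 total length and `data-length` against the UDP payload size; `parse_ipv4_udp` and `evaluate` are names made up for this example.

```python
import struct

# First packet of the tcpdump output on this page: 20-byte IPv4 header,
# 8-byte UDP header, 1 data byte. The zero padding tcpdump printed after it
# lies beyond the IP total length and is left out.
CAPTURED_HEX = (
    "4500001d6bd440003e11e235b9099c02b214e7a5"  # IPv4 header
    "e38d270300099a84"                          # UDP header
    "6c"                                        # UDP payload
)


def header_checksum_ok(header: bytes) -> bool:
    """RFC 791 check: the one's-complement sum of all header words is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_udp(raw: bytes) -> dict:
    """Decode the header fields that the signatures on this page match on."""
    if len(raw) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    pkt = {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "checksum_ok": header_checksum_ok(raw[:ihl]),
    }
    if proto == 17:  # UDP
        if len(raw) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        pkt.update(sport=sport, dport=dport, udp_length=udp_len,
                   udp_data_length=udp_len - 8)  # payload = UDP length - header
    return pkt


def evaluate(pkt: dict, total_length_value: int) -> dict:
    """Evaluate each match condition from the thread against one packet.

    total_length_value is the Block_Size value: 1 in the first listing,
    29 in the later one. The field semantics are the assumptions stated
    in the lead-in, not verified against a device.
    """
    is_udp = pkt["protocol"] == 17
    return {
        "Block_TTL": is_udp and pkt["ttl"] == 62,
        "Block_Size": is_udp and pkt["total_length"] == total_length_value,
        "Block_Length": is_udp and pkt.get("udp_data_length") == 1,
        "Block_Flag": is_udp and pkt["df"],
        "BlokKural term 1": is_udp and 0 <= pkt["total_length"] <= 30,
    }


if __name__ == "__main__":
    packet = parse_ipv4_udp(bytes.fromhex(CAPTURED_HEX))
    print(packet)
    for value in (1, 29):
        print(f"total-length value {value}:", evaluate(packet, value))
```

Against this capture, every condition except `total-length` with value 1 evaluates true.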

Last Comment
giltjr

8/22/2022 - Mon
harbor235

Why not just block based on source IP? The attack traffic appears to be coming from a single source IP and a single source UDP port.


harbor235 ;}
FireBall

ASKER
Yes, but it drops connections of streams.
Juniper does not have a source connection limit function on the SRX for UDP.
Very strangely, when we remove the UDP threshold limit and try to block with a policy, the Juniper is locking.
harbor235

You need unicast reverse path forwarding enabled that can block traffic based on source IP traffic. That way only traffic from the bad source is dropped and not legitimate traffic destined to resources inside your network(s).

I assume that is what you mean by "Yes, but it drops connections of streams": that it's dropping good traffic too because you are filtering based on destination traffic?


harbor235 ;}
FireBall

ASKER
We are a public datacenter. RPF only checks prefixes to block some conditions like spoofed output. It does not solve our problem; also, we already tried it.

And also, I really do not understand why the device is locking itself when we disable UDP flood protection.
We tried to block the attack with:
- Firewall filter
- IDS custom attack (in flow ip-action it shows the IP as blocked, but the attack still keeps hitting the IDP attack-table)
- Policy based

With each of them the result is the same: the device is locking itself, and after the attack has finished it comes back a few minutes later.
The attack is not so big; it comes at 200 Mbps and 100 - 120 K pps. I do not believe that the Juniper cannot handle this.


We first tried block zeus with the attacker IP, then tried a firewall filter, then tried an IDS custom signature depending on the packets; the result is always the same :/
  xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }

firewall {
    family inet {
        filter BlokKural {
            term 1 {
                from {
                    packet-length 0-30;
                    protocol udp;
                }
                then {
                    count dns-jova;
                    log;
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter blocked.IP {
            term 1 {
                from {
                    prefix-list {
                        block.zeusCC;
                        unblock.zeusCC except;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
policy-options {
    prefix-list block.zeusCC {
        43.255.180.0/24;
        43.255.184.0/24;
        43.255.190.0/24;
        43.255.191.0/24;
        61.168.229.0/24;
        182.100.64.0/24;
        182.100.67.0/24;
        218.65.24.0/24;
    }
    prefix-list unblock.zeusCC;
}
       custom-attack Block_Flooder {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 100;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                }
            }
        }
        custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            total-length {
                                match equal;
                                value 29;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ip-flags df;
                        }
                    }
                }
            }
        }
        application-ddos dns-server-1 {

Our full configuration is this:

## Last changed: 2015-04-15 10:41:15 UTC
version 12.1X44-D45.2;

    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    scripts {
        commit {
            file templates.xsl;
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface [ ge-0/0/1.0 xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host 185.9.157.27 {
            any any;
            match RT_FLOW;
        }
        file messages {
            any emergency;
            authorization info;
        }
        file policy_session {
            match RT_FLOW;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.95/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.100.100.2/30;
            }
        }
    }
    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }
    xe-1/0/1 {
        description "Ex4500 Downlink";
        unit 0 {
            family inet {
                address 37.123.101.225/27;
                address 178.20.231.1/24;
                address 178.20.229.225/27;
                address 178.20.229.33/27;
                address 178.20.229.65/27;
                address 37.123.96.145/28;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
}
forwarding-options {
    packet-capture {
        file filename pcap-file files 100 size 1k world-readable;
        maximum-capture-size 1500;
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 37.123.100.121;
    }
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}
policy-options {
    prefix-list block.zeusCC {
        43.255.180.0/24;
        43.255.184.0/24;
        43.255.190.0/24;
        43.255.191.0/24;
        61.168.229.0/24;
        182.100.64.0/24;
        182.100.67.0/24;
        218.65.24.0/24;
    }
    prefix-list unblock.zeusCC;
}
security {
    log {
        mode event;
        event-rate 1000;
        format sd-syslog;
    }
    idp {
        idp-policy Server-Protection {
            /* This template policy is designed to protect servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Minor, Warning, and Info severities.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]SSL - Info" "[Recommended]DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]DNS - Info" "[Recommended]FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]MS-RPC" "[Recommended]LDAP" "[Recommended]NETBIOS" "[Recommended]RADIUS" "[Recommended]SSH" "[Recommended]TELNET" "[Recommended]DB" "[Recommended]VNC" "[Recommended]NFS" "[Recommended]NTP" "[Recommended]PORTMAPPER" "[Recommended]DHCP" "[Recommended]RPC" "[Recommended]SNMP" "[Recommended]SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]TROJAN" "[Recommended]VIRUS" "[Recommended]WORM" "[Recommended]SHELLCODE" "[Recommended]SCAN" "[Recommended]DOS" "[Recommended]DDOS" "[Recommended]Misc_SPYWARE" "[Recommended]Misc_TROJAN" "[Recommended]Misc_VIRUS" "[Recommended]Misc_WORM" "[Recommended]Misc_SHELLCODE" "[Recommended]Misc_SCAN" "[Recommended]Misc_DOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your servers against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]CHAT" "[Recommended]P2P" "[Recommended]APP" "[Recommended]RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Server-Protection-1G {
            /* This template policy is designed to protect servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]SSH - Major" "[Recommended]DB - Critical" "[Recommended]DB - Major" "[Recommended]NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Misc_TROJAN - Major" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Misc_VIRUS - Major" "[Recommended]Misc_WORM - Critical" 
                            "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection {
            /* This template policy is designed to protect clients.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Minor" "[Recommended]Response_HTTP - Warning" "[Recommended]Response_HTTP - Info" "[Recommended]Response_SSL - Minor" "[Recommended]Response_SSL - Warning" "[Recommended]Response_SSL - Info" "[Recommended]Response_DNS - Minor" "[Recommended]Response_DNS - Warning" "[Recommended]Response_DNS - Info" "[Recommended]Response_FTP - Minor" "[Recommended]Response_FTP - Warning" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_IMAP - Minor" "[Recommended]Response_IMAP - Warning" "[Recommended]Response_IMAP - Info" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_POP3 - Minor" "[Recommended]Response_POP3 - Warning" "[Recommended]Response_POP3 - Info" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" "[Recommended]Response_SMTP - Minor" 
                            "[Recommended]Response_SMTP - Warning" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB" "[Recommended]Response_MS-RPC" "[Recommended]Response_LDAP" "[Recommended]Response_NETBIOS" "[Recommended]Response_RADIUS" "[Recommended]Response_SSH" "[Recommended]Response_TELNET" "[Recommended]Response_DB" "[Recommended]Response_VNC" "[Recommended]Response_NFS" "[Recommended]Response_NTP" "[Recommended]Response_PORTMAPPER" "[Recommended]Response_DHCP" "[Recommended]Response_RPC" "[Recommended]Response_SNMP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]Response_WORM" "[Recommended]Misc_WORM" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_VOIP" "[Recommended]Response_CHAT" "[Recommended]Response_P2P" "[Recommended]Response_APP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection-1G {
            /* This template policy is designed to protect clients.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB - Critical" "[Recommended]Response_SMB - Major" "[Recommended]Response_MS-RPC - Critical" "[Recommended]Response_MS-RPC - Major" "[Recommended]Response_NETBIOS - Critical" "[Recommended]Response_NETBIOS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]Response_VIRUS - Critical" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]Response_WORM - Critical" 
                            "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Major" "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection {
            /* This template policy is designed to protect both clients and servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]Response_HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]Response_HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]Response_HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]Response_SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]Response_SSL - Warning" "[Recommended]SSL - Info" "[Recommended]Response_SSL - Info" "[Recommended]DNS - Minor" "[Recommended]Response_DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]Response_DNS - Warning" 
                            "[Recommended]DNS - Info" "[Recommended]Response_DNS - Info" "[Recommended]FTP - Minor" "[Recommended]Response_FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]Response_FTP - Warning" "[Recommended]FTP - Info" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]Response_IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]Response_IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]Response_IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]POP3 - Minor" 
                            "[Recommended]Response_POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]Response_POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]Response_POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]Response_SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]Response_SMTP - Warning" "[Recommended]SMTP - Info" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]Response_SMB" "[Recommended]MS-RPC" "[Recommended]Response_MS-RPC" "[Recommended]LDAP" "[Recommended]Response_LDAP" "[Recommended]NETBIOS" "[Recommended]Response_NETBIOS" "[Recommended]RADIUS" "[Recommended]Response_RADIUS" "[Recommended]SSH" "[Recommended]Response_SSH" "[Recommended]TELNET" "[Recommended]Response_TELNET" "[Recommended]DB" "[Recommended]Response_DB" "[Recommended]VNC" "[Recommended]Response_VNC" "[Recommended]NFS" "[Recommended]Response_NFS" 
                            "[Recommended]NTP" "[Recommended]Response_NTP" "[Recommended]PORTMAPPER" "[Recommended]Response_PORTMAPPER" "[Recommended]DHCP" "[Recommended]Response_DHCP" "[Recommended]RPC" "[Recommended]Response_RPC" "[Recommended]SNMP" "[Recommended]Response_SNMP" "[Recommended]SNMPTRAP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]TROJAN" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]VIRUS" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]WORM" "[Recommended]Misc_WORM" "[Recommended]Response_WORM" "[Recommended]SHELLCODE" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]SCAN" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]DOS" 
                            "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]DDOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]Response_VOIP" "[Recommended]CHAT" "[Recommended]Response_CHAT" "[Recommended]P2P" "[Recommended]Response_P2P" "[Recommended]APP" "[Recommended]Response_APP" "[Recommended]RTSP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection-1G {
            /* This template policy is designed to protect both clients and servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]Response_SMB - Critical" "[Recommended]SMB - Major" "[Recommended]Response_SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]Response_MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]Response_MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]Response_NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]Response_NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]Response_SSH - Critical" 
                            "[Recommended]SSH - Major" "[Recommended]Response_SSH - Major" "[Recommended]DB - Critical" "[Recommended]Response_DB - Critical" "[Recommended]DB - Major" "[Recommended]Response_DB - Major" "[Recommended]NTP - Critical" "[Recommended]Response_NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]Response_VIRUS - Critical" 
                            "[Recommended]Misc_VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_WORM - Major" "[Recommended]Response_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Web_Server {
            /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common web and IIS services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Minor" "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "NNTP - Minor" "SHELLCODE - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DMZ_Services {
            /* This template policy is designed to be used to protect a typical DMZ environment. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" "IMAP - Critical" "IMAP - Major" "POP3 - Critical" "POP3 - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "IMAP - Minor" "NNTP - Minor" "POP3 - Minor" "SHELLCODE - Minor" "SMTP - Minor" "SSH - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DNS_Service {
            /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity DNS attacks. Enable this rule to investigate possible threats against Domain Name Services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups "DNS - Minor";
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy File_Server {
            /* This template policy is designed to provide protection to various file sharing services such as AMB, NFS, FTP, and others. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS  and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DHCP - Critical" "DHCP - Major" "SHELLCODE - Critical" "SHELLCODE - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "SSH - Critical" "SSH - Major" "NFS - Critical" "NFS - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SMB - Critical" "SMB - Major" "MS-RPC - Critical" "MS-RPC - Major" "NETBIOS - Critical" "NETBIOS - Major" "TFTP - Critical" "TFTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity file service attacks. Enable this rule to investigate possible threats against file sharing services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Minor" "SSH - Minor" "MS-RPC - Minor" "NETBIOS - Minor" "NFS - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SMB - Minor" "TFTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Getting_Started {
            /* This template is a good starting point for learning how to create IDP policies. */
            rulebase-ips {
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "IP - Minor" "TCP - Critical" "TCP - Major" "TCP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "ICMP - Critical" "ICMP - Major" "ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DNS - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "FTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "POP3 - Critical" "POP3 - Major" "POP3 - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" "IMAP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy IDP_Default {
            /* This template policy represents a good blend of security and performance. Use this template for "in-line" mode. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops high severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Critical" "DB - Major" "DDOS - Critical" "DDOS - Major" "DHCP - Critical" "DHCP - Major" "DNS - Critical" "DNS - Major" "DOS - Critical" "DOS - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "ICMP - Critical" "ICMP - Major" "IMAP - Critical" "IMAP - Major" "NETBIOS - Critical" "NETBIOS - Major" "MS-RPC - Critical" "MS-RPC - Major" "NFS - Critical" "NFS - Major" "POP3 - Critical" "POP3 - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SCAN - Critical" "SCAN - Major" "SHELLCODE - Critical" "SHELLCODE - Major" "SMB - Critical" "SMB - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" "TELNET - Critical" "TELNET - Major" "TROJAN - Critical" "TROJAN - Major" "WORM - Critical" "WORM - Major" "APP - Critical" "APP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Minor" "DDOS - Minor" "DHCP - Minor" "DNS - Minor" "DOS - Minor" "FTP - Minor" "HTTP - Minor" "ICMP - Minor" "IMAP - Minor" "NETBIOS - Minor" "MS-RPC - Minor" "NFS - Minor" "POP3 - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SCAN - Minor" "SHELLCODE - Minor" "SMB - Minor" "SMTP - Minor" "SSH - Minor" "TELNET - Minor" "TROJAN - Minor" "WORM - Minor" "APP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Recommended {
            /* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule 1 {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    /* This rule is designed to protect your network against  important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    /* This rule is designed to protect your network against  important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* This rule is designed to protect your network against  important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule TCP/IP {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule ICMP {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule HTTP {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule SMTP {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule DNS {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule FTP {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule POP3 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule IMAP {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malware {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        active-policy Recommended;
        custom-attack Block_Flooder {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 100;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                }
            }
        }
        custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            total-length {
                                match equal;
                                value 29;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ip-flags df;
                        }
                    }
                }
            }
        }
        application-ddos dns-server-1 {
            service dns;
            connection-rate-threshold 1200;
            context dns-type-name {
                hit-rate-threshold 72000;
                value-hit-rate-threshold 2400;
                max-context-values 100;
                time-binding-count 10;
                time-binding-period 30;
                exclude-context-values [ .*google.com .*yahoo.com ];
            }
        }
        application-ddos Protect-HTTP-Server {
            service http;
            connection-rate-threshold 100;
            context http-url-parsed {
                hit-rate-threshold 200;
                value-hit-rate-threshold 20;
                max-context-values 20;
                time-binding-count 3;
                time-binding-period 60;
            }
        }
        security-package {
            url http://services.netscreen.com/cgi-bin/index.cgi;
            automatic {
                start-time "2015-4-4.21:50:00 +0000";
                interval 24;
                enable;
            }
        }
        sensor-configuration {
            log {
                cache-size 32000;
                suppression {
                    include-destination-address;
                    start-log 1;
                    max-logs-operate 32000;
                    max-time-report 30;
                }
            }
            flow {
                log-errors;
                no-allow-icmp-without-flow;
            }
            re-assembler {
                no-ignore-memory-overflow;
                no-ignore-reassembly-memory-overflow;
                ignore-reassembly-overflow;
                max-flow-mem 3200000;
                max-packet-mem-ratio 20;
            }
            ips {
                no-process-override;
                detect-shellcode;
                no-process-ignore-s2c;
                ignore-regular-expression;
                log-supercede-min 32000;
            }
            global {
                enable-packet-pool;
                enable-all-qmodules;
                no-policy-lookup-cache;
                memory-limit-percent 70;
            }
        }
    }
    address-book {
        web-server {
            address SPD 185.9.157.15/32;
            address SALAY 178.20.231.5/32;
        }
        TeamSpeak {
            address Veli 178.20.231.165/32;
            attach {
                zone DisNetwork;
                zone IcNetwork;
            }
        }
    }
    alg {
        ftp ftps-extension;
        mgcp disable;
        rtsp;
        sccp disable;
        ike-esp-nat {
            enable;
        }
    }
    application-firewall {
        rule-sets TeamSpeak {
            rule TeamSpeak {
                match {
                    dynamic-application junos:TEAMSPEAK;
                }
                then {
                    permit;
                }
            }
            rule SSH {
                match {
                    dynamic-application junos:SSH;
                }
                then {
                    permit;
                }
            }
            default-rule {
                deny;
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                ip-black-list {
                    value [ http://*.sex.com http://*.gamble.com http://*.flashgames.com ];
                }
                ip-white-list {
                    value [ http://*.work.com http://*.taxes.com http://*.networking.com ];
                }
            }
        }
        feature-profile {
            anti-spam {
                address-whitelist ip-white-list;
                address-blacklist ip-black-list;
                sbl {
                    profile local-profile {
                        no-sbl-default-server;
                        spam-action tag-subject;
                        custom-tag-string ***YEP*SPAM***;
                    }
                }
            }
        }
        utm-policy spam-block {
            anti-spam {
                smtp-profile local-profile;
            }
        }
    }
    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 50;
            low-watermark 80;
            high-watermark 90;
        }
        tcp-mss {
            all-tcp {
                mss 1460;
            }
        }
        tcp-session {
            rst-invalidate-session;
            rst-sequence-check;
            strict-syn-check;
            no-sequence-check;
            tcp-initial-timeout 10;
        }
    }
    screen {
        ids-option internet-screen {
            icmp {
                ip-sweep threshold 10000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 50;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    queue-size 2000;
                    timeout 30;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 50000;
                udp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 100;
                destination-ip-based 2000;
            }
        }
    }
    policies {
        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DisNetwork to-zone IcNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application [ TCPDefault UDPDefault ICMPDefault ];
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy BlockOther {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
            policy spam-tag {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy spam-block;
                        }
                    }
                }
            }
            policy TeamSpeak {
                description "TeamSpeak Ozel";
                match {
                    source-address any;
                    destination-address Veli;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set TeamSpeak;
                            }
                        }
                    }
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    datapath-debug {
        capture-file PCAP;
        maximum-capture-size 10000;
        action-profile {
            Capture {
                event np-ingress {
                    packet-dump;
                }
            }
        }
        packet-filter 1 {
            action-profile Capture;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DisNetwork {
            tcp-rst;
            screen internet-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
            }
        }
        security-zone IcNetwork {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
            }
        }
    }
}
firewall {
    family inet {
        filter BlokKural {
            term 1 {
                from {
                    packet-length 0-30;
                    protocol udp;
                }
                then {
                    count dns-jova;
                    log;
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter blocked.IP {
            term 1 {
                from {
                    prefix-list {
                        block.zeusCC;
                        unblock.zeusCC except;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
}
applications {
    application TTPBlocker protocol 84;
    application TCPDefault protocol tcp;
    application UDPDefault protocol udp;
    application ICMPDefault protocol icmp;
}

harbor235

The key regarding uRPF is that what I am talking about leverages uRPF and source based remotely triggered black hole routing. It is a standard ISP tool for mitigating many types of attacks. The key is a trigger router that announces the attacking prefix with a next-hop to a discard interface or null route.

What version of code are you using?

"And also i really do not understand when we disable UDP flood protection why the device is locking it self "
Because this is a CPU-intensive activity and there must be a lot of this traffic. Are you watching your CPU while implementing this?

Is your SRX fronted by a router?

Tell me exactly what you are trying to block ?  src ip = 185.9.156.2  src port 58253 ?

firewall filter applied to outside interface, destination IP any, port any will block this.

harbor235 ;}
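
The mechanism described in the post above (loose uRPF combined with source-based remotely triggered black hole routing), as an added Python model that is not part of the thread and is not Junos configuration. The discard next hop 192.0.2.1 and the second source 198.51.100.7 are constructed values; 185.9.156.2 and xe-1/0/0.0 are taken from the thread.

```python
import ipaddress
from dataclasses import dataclass

DISCARD = "discard"            # marker for a null/discard next hop
BLACKHOLE_NH = "192.0.2.1"     # constructed: next hop the trigger router announces


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str              # DISCARD, an interface name, or an IPv4 address


class Fib:
    """Minimal forwarding table with longest-prefix match."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop))

    def withdraw(self, prefix):
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r.prefix != net]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None
                                   or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, addr, depth=4):
        """Follow recursive next hops to an interface or DISCARD; None if unroutable."""
        route = self.lookup(addr)
        while route is not None and depth > 0:
            nh = route.next_hop
            if nh == DISCARD:
                return DISCARD
            try:
                ipaddress.ip_address(nh)
            except ValueError:
                return nh      # not an address, so it is an interface name
            route = self.lookup(nh)
            depth -= 1
        return None


def build_edge_fib():
    """Edge device: default route out the uplink plus a static discard route."""
    fib = Fib()
    fib.add("0.0.0.0/0", "xe-1/0/0.0")
    fib.add(BLACKHOLE_NH + "/32", DISCARD)
    return fib


def trigger_announce(fib, attacker_prefix):
    """What the edge learns when the trigger router announces the attacking prefix."""
    fib.add(attacker_prefix, BLACKHOLE_NH)


def trigger_withdraw(fib, attacker_prefix):
    fib.withdraw(attacker_prefix)


def urpf_loose(fib, src):
    """Loose-mode source check: any route passes unless it resolves to discard."""
    out = fib.resolve(src)
    if out is None:
        return "drop:no-route"
    if out == DISCARD:
        return "drop:blackholed"
    return "pass"


def count_verdicts(fib, sources):
    """Tally verdicts for a list of packet source addresses."""
    tally = {}
    for src in sources:
        verdict = urpf_loose(fib, src)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


if __name__ == "__main__":
    # Constructed packet sources: three from the flooding host, one unrelated.
    packets = ["185.9.156.2", "185.9.156.2", "185.9.156.2", "198.51.100.7"]
    fib = build_edge_fib()
    print("before trigger:", count_verdicts(fib, packets))
    trigger_announce(fib, "185.9.156.2/32")
    print("after trigger: ", count_verdicts(fib, packets))
```

Before the trigger route exists, the loose check passes every packet because the default route covers the source, so the uRPF failure count stays at zero; only the announced /32 resolving to discard makes the check drop that source.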
FireBall

ASKER
Is your SRX fronted by a router?
we have 4500 EX series a device in front of the SRX but there is no problem with sending black hole manually packages. This is a simple flood and firewall need to resolve it.

Tell me exactly what you are trying to block ?  src ip = 185.9.156.2  src port 58253 ?
device and the connected all servers losing connection when we release the traffic from screen


firewall filter applied to outside interface, destination IP any, port any will block this.
other ports was inaccessible too like the srx closed.
FireBall

ASKER
We have tried u-rpf

    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }


result is same srx is locking itself, with limiting the connections udp threshold on screen

root@srx3600.spd.net.tr> show firewall

Filter: blocked.IP

Filter: rpf-filter
Counters:
Name                                                Bytes              Packets
rpf-failed-count                                        0                    0

Filter: __default_bpdu_filter__

Filter: BlokKural
Counters:
Name                                                Bytes              Packets
dns-jova                                         51590713              1778991


Attack did not hit the rpf-check -we delete dns jova rule to see if there is a problem with order , nothing change

this is the tcpdump output of victim machine , so urpf not worked

01:02:12.338666 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338671 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338673 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338675 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338677 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338678 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338680 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338682 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338683 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338685 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338687 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338688 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338690 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338691 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338693 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338695 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338699 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338701 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338767 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338771 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338791 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338794 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338814 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338818 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338850 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338888 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338892 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338989 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338994 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338996 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338998 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.338999 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339001 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339045 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339051 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339086 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339091 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339113 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339144 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339149 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339394 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339399 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339401 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339403 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339405 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339407 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339408 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339410 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339412 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339413 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339415 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339417 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339419 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339427 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339482 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339486 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339506 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339510 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339547 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339552 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339574 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339603 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339613 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339665 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339670 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339672 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339700 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339704 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339743 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339748 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339788 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339793 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339906 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339917 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339921 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339925 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339928 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339932 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339935 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339953 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339989 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.339993 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340013 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340044 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340049 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340071 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340161 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340171 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340175 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340179 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340182 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340186 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340246 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340251 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340253 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340284 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340289 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340311 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340330 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340467 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340478 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340481 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340485 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340489 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340492 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340504 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340506 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340508 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340551 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340555 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340557 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340649 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340653 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340699 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340704 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340706 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340708 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340716 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340718 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340750 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340787 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340792 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340824 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340829 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340851 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340886 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340891 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340913 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340947 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340953 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340986 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.340991 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341062 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341072 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341076 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341079 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341083 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341129 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341132 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341153 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341183 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341188 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341211 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341230 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341248 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341267 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341302 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341307 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341385 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341395 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341399 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341403 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341432 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341435 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341517 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341528 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341656 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341660 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341662 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341664 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341666 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341668 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341669 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341671 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341782 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341793 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341797 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341800 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341804 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341807 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341811 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341823 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341831 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341834 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341885 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341890 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341892 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341917 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341946 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341951 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.341973 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342003 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342008 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342042 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342047 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342085 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342090 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342112 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342122 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342142 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342161 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342243 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342253 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342257 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342268 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342270 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342304 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342308 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342399 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342409 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342413 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342417 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342420 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342466 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342469 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342471 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342545 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342556 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342560 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342563 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342567 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342587 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342654 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342659 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342661 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342669 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342749 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342759 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342763 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342767 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342771 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342815 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342819 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342888 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342898 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342902 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342905 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342909 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342954 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342958 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342960 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.342987 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343005 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343031 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343066 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343071 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343101 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343106 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343129 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343148 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343166 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343185 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343221 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343226 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343249 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343268 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343287 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343305 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343326 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343389 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343399 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343403 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343407 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343452 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343455 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343457 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343484 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343527 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343532 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343565 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343570 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343593 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343597 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343647 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343652 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343685 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343690 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343762 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343772 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343776 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343799 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343801 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343803 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343838 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343842 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343866 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343941 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343951 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343955 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343995 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.343999 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344001 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344002 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344032 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344050 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344086 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344091 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344126 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344131 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344153 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344162 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344202 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344207 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344283 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344293 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344297 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344320 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344322 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344352 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344355 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344381 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344385 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344407 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344441 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344446 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344468 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344487 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344525 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344530 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344566 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1
01:02:12.344571 IP 185.9.156.2.41034 > 178.20.231.2.ddi-udp-1: UDP, length 1

Open in new window

FireBall

ASKER
I have created a test zone and I have added
-no filter
-no policy
-no screen
-no ips

I just gave an IP address to the interface and tested the same attack script, hitting this interface directly on the main IP address of the interface; the SRX locked again.

I have checked the last 60 seconds:
session counts
cpu usage
memory usage
npc status
spc status

Everything seems fine.

So how can the device block with screen, yet not simply pass the traffic without screen? What should be the problem :(
FireBall

ASKER
I think I found it, but I cannot accept it :(

1. http://orm-chimera-prod.s3.amazonaws.com/1234000001633/images/jsec_0801.png

Depending on this image, SRX checks each connection's session; for that, the datasheet:
http://www.lightriver.com/uploadfiles/pdf/Juniper/JNPR-DS-SRX3400-SRX3600.pdf

SRX can check 175000 sessions per second, but this attack creates 200k+ pps and it does not create a session.

2. Depending on the O'Reilly book, page 365, SRX cannot handle more than a 70000K UDP threshold.

But this is an enterprise firewall; how should this be possible? These are such small numbers.
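An added example, not part of the thread and not Juniper tooling: a Python script that measures per-flow packet rate from tcpdump text in the format of the capture above, so the offered pps can be compared with a device's rated figures. The sample lines, the RFC 5737 addresses, the function names and the threshold value are constructed assumptions.

```python
import re

# tcpdump's one-line UDP summary, the format of the capture in this thread:
#   HH:MM:SS.uuuuuu IP <src>.<sport> > <dst>.<dport>: UDP, length <n>
# Ports may be printed as service names (e.g. "ddi-udp-1"), so accept both.
LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.([\w-]+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.([\w-]+): UDP, length (\d+)$"
)
DAY_US = 24 * 3600 * 1_000_000


def summarize(lines):
    """Group UDP packets by (src, dst, dport) and measure each flow's rate."""
    flows = {}
    day_offset, prev_raw = 0, None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # banner or non-UDP line: ignore it
        h, mi, s, frac, src, _sport, dst, dport, length = m.groups()
        raw = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(frac)
        # tcpdump prints no date by default: a large backwards jump is midnight.
        if prev_raw is not None and prev_raw - raw > DAY_US // 2:
            day_offset += DAY_US
        prev_raw = raw
        ts = raw + day_offset
        f = flows.setdefault((src, dst, dport), {
            "src": src, "dst": dst, "dport": dport,
            "packets": 0, "first_us": ts, "last_us": ts, "lengths": set(),
        })
        f["packets"] += 1
        f["first_us"] = min(f["first_us"], ts)
        f["last_us"] = max(f["last_us"], ts)
        f["lengths"].add(int(length))
    for f in flows.values():
        span = f["last_us"] - f["first_us"]
        # N packets cover N-1 intervals; a single packet has no rate.
        f["pps"] = (f["packets"] - 1) * 1_000_000 / span if span else 0.0
    return flows


def flag_floods(lines, pps_threshold, min_packets=50):
    """Return flows at or above pps_threshold, fastest first.

    min_packets keeps two back-to-back packets from looking like a flood.
    """
    hits = [f for f in summarize(lines).values()
            if f["packets"] >= min_packets and f["pps"] >= pps_threshold]
    return sorted(hits, key=lambda f: f["pps"], reverse=True)


def constructed_sample():
    """Constructed capture text: one 1-byte UDP flood and one slow flow."""
    lines = ["tcpdump: verbose output suppressed, "
             "use -v or -vv for full protocol decode"]
    for i in range(200):  # one packet every 5 microseconds
        lines.append("01:02:12.%06d IP 192.0.2.10.41034 > "
                     "198.51.100.5.ddi-udp-1: UDP, length 1" % (i * 5))
    for i in range(5):    # one packet every 100 milliseconds
        lines.append("01:02:12.%06d IP 192.0.2.77.53001 > "
                     "198.51.100.5.domain: UDP, length %d"
                     % (i * 100000, 30 + i))
    return lines


if __name__ == "__main__":
    # 175000 is the figure quoted in the thread, used here only as an
    # illustrative threshold; set it from the device's own rated capacity.
    for f in flag_floods(constructed_sample(), pps_threshold=175000):
        print("%s -> %s:%s  %d packets, %.0f pps, payload sizes %s"
              % (f["src"], f["dst"], f["dport"], f["packets"], f["pps"],
                 sorted(f["lengths"])))
```

The rate is measured at the capture point, so it reflects what reached that interface, not what the sender emitted.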
giltjr

Not sure if this command will work, but can you issue:

show protocols UDP timeout

It looks like the default timeout for tracking UDP requests is 60 seconds.
FireBall

ASKER
While an attack was going on, we checked from the serial connection:

                                                           elay: 0/0/68
Interface: ge-0/0/1, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                           Current delta
  Input bytes:                8882410078 (482358664 bps)        [473343620]
  Output bytes:                 99109988 (0 bps)                        [0]
  Input packets:               142247660 (972491 pps)             [7634523]
  Output packets:                 590560 (0 pps)                        [0]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                    0                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0  Carrier transiti              [0]






Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'


Valid sessions: 112
Pending sessions: 562421
Invalidated sessions: 545656
Sessions in other states: 0
Total sessions: 1108189
Maximum sessions: 2359296


giltjr

I just noticed that you displayed the ge-0/0/1 interface.  Based on your configuration this interface is not defined in a zone and thus does not have any firewall/ids/ips/screen/filter rules applied.  

The only zone you have idp/firewall rules applied to is DisNetwork, and interface xe-1/0/0.0 is the only interface in this zone.

I am assuming that ge-0/0/1 is supposed to be on your internal "management" network and your DisNetwork (xe-1/0/0.0) would be your "outside/untrust" network and IcNetwork (interface xe-1/0/1.0) is your inside/trusted network.