SRX3600 Source Based UDP Connection Limit

Is there any possible way to block a source IP on protocol UDP depending on connection count?
FireBallIT asked:
giltjr commented:
Just found this article:

https://blog.sinatranetwork.com/2011/12/01/denial-of-service-junipernetworks-srx-firewalls-whitehat/

If you scroll down a bit you will find an SRX engineer actually responded with a few performance specs.

Such as "each SPU can do 45k CPS, the 1k/3k have 1 SPU per SPC", which means that when you are getting 100K pps you are exceeding the performance of a single SPC.

Again, I think the biggest problem is the actual understanding of the configuration. There are other comments by the SRX engineer that imply that different types of "rules" (screen vs. filter vs. IDP/IDS) are executed/processed on the different processors (IOC vs. NPC vs. SPC), so a combination of configuration statements helps protect the SRX itself as well as the devices behind it.
btan (Exec Consultant) commented:
UDP is stateless, though, hence no connection per se, so connection-limit applies only to established connections for each type of system service (finger, ftp, ssh, telnet, xnm-clear-text, or xnm-ssl) for each IP protocol, such as IPv6 and IPv4.
http://www.juniper.net/techpubs/en_US/junos10.2/topics/reference/configuration-statement/connection-limit-edit-system.html
e.g. set system services telnet connection-limit 3 (http://kb.juniper.net/InfoCenter/index?page=content&id=KB28135)

Rather, it is probably better to explore rate limiting per se.

e.g. ICMP rate limit on the system for Host Inbound connections
(http://kb.juniper.net/InfoCenter/index?page=content&id=KB28184)
e.g. Use of a policer to rate limit is supported only when using simple-filter
On high-end devices, including SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800, the use of a policer to rate limit is supported only when using simple-filter. If you use the firewall filter, an unsupported platform warning is generated. To police traffic over-subscription, use the simple-filter...... Note: This simple-filter policer is only for unidirectional incoming traffic. It does not police the bandwidth bi-directionally.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22712
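As an added example (not from this thread and not Juniper's code), here is the per-source UDP "connection" counting the question asks for, done on the syslog side over the RT_FLOW session logs the posted configuration already exports: a sliding-window counter that treats each UDP session create as the connection event, plus an exempt prefix list that plays the same role as the "unblock.zeusCC except" entry in the posted filter. The simplified log layout, the 10-second window and the threshold of 5 are assumptions for the demonstration, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 10   # illustrative sliding window (assumption)
THRESHOLD = 5         # illustrative: flag a source at its 5th UDP session within the window
UDP = 17              # IP protocol number for UDP

# Constructed sample log in a simplified layout (an assumption, not the exact Junos RT_FLOW format):
# "<epoch-seconds> RT_FLOW_SESSION_CREATE <src>/<sport>-><dst>/<dport> <ip-proto>"
SAMPLE_LOG = """\
1000 RT_FLOW_SESSION_CREATE 198.51.100.7/40001->203.0.113.10/53 17
1000 RT_FLOW_SESSION_CREATE 198.51.100.7/40002->203.0.113.10/53 17
1001 RT_FLOW_SESSION_CREATE 198.51.100.7/40003->203.0.113.10/53 17
1001 RT_FLOW_SESSION_CREATE 192.0.2.9/51000->203.0.113.10/443 6
1001 RT_FLOW_SESSION_CREATE 192.0.2.9/51001->203.0.113.10/443 6
1001 RT_FLOW_SESSION_CREATE 192.0.2.9/51002->203.0.113.10/443 6
1002 RT_FLOW_SESSION_CREATE 198.51.100.7/40004->203.0.113.10/53 17
1011 RT_FLOW_SESSION_CREATE 198.51.100.7/40005->203.0.113.10/53 17
1011 RT_FLOW_SESSION_CREATE 198.51.100.7/40006->203.0.113.10/53 17
1012 RT_FLOW_SESSION_CREATE 198.51.100.7/40007->203.0.113.10/53 17
1012 RT_FLOW_SESSION_CREATE 198.51.100.7/40008->203.0.113.10/53 17
1012 RT_FLOW_SESSION_CREATE 198.51.100.7/40009->203.0.113.10/53 17
1030 RT_FLOW_SESSION_CREATE 198.51.100.7/40010->203.0.113.10/53 17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) RT_FLOW_SESSION_CREATE "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<proto>\d+)$"
)


def parse_line(line):
    """Return (ts, src, dst, proto) for a session-create line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["proto"])


def udp_rate_offenders(lines, window=WINDOW_SECONDS, threshold=THRESHOLD, exempt=()):
    """Sliding-window count of UDP session creates per source address.

    Returns {src: first_timestamp_at_which_threshold_was_reached}.  Sources inside any
    'exempt' prefix are never reported, mirroring the 'except' prefix-list idea from the
    posted firewall filter.  Because the SRX creates a flow session for UDP as well,
    the session-create event is the closest thing UDP has to a "connection".
    """
    exempt_nets = [ip_network(p) for p in exempt]
    recent = defaultdict(deque)   # src -> timestamps of recent UDP session creates
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                   # unrelated or malformed log line
        ts, src, _dst, proto = rec
        if proto != UDP:
            continue                   # only UDP counts towards this limit
        if any(ip_address(src) in net for net in exempt_nets):
            continue                   # exempted prefix, never block
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()                # drop events that fell out of the window
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts          # remember when the source first crossed the line
    return flagged


if __name__ == "__main__":
    for src, ts in udp_rate_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{src} reached {THRESHOLD} UDP sessions within {WINDOW_SECONDS}s at t={ts}")
```

The returned dictionary is what you would feed into whatever blocking mechanism the platform supports (prefix-list update, policer, or screen); the counter itself deliberately ignores TCP so that an ordinary client with many TCP connections never trips a UDP limit.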
FireBallIT (author) commented:
Dear btan, another question goes to the same point, and I am sharing the same answer.


We are a public datacenter. RPF only checks prefixes to block some conditions like spoofed outputs. It does not solve our problem; also, we already tried it.

And also I really do not understand why, when we disable UDP flood protection, the device is locking itself.
We try to block attack with
- Firewall filter
- IDS custom attack (with flow ip-action it shows the IP as blocked, but the attack still keeps hitting the IDP attack-table)
- Policy based

On each of them the result is the same: the device is locking itself, and after the attack finishes it comes back a few minutes later.
The attack is not so big; it comes with 200 Mbps and 100-120 Kpps. I do not believe that Juniper cannot handle this.


We first tried to block Zeus with the attacker IP, then tried a firewall filter, then tried an IDS custom signature depending on the packets; the result is all the same :/
  xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }

firewall {
    family inet {
        filter BlokKural {
            term 1 {
                from {
                    packet-length 0-30;
                    protocol udp;
                }
                then {
                    count dns-jova;
                    log;
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter blocked.IP {
            term 1 {
                from {
                    prefix-list {
                        block.zeusCC;
                        unblock.zeusCC except;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
}
policy-options {
    prefix-list block.zeusCC {
        43.255.180.0/24;
        43.255.184.0/24;
        43.255.190.0/24;
        43.255.191.0/24;
        61.168.229.0/24;
        182.100.64.0/24;
        182.100.67.0/24;
        218.65.24.0/24;
    }
    prefix-list unblock.zeusCC;
}
       custom-attack Block_Flooder {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 100;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                }
            }
        }
        custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            total-length {
                                match equal;
                                value 29;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ip-flags df;
                        }
                    }
                }
            }
        }
        application-ddos dns-server-1 {


Our full configuration is as follows:

## Last changed: 2015-04-15 10:41:15 UTC
version 12.1X44-D45.2;

    name-server {
        195.175.39.39;
        8.8.8.8;
    }
    scripts {
        commit {
            file templates.xsl;
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface [ ge-0/0/1.0 xe-1/0/0.0 xe-1/0/1.0 ];
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        host 185.9.157.27 {
            any any;
            match RT_FLOW;
        }
        file messages {
            any emergency;
            authorization info;
        }
        file policy_session {
            match RT_FLOW;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.95/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.100.100.2/30;
            }
        }
    }
    xe-1/0/0 {
        description Uplink;
        unit 0 {
            family inet {
                rpf-check {
                    fail-filter rpf-filter;
                    mode loose;
                }
                filter {
                    input BlokKural;
                    output blocked.IP;
                }
                address 37.123.100.122/29;
            }
        }
    }
    xe-1/0/1 {
        description "Ex4500 Downlink";
        unit 0 {
            family inet {
                address 37.123.101.225/27;
                address 178.20.231.1/24;
                address 178.20.229.225/27;
                address 178.20.229.33/27;
                address 178.20.229.65/27;
                address 37.123.96.145/28;
            }
        }
    }
    st0 {
        unit 1 {
            family inet;
        }
    }
}
forwarding-options {
    packet-capture {
        file filename pcap-file files 100 size 1k world-readable;
        maximum-capture-size 1500;
    }
}
snmp {
    location izmir;
    contact "Cahit Eyigunlu";
    community SALAY {
        authorization read-only;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 37.123.100.121;
    }
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}
policy-options {
    prefix-list block.zeusCC {
        43.255.180.0/24;
        43.255.184.0/24;
        43.255.190.0/24;
        43.255.191.0/24;
        61.168.229.0/24;
        182.100.64.0/24;
        182.100.67.0/24;
        218.65.24.0/24;
    }
    prefix-list unblock.zeusCC;
}
security {
    log {
        mode event;
        event-rate 1000;
        format sd-syslog;
    }
    idp {
        idp-policy Server-Protection {
            /* This template policy is designed to protect servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Minor, Warning, and Info severities.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]SSL - Info" "[Recommended]DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]DNS - Info" "[Recommended]FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks.  If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]MS-RPC" "[Recommended]LDAP" "[Recommended]NETBIOS" "[Recommended]RADIUS" "[Recommended]SSH" "[Recommended]TELNET" "[Recommended]DB" "[Recommended]VNC" "[Recommended]NFS" "[Recommended]NTP" "[Recommended]PORTMAPPER" "[Recommended]DHCP" "[Recommended]RPC" "[Recommended]SNMP" "[Recommended]SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]TROJAN" "[Recommended]VIRUS" "[Recommended]WORM" "[Recommended]SHELLCODE" "[Recommended]SCAN" "[Recommended]DOS" "[Recommended]DDOS" "[Recommended]Misc_SPYWARE" "[Recommended]Misc_TROJAN" "[Recommended]Misc_VIRUS" "[Recommended]Misc_WORM" "[Recommended]Misc_SHELLCODE" "[Recommended]Misc_SCAN" "[Recommended]Misc_DOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your servers against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]CHAT" "[Recommended]P2P" "[Recommended]APP" "[Recommended]RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Server-Protection-1G {
            /* This template policy is designed to protect servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your servers against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]SSL - Major" "[Recommended]DNS - Critical" "[Recommended]DNS - Major" "[Recommended]FTP - Critical" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your servers against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your servers against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]SSH - Major" "[Recommended]DB - Critical" "[Recommended]DB - Major" "[Recommended]NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your servers against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Misc_TROJAN - Major" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Misc_VIRUS - Major" "[Recommended]Misc_WORM - Critical" 
                            "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your servers against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]TCP" "[Recommended]UDP" "[Recommended]ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection {
            /* This template policy is designed to protect clients.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Minor" "[Recommended]Response_HTTP - Warning" "[Recommended]Response_HTTP - Info" "[Recommended]Response_SSL - Minor" "[Recommended]Response_SSL - Warning" "[Recommended]Response_SSL - Info" "[Recommended]Response_DNS - Minor" "[Recommended]Response_DNS - Warning" "[Recommended]Response_DNS - Info" "[Recommended]Response_FTP - Minor" "[Recommended]Response_FTP - Warning" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_IMAP - Minor" "[Recommended]Response_IMAP - Warning" "[Recommended]Response_IMAP - Info" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_POP3 - Minor" "[Recommended]Response_POP3 - Warning" "[Recommended]Response_POP3 - Info" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" "[Recommended]Response_SMTP - Minor" 
                            "[Recommended]Response_SMTP - Warning" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB" "[Recommended]Response_MS-RPC" "[Recommended]Response_LDAP" "[Recommended]Response_NETBIOS" "[Recommended]Response_RADIUS" "[Recommended]Response_SSH" "[Recommended]Response_TELNET" "[Recommended]Response_DB" "[Recommended]Response_VNC" "[Recommended]Response_NFS" "[Recommended]Response_NTP" "[Recommended]Response_PORTMAPPER" "[Recommended]Response_DHCP" "[Recommended]Response_RPC" "[Recommended]Response_SNMP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]Response_WORM" "[Recommended]Misc_WORM" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_VOIP" "[Recommended]Response_CHAT" "[Recommended]Response_P2P" "[Recommended]Response_APP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-Protection-1G {
            /* This template policy is designed to protect clients.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_HTTP - Critical" "[Recommended]Response_HTTP - Major" "[Recommended]Response_SSL - Critical" "[Recommended]Response_SSL - Major" "[Recommended]Response_DNS - Critical" "[Recommended]Response_DNS - Major" "[Recommended]Response_FTP - Critical" "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IMAP - Critical" "[Recommended]Response_IMAP - Major" "[Recommended]Response_POP3 - Critical" "[Recommended]Response_POP3 - Major" "[Recommended]Response_SMTP - Critical" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SMB - Critical" "[Recommended]Response_SMB - Major" "[Recommended]Response_MS-RPC - Critical" "[Recommended]Response_MS-RPC - Major" "[Recommended]Response_NETBIOS - Critical" "[Recommended]Response_NETBIOS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]Response_VIRUS - Critical" "[Recommended]Misc_VIRUS - Critical" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]Response_WORM - Critical" 
                            "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Major" "[Recommended]Misc_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Response_IP" "[Recommended]Response_TCP" "[Recommended]Response_UDP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection {
            /* This template policy is designed to protect both clients and servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Supplemental {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Minor, Warning, and Info severities.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Minor" "[Recommended]Response_HTTP - Minor" "[Recommended]HTTP - Warning" "[Recommended]Response_HTTP - Warning" "[Recommended]HTTP - Info" "[Recommended]Response_HTTP - Info" "[Recommended]SSL - Minor" "[Recommended]Response_SSL - Minor" "[Recommended]SSL - Warning" "[Recommended]Response_SSL - Warning" "[Recommended]SSL - Info" "[Recommended]Response_SSL - Info" "[Recommended]DNS - Minor" "[Recommended]Response_DNS - Minor" "[Recommended]DNS - Warning" "[Recommended]Response_DNS - Warning" 
                            "[Recommended]DNS - Info" "[Recommended]Response_DNS - Info" "[Recommended]FTP - Minor" "[Recommended]Response_FTP - Minor" "[Recommended]FTP - Warning" "[Recommended]Response_FTP - Warning" "[Recommended]FTP - Info" "[Recommended]Response_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_HTTP - Minor" "[Recommended]Misc_HTTP - Warning" "[Recommended]Misc_HTTP - Info" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_SSL - Minor" "[Recommended]Misc_SSL - Warning" "[Recommended]Misc_SSL - Info" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_DNS - Minor" "[Recommended]Misc_DNS - Warning" "[Recommended]Misc_DNS - Info" 
                            "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" "[Recommended]Misc_FTP - Minor" "[Recommended]Misc_FTP - Warning" "[Recommended]Misc_FTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. If you experience low IDP performance, you may remove the lower-severity groups from your policy for a small increase in performance, at the cost of security. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]IMAP - Minor" "[Recommended]Response_IMAP - Minor" "[Recommended]IMAP - Warning" "[Recommended]Response_IMAP - Warning" "[Recommended]IMAP - Info" "[Recommended]Response_IMAP - Info" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]POP3 - Minor" 
                            "[Recommended]Response_POP3 - Minor" "[Recommended]POP3 - Warning" "[Recommended]Response_POP3 - Warning" "[Recommended]POP3 - Info" "[Recommended]Response_POP3 - Info" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" "[Recommended]SMTP - Minor" "[Recommended]Response_SMTP - Minor" "[Recommended]SMTP - Warning" "[Recommended]Response_SMTP - Warning" "[Recommended]SMTP - Info" "[Recommended]Response_SMTP - Info" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB" "[Recommended]Response_SMB" "[Recommended]MS-RPC" "[Recommended]Response_MS-RPC" "[Recommended]LDAP" "[Recommended]Response_LDAP" "[Recommended]NETBIOS" "[Recommended]Response_NETBIOS" "[Recommended]RADIUS" "[Recommended]Response_RADIUS" "[Recommended]SSH" "[Recommended]Response_SSH" "[Recommended]TELNET" "[Recommended]Response_TELNET" "[Recommended]DB" "[Recommended]Response_DB" "[Recommended]VNC" "[Recommended]Response_VNC" "[Recommended]NFS" "[Recommended]Response_NFS" 
                            "[Recommended]NTP" "[Recommended]Response_NTP" "[Recommended]PORTMAPPER" "[Recommended]Response_PORTMAPPER" "[Recommended]DHCP" "[Recommended]Response_DHCP" "[Recommended]RPC" "[Recommended]Response_RPC" "[Recommended]SNMP" "[Recommended]Response_SNMP" "[Recommended]SNMPTRAP" "[Recommended]Response_SNMPTRAP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE" "[Recommended]Response_SPYWARE" "[Recommended]Misc_SPYWARE" "[Recommended]TROJAN" "[Recommended]Response_TROJAN" "[Recommended]Misc_TROJAN" "[Recommended]VIRUS" "[Recommended]Response_VIRUS" "[Recommended]Misc_VIRUS" "[Recommended]WORM" "[Recommended]Misc_WORM" "[Recommended]Response_WORM" "[Recommended]SHELLCODE" "[Recommended]Response_SHELLCODE" "[Recommended]Misc_SHELLCODE" "[Recommended]SCAN" "[Recommended]Response_SCAN" "[Recommended]Misc_SCAN" "[Recommended]DOS" 
                            "[Recommended]Response_DOS" "[Recommended]Misc_DOS" "[Recommended]DDOS" "[Recommended]Response_DDOS" "[Recommended]Misc_DDOS" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Other-Activity {
                    /* This rule is designed to protect your clients against other common attacks.  This rule is useful if your organization is concerned about chat, P2P, and similar activity.  If not, this rule can be disabled or removed from your policy for a minor increase in performance. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]VOIP" "[Recommended]Response_VOIP" "[Recommended]CHAT" "[Recommended]Response_CHAT" "[Recommended]P2P" "[Recommended]Response_P2P" "[Recommended]APP" "[Recommended]Response_APP" "[Recommended]RTSP" "[Recommended]Response_RTSP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Client-And-Server-Protection-1G {
            /* This template policy is designed to protect both clients and servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule Web-Services-Essential {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes Critical and Major severities.  This is an essential rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]Response_HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]Response_HTTP - Major" "[Recommended]SSL - Critical" "[Recommended]Response_SSL - Critical" "[Recommended]SSL - Major" "[Recommended]Response_SSL - Major" "[Recommended]DNS - Critical" "[Recommended]Response_DNS - Critical" "[Recommended]DNS - Major" "[Recommended]Response_DNS - Major" "[Recommended]FTP - Critical" "[Recommended]Response_FTP - Critical" "[Recommended]FTP - Major" 
                            "[Recommended]Response_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Web-Services-Low-Performance {
                    /* This rule is designed to protect your clients against common internet attacks.  It includes performance-impacting signatures.  If IDP performance is low, this rule can be disabled to improve performance at the cost of security.  Alternatively, you may remove the lower-severity groups from your policy for a small increase in performance, with a lower cost of security impact. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]Misc_HTTP - Critical" "[Recommended]Misc_HTTP - Major" "[Recommended]Misc_SSL - Critical" "[Recommended]Misc_SSL - Major" "[Recommended]Misc_DNS - Critical" "[Recommended]Misc_DNS - Major" "[Recommended]Misc_FTP - Critical" "[Recommended]Misc_FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Mail-Services {
                    /* This rule is designed to protect your clients against common mail attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]Response_IMAP - Critical" "[Recommended]IMAP - Major" "[Recommended]Response_IMAP - Major" "[Recommended]POP3 - Critical" "[Recommended]Response_POP3 - Critical" "[Recommended]POP3 - Major" "[Recommended]Response_POP3 - Major" "[Recommended]SMTP - Critical" "[Recommended]Response_SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]Response_SMTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Internal-Services {
                    /* This rule is designed to protect your clients against common internal attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMB - Critical" "[Recommended]Response_SMB - Critical" "[Recommended]SMB - Major" "[Recommended]Response_SMB - Major" "[Recommended]MS-RPC - Critical" "[Recommended]Response_MS-RPC - Critical" "[Recommended]MS-RPC - Major" "[Recommended]Response_MS-RPC - Major" "[Recommended]NETBIOS - Critical" "[Recommended]Response_NETBIOS - Critical" "[Recommended]NETBIOS - Major" "[Recommended]Response_NETBIOS - Major" "[Recommended]SSH - Critical" "[Recommended]Response_SSH - Critical" 
                            "[Recommended]SSH - Major" "[Recommended]Response_SSH - Major" "[Recommended]DB - Critical" "[Recommended]Response_DB - Critical" "[Recommended]DB - Major" "[Recommended]Response_DB - Major" "[Recommended]NTP - Critical" "[Recommended]Response_NTP - Critical" "[Recommended]NTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malicious-Activity {
                    /* This rule is designed to protect your clients against common malware attacks and other malicious activity.  This is a very important rule and should be kept enabled. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SPYWARE - Critical" "[Recommended]Response_SPYWARE - Critical" "[Recommended]Misc_SPYWARE - Critical" "[Recommended]SPYWARE - Major" "[Recommended]Response_SPYWARE - Major" "[Recommended]Misc_SPYWARE - Major" "[Recommended]TROJAN - Critical" "[Recommended]Response_TROJAN - Critical" "[Recommended]Misc_TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]Response_TROJAN - Major" "[Recommended]Misc_TROJAN - Major" "[Recommended]VIRUS - Critical" "[Recommended]Response_VIRUS - Critical" 
                            "[Recommended]Misc_VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]Response_VIRUS - Major" "[Recommended]Misc_VIRUS - Major" "[Recommended]WORM - Critical" "[Recommended]Misc_WORM - Critical" "[Recommended]Response_WORM - Critical" "[Recommended]WORM - Major" "[Recommended]Misc_WORM - Major" "[Recommended]Response_WORM - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Transport-Services {
                    /* This rule is designed to protect your clients against common transport attacks.  Triggers against this rule could indicate an attacker is attempting to evade your IDP.  Unusual network configurations can also sometimes trigger attacks in this rule. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP" "[Recommended]Response_IP" "[Recommended]TCP" "[Recommended]Response_TCP" "[Recommended]UDP" "[Recommended]Response_UDP" "[Recommended]ICMP" "[Recommended]Response_ICMP" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Web_Server {
            /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common web and IIS services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Minor" "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "NNTP - Minor" "SHELLCODE - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DMZ_Services {
            /* This template policy is designed to be used to protect a typical DMZ environment. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Critical" "FINGER - Major" "GOPHER - Critical" "GOPHER - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "SHELLCODE - Major" "SHELLCODE - Critical" "NNTP - Critical" "NNTP - Major" "IMAP - Critical" "IMAP - Major" "POP3 - Critical" "POP3 - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FINGER - Minor" "FTP - Minor" "GOPHER - Minor" "HTTP - Minor" "IMAP - Minor" "NNTP - Minor" "POP3 - Minor" "SHELLCODE - Minor" "SMTP - Minor" "SSH - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy DNS_Service {
            /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity DNS attacks. Enable this rule to investigate possible threats against Domain Name Services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups "DNS - Minor";
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy File_Server {
            /* This template policy is designed to provide protection to various file sharing services such as SMB, NFS, FTP, and others. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops all DNS and DHCP packets that contain critical severity attacks and logs them as alarms.  Enable this rule if you are running your IDP in \"in-line\" mode, and wish to protect your network against critical DNS and DHCP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DHCP - Critical" "DHCP - Major" "SHELLCODE - Critical" "SHELLCODE - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule drops critical and high severity attacks against common DMZ services and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical and high severity attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "SSH - Critical" "SSH - Major" "NFS - Critical" "NFS - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SMB - Critical" "SMB - Major" "MS-RPC - Critical" "MS-RPC - Major" "NETBIOS - Critical" "NETBIOS - Major" "TFTP - Critical" "TFTP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 4 {
                    /* This rule logs medium severity file service attacks. Enable this rule to investigate possible threats against file sharing services. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Minor" "SSH - Minor" "MS-RPC - Minor" "NETBIOS - Minor" "NFS - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SMB - Minor" "TFTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 6 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Getting_Started {
            /* This template is a good starting point for learning how to create IDP policies. */
            rulebase-ips {
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "IP - Minor" "TCP - Critical" "TCP - Major" "TCP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "ICMP - Critical" "ICMP - Major" "ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "HTTP - Critical" "HTTP - Major" "HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "SMTP - Critical" "SMTP - Major" "SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DNS - Critical" "DNS - Major" "DNS - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "FTP - Critical" "FTP - Major" "FTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "POP3 - Critical" "POP3 - Major" "POP3 - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IMAP - Critical" "IMAP - Major" "IMAP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "TROJAN - Critical" "TROJAN - Major" "TROJAN - Minor" "VIRUS - Critical" "VIRUS - Major" "VIRUS - Minor" "WORM - Critical" "WORM - Major" "WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy IDP_Default {
            /* This template policy represents a good blend of security and performance. Use this template for "in-line" mode. */
            rulebase-ips {
                rule 1 {
                    /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs.  This rule is necessary to harden the IDP against evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 2 {
                    /* This rule drops high severity attacks and logs them as alarms. Enable this rule if you are running your IDP in "in-line" mode, and wish to protect your network against critical attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Critical" "DB - Major" "DDOS - Critical" "DDOS - Major" "DHCP - Critical" "DHCP - Major" "DNS - Critical" "DNS - Major" "DOS - Critical" "DOS - Major" "FTP - Critical" "FTP - Major" "HTTP - Critical" "HTTP - Major" "ICMP - Critical" "ICMP - Major" "IMAP - Critical" "IMAP - Major" "NETBIOS - Critical" "NETBIOS - Major" "MS-RPC - Critical" "MS-RPC - Major" "NFS - Critical" "NFS - Major" "POP3 - Critical" "POP3 - Major" "PORTMAPPER - Critical" "PORTMAPPER - Major" "RPC - Critical" "RPC - Major" "SCAN - Critical" "SCAN - Major" "SHELLCODE - Critical" "SHELLCODE - Major" "SMB - Critical" "SMB - Major" "SMTP - Critical" "SMTP - Major" "SSH - Critical" "SSH - Major" "TELNET - Critical" "TELNET - Major" "TROJAN - Critical" "TROJAN - Major" "WORM - Critical" "WORM - Major" "APP - Critical" "APP - Major" ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
                rule 3 {
                    /* This rule logs medium severity attacks.  Enable this rule if you are running your IDP in "in-line" mode, and wish to monitor your network for attacks and IDS evasion attempts. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "DB - Minor" "DDOS - Minor" "DHCP - Minor" "DNS - Minor" "DOS - Minor" "FTP - Minor" "HTTP - Minor" "ICMP - Minor" "IMAP - Minor" "NETBIOS - Minor" "MS-RPC - Minor" "NFS - Minor" "POP3 - Minor" "PORTMAPPER - Minor" "RPC - Minor" "SCAN - Minor" "SHELLCODE - Minor" "SMB - Minor" "SMTP - Minor" "SSH - Minor" "TELNET - Minor" "TROJAN - Minor" "WORM - Minor" "APP - Minor" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 4 {
                    /* This rule logs low severity attacks.  The rule is disabled by default, as some networks contain many low severity events, which results in many logs. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Warning" "Signature - Warning" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                inactive: rule 5 {
                    /* This rule logs informational events.  This rule is disabled by default as it generates many logs.  Informational signatures are included not to necessarily detect attacks, but to provide additional understanding of your network's traffic. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "Anomaly - Info" "Signature - Info" ];
                        }
                    }
                    then {
                        action {
                            no-action;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        idp-policy Recommended {
            /* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
            rulebase-ips {
                rule 1 {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 2 {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 3 {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 4 {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 5 {
                    /* This rule is designed to protect your network against  important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 6 {
                    /* This rule is designed to protect your network against  important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 7 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 8 {
                    /* This rule is designed to protect your network against  important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule 9 {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule TCP/IP {
                    /* This rule is designed to protect your networks against important TCP/IP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule ICMP {
                    /* This rule is designed to protect your network against  important ICMP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]ICMP - Major" "[Recommended]ICMP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule HTTP {
                    /* This rule is designed to protect your network against  important HTTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule SMTP {
                    /* This rule is designed to protect your network against  important SMTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]SMTP - Critical" "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule DNS {
                    /* This rule is designed to protect your network against important DNS attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule FTP {
                    /* This rule is designed to protect your network against important FTP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule POP3 {
                    /* This rule is designed to protect your network against important POP3 attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule IMAP {
                    /* This rule is designed to protect your network against important IMAP attacks. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
                rule Malware {
                    /* This rule is designed to protect your network against common internet malware. */
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ];
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        active-policy Recommended;
        custom-attack Block_Flooder {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 100;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                }
            }
        }
        custom-attack Block_TTL {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ttl {
                                match equal;
                                value 62;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Size {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            total-length {
                                match equal;
                                value 29;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Length {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        udp {
                            data-length {
                                match equal;
                                value 1;
                            }
                        }
                    }
                }
            }
        }
        custom-attack Block_Flag {
            recommended-action drop-packet;
            severity major;
            time-binding {
                count 10;
                scope source;
            }
            attack-type {
                signature {
                    protocol-binding {
                        udp {
                            minimum-port 0 maximum-port 65535;
                        }
                    }
                    context packet;
                    direction any;
                    shellcode intel;
                    protocol {
                        ipv4 {
                            ip-flags df;
                        }
                    }
                }
            }
        }
        application-ddos dns-server-1 {
            service dns;
            connection-rate-threshold 1200;
            context dns-type-name {
                hit-rate-threshold 72000;
                value-hit-rate-threshold 2400;
                max-context-values 100;
                time-binding-count 10;
                time-binding-period 30;
                exclude-context-values [ .*google.com .*yahoo.com ];
            }
        }
        application-ddos Protect-HTTP-Server {
            service http;
            connection-rate-threshold 100;
            context http-url-parsed {
                hit-rate-threshold 200;
                value-hit-rate-threshold 20;
                max-context-values 20;
                time-binding-count 3;
                time-binding-period 60;
            }
        }
        security-package {
            url http://services.netscreen.com/cgi-bin/index.cgi;
            automatic {
                start-time "2015-4-4.21:50:00 +0000";
                interval 24;
                enable;
            }
        }
        sensor-configuration {
            log {
                cache-size 32000;
                suppression {
                    include-destination-address;
                    start-log 1;
                    max-logs-operate 32000;
                    max-time-report 30;
                }
            }
            flow {
                log-errors;
                no-allow-icmp-without-flow;
            }
            re-assembler {
                no-ignore-memory-overflow;
                no-ignore-reassembly-memory-overflow;
                ignore-reassembly-overflow;
                max-flow-mem 3200000;
                max-packet-mem-ratio 20;
            }
            ips {
                no-process-override;
                detect-shellcode;
                no-process-ignore-s2c;
                ignore-regular-expression;
                log-supercede-min 32000;
            }
            global {
                enable-packet-pool;
                enable-all-qmodules;
                no-policy-lookup-cache;
                memory-limit-percent 70;
            }
        }
    }
    address-book {
        web-server {
            address SPD 185.9.157.15/32;
            address SALAY 178.20.231.5/32;
        }
        TeamSpeak {
            address Veli 178.20.231.165/32;
            attach {
                zone DisNetwork;
                zone IcNetwork;
            }
        }
    }
    alg {
        ftp ftps-extension;
        mgcp disable;
        rtsp;
        sccp disable;
        ike-esp-nat {
            enable;
        }
    }
    application-firewall {
        rule-sets TeamSpeak {
            rule TeamSpeak {
                match {
                    dynamic-application junos:TEAMSPEAK;
                }
                then {
                    permit;
                }
            }
            rule SSH {
                match {
                    dynamic-application junos:SSH;
                }
                then {
                    permit;
                }
            }
            default-rule {
                deny;
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                ip-black-list {
                    value [ http://*.sex.com http://*.gamble.com http://*.flashgames.com ];
                }
                ip-white-list {
                    value [ http://*.work.com http://*.taxes.com http://*.networking.com ];
                }
            }
        }
        feature-profile {
            anti-spam {
                address-whitelist ip-white-list;
                address-blacklist ip-black-list;
                sbl {
                    profile local-profile {
                        no-sbl-default-server;
                        spam-action tag-subject;
                        custom-tag-string ***YEP*SPAM***;
                    }
                }
            }
        }
        utm-policy spam-block {
            anti-spam {
                smtp-profile local-profile;
            }
        }
    }
    flow {
        allow-dns-reply;
        syn-flood-protection-mode syn-cookie;
        aging {
            early-ageout 50;
            low-watermark 80;
            high-watermark 90;
        }
        tcp-mss {
            all-tcp {
                mss 1460;
            }
        }
        tcp-session {
            rst-invalidate-session;
            rst-sequence-check;
            strict-syn-check;
            no-sequence-check;
            tcp-initial-timeout 10;
        }
    }
    screen {
        ids-option internet-screen {
            icmp {
                ip-sweep threshold 10000;
                fragment;
                large;
                flood threshold 1000;
                ping-death;
            }
            ip {
                bad-option;
                record-route-option;
                timestamp-option;
                security-option;
                stream-option;
                spoofing;
                source-route-option;
                loose-source-route-option;
                strict-source-route-option;
                unknown-protocol;
                tear-drop;
            }
            tcp {
                syn-fin;
                fin-no-ack;
                tcp-no-flag;
                syn-frag;
                port-scan threshold 5000;
                syn-ack-ack-proxy threshold 50;
                syn-flood {
                    alarm-threshold 512;
                    attack-threshold 200;
                    source-threshold 4000;
                    destination-threshold 4000;
                    queue-size 2000;
                    timeout 30;
                }
                land;
                winnuke;
            }
            udp {
                flood threshold 50000;
                udp-sweep threshold 1000;
            }
            limit-session {
                source-ip-based 100;
                destination-ip-based 2000;
            }
        }
    }
    policies {
        from-zone IcNetwork to-zone DisNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone DisNetwork to-zone IcNetwork {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application [ TCPDefault UDPDefault ICMPDefault ];
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy BlockOther {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
            policy spam-tag {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy spam-block;
                        }
                    }
                }
            }
            policy TeamSpeak {
                description "TeamSpeak Ozel";
                match {
                    source-address any;
                    destination-address Veli;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            application-firewall {
                                rule-set TeamSpeak;
                            }
                        }
                    }
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    datapath-debug {
        capture-file PCAP;
        maximum-capture-size 10000;
        action-profile {
            Capture {
                event np-ingress {
                    packet-dump;
                }
            }
        }
        packet-filter 1 {
            action-profile Capture;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone DisNetwork {
            tcp-rst;
            screen internet-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/0.0;
            }
        }
        security-zone IcNetwork {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                xe-1/0/1.0;
            }
        }
    }
}
firewall {
    family inet {
        filter BlokKural {
            term 1 {
                from {
                    packet-length 0-30;
                    protocol udp;
                }
                then {
                    count dns-jova;
                    log;
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter blocked.IP {
            term 1 {
                from {
                    prefix-list {
                        block.zeusCC;
                        unblock.zeusCC except;
                    }
                }
                then {
                    syslog;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    filter rpf-filter {
        term default {
            then {
                count rpf-failed-count;
                reject;
            }
        }
    }
}
applications {
    application TTPBlocker protocol 84;
    application TCPDefault protocol tcp;
    application UDPDefault protocol udp;
    application ICMPDefault protocol icmp;
}


0
 
btanExec ConsultantCommented:
Looks like others stated uRPF in SRX to reduce spoofed source IPs, which are usual in DDoS flooding.
When an incoming packet fails the unicast RPF check, the packet is not accepted on the interface.
When a packet is not accepted on an interface, it is sent to an optional fail filter.
If the fail filter is not configured, the default action is to silently discard the packet.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB27278

Otherwise, if it has some unique port, you can consider blocking it with an output firewall filter assigned to interfaces:
 
set firewall family inet filter blk1 term 1 from destination-port 10001-65535
set firewall family inet filter blk1 term 1 then discard
set firewall family inet filter blk1 term 2 then accept
http://forums.juniper.net/t5/SRX-Services-Gateway/blocking-torrent-and-p2p-traffic/td-p/43192

Or an application IDP filter; the IDP policy should look like:
 
set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> match attacks predefined-attack-groups <predefined P2P attack group name from list above>
set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> match application default
set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> then action drop-packet
http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-has-feature-like-NBAR/td-p/35066

Apparently not viable for the filter and application ID... so better uRPF and rate limit, but the src IP can change, which DoS tends to do, being short-lived with various sources negating your policy... you have to start engaging your ISP too, and I was even thinking of DMS/CDN services like CloudFlare, Akamai and DosArrest sort ...
0
 
FireBallITAuthor Commented:
They are hitting a port directly, but the main point is that it does not change the result:
- filter
- policy
- ids
were modified thousands of times; at the end we removed all of them and nothing changed. When we remove the UDP threshold from the zone screen, the SRX locks down.

Another strange thing is we tried IP drop packet on IDP; it listed the attacker IP on the flow blocked list, but it still goes on to hit the IDP rules counter while it was blocked by flow :/
After that we decided to remove the UDP threshold because we checked on the victim server with tcpdump and it was really blocked, no packet was coming. But all sessions were gone. When we removed the threshold the SRX locked again, no zone was available to connect, and none of the servers either.

We also tested each rule given above, firstly with a threshold limit of 10K; all of them were working and blocking. When we remove the threshold the SRX locks up with no chance.

Total attack is 100 - 120K pps and 200 - 250 Mbps nearly.
0
 
giltjrCommented:
I've been watching all of your new questions about the SRX3600. I think you now have 3 new ones open, all dealing with the same issue. For the UDP floods it has been suggested multiple times to use uRPF, as suggested in your original question.

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_28654202.html

Have you contacted Juniper support yet? It is obvious that you are new to this firewall, and they are going to be your best bet to get it configured to support blocking the attacks you are seeing.
0
 
FireBallITAuthor Commented:
Yes, we have contacted them, but we have still been waiting for device registration for one week. But I need a solution ASAP.
0
 
giltjrCommented:
The impression I am getting is that the SRX3600 is new to your environment. What were you using before you had it?

Based on my reading of the specs of the box, I think you might be pushing the limits of the box at 100K pps of UDP. Yes, the box is rated higher than that, but that is based on having 3 NPCs, of which you only have one.

It's hard to tell. The specs talk about new connections per second, but that is the TCP 3-way handshake. Whereas UDP has no connections, so I can tell what performance to expect.
0
 
FireBallITAuthor Commented:
But now it gives performance under 1/10 of the per-NPC capacity.
It says on the datasheets 1M pps for an NPC.
We have tested with SYN unprotocoled attacks; it dropped at 100K pps, so we decided to block unprotocoled attacks on the router.
Now the main problem is UDP. We are looking for sFlow scripts to block flooders from the router again, but I do not understand what we will use the Juniper for if 200 Mbps gets it down; a Citrix NetScaler load balancer is more capable than this.
0
 
giltjrCommented:
Looking more into how the SRX3600 works, the firewall and IDP processing occurs on the SPC card. You can have up to 7 SPCs in the chassis and you have one. To me this implies that the total throughput for anything that gets processed by the SPC you would need to divide by 7. So the firewall/IDP throughput is 15 Gbps max, and that is with 7 SPCs. Which means your max. possible throughput would be just barely over 2 Gbps. This is a BIG assumption on my part.

I also found this:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB25257

Which implies that without the "extreme" license you might get about 1/2 of the rated throughput when traffic volume is high.

Again, a good reason to have a pre-sales engineer involved in purchases of this size.
0
 
giltjrCommented:
I looked at your config; you may want to look at changing:

            udp {
                flood threshold 50000;
                udp-sweep threshold 1000;
            }

This says that you don't want udp flood protection to be enabled until you see 50,000 udp packets to the same target IP address and target port.
0
 
btanExec ConsultantCommented:
As per giltjr, and per the linked existing example: the value unit is UDP packets per second, or pps. The default value is 1000 pps. You specify the zone where a flood might originate.
user@host# show security screen
ids-option 1000-udp-flood {
    udp {
        flood threshold 1000;
    }
}
[edit]
user@host# show security zones
security-zone external {
    screen 1000-udp-flood;
}
http://www.juniper.net/techpubs/en_US/junos12.3x48/topics/example/denial-of-service-network-udp-flood-protection-enabling-cli.html

Also the UDP sweep stated earlier:
To protect against UDP flood attacks the following option can be used. This limits the number of UDP packets allowed on a per-second basis.

set security screen ids-option untrust-screen udp flood threshold 50000
https://www.fir3net.com/Firewalls/Juniper/srx-screen.html
0
 
FireBallITAuthor Commented:
But I think you might have a misunderstanding: the flood threshold is not a protection, it is just a block limit which blocks to the destination.
For example, if the victim is getting 50001 pps then the Juniper drops the next packets in this second. So real visitors are not able to connect to the streams. This is not a protection.
0
 
FireBallITAuthor Commented:
On the other hand, if it is about the NPC or SPC, why is the CPU process showing under 50% usage while it has locked the connections to the outside?

And also the screen works perfectly to drop connections at more than 100K.
0
 
btanExec ConsultantCommented:
Indeed it is not a preventive means, but the idea is not to flood your origin server and to throttle the incoming traffic.

As for Services Processing Card (SPC), it is mainly for supporting near linear scalability. It ensures that there are no idle resources based on specific services in operation—maximizing hardware utilization. In a way, it is upping the capacity and performance. So together with additional I/O cards (IOCs), network processing cards (NPCs) on top of the SPC, SRX3600 can be configured to support more than 100 Gbps interfaces with choices of Gigabit Ethernet or 10-Gigabit Ethernet ports; firewall performance from 10 to 30 Gbps;
Networks Licenses: Expanded Performance and Capacity License for SRX 3000
Note: Requires Junos 10.4 or later

Line Components: Network Processing Card for SRX 3000, Services Processing Card for SRX 3000, Single Processor, 1Ghz, 4GB Memory/CPU
http://www.networkscreen.com/SRX3600.asp

It is increasing SRX resources ... but not preventive either....

I do suggest exploring the NetScaler LB, which can also further rate limit (assume the Juniper just falls into fail-safe and lets the traffic run through, since most do not want to have a single point of failure ...) http://support.citrix.com/article/CTX127917

All in the spirit of defence in depth, as we cannot assume each layer will withstand and be resilient everlastingly.
0
 
giltjrCommented:
@ "but i think you  might have a misunderstanding flood thereshold is not a protection it just a block limit which blocks to destination. "

No, I understand it perfectly. The flood protection is to prevent the destination from being flooded with requests, period. I think you misunderstand and you think that it is to protect against non-valid requests. This is wrong; flood protection is to prevent the server from being sent more requests than it can handle, it does not matter if the requests are valid or non-valid.

You don't want your server flooded with valid requests, as too many valid requests will lock up your server just as quickly as non-valid requests.

If you are truly under a DDoS (distributed denial of service), that means that all the requests are coming from different source IP addresses, so NO box can tell the difference between a valid request and an attack request. I am assuming that you are just under a DoS.

As for the NetScaler, it is a different device with a different purpose, so it will do things differently.

I would also suggest that you STOP opening up new questions on the same problem, as I see you have opened yet another question about this issue. Again, your best bet will be to talk to Juniper.
0
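To make the point the two posters disagree on concrete, here is an added Python model (not from the thread, and not Juniper code) of the two screen settings present in the posted config: the per-destination `udp flood threshold` and the per-source `limit-session source-ip-based` cap, run over a constructed one-second packet sample with one flooder and some legitimate viewers. Addresses, ports and packet counts are constructed, and the model only reproduces the documented semantics at the level this discussion needs.

```python
"""Simplified model of two SRX screen controls discussed in this thread.

Not SRX code: it only reproduces the documented semantics of the two
options. Addresses, ports and packet counts are constructed.
"""
from collections import Counter, defaultdict


def build_traffic(attack_pps=3000, viewers=50):
    """One second of constructed traffic: a single flooder using a fresh
    source port per packet, interleaved with legitimate viewers who each
    send two packets from one source port (one viewer packet per 30 flood)."""
    viewer_pkts = [
        {"second": 0, "src": f"192.0.2.{v + 1}", "sport": 40000,
         "dst": "203.0.113.10", "dport": 9987, "legit": True}
        for v in range(viewers) for _ in range(2)
    ]
    traffic = []
    for i in range(attack_pps):
        traffic.append({"second": 0, "src": "198.51.100.7", "sport": 10000 + i,
                        "dst": "203.0.113.10", "dport": 9987, "legit": False})
        if i % 30 == 29 and viewer_pkts:
            traffic.append(viewer_pkts.pop(0))
    traffic.extend(viewer_pkts)  # any viewer packets left over go at the end
    return traffic


def udp_flood_threshold(packets, threshold):
    """Per-destination cap, like 'screen ids-option ... udp flood threshold':
    once a destination IP/port has received more than `threshold` packets in
    a one-second window, further packets to it that second are dropped
    regardless of who sent them."""
    seen = Counter()
    passed, dropped = [], []
    for pkt in packets:
        key = (pkt["second"], pkt["dst"], pkt["dport"])
        seen[key] += 1
        (passed if seen[key] <= threshold else dropped).append(pkt)
    return passed, dropped


def limit_session_source(packets, per_source):
    """Per-source cap, like 'limit-session source-ip-based N': a source may
    hold at most `per_source` concurrent sessions (UDP tuples here); a packet
    that would open one more is dropped, existing flows keep going."""
    sessions = defaultdict(set)
    passed, dropped = [], []
    for pkt in packets:
        flow = (pkt["sport"], pkt["dst"], pkt["dport"])
        held = sessions[pkt["src"]]
        if flow not in held and len(held) >= per_source:
            dropped.append(pkt)
            continue
        held.add(flow)
        passed.append(pkt)
    return passed, dropped


def summarize(passed, dropped):
    """Count outcomes separately for legitimate and flood packets."""
    out = {}
    for label, pkts in (("passed", passed), ("dropped", dropped)):
        out[f"{label}_legit"] = sum(p["legit"] for p in pkts)
        out[f"{label}_attack"] = sum(not p["legit"] for p in pkts)
    return out


if __name__ == "__main__":
    traffic = build_traffic()
    print("udp flood threshold 1000:", summarize(*udp_flood_threshold(traffic, 1000)))
    print("limit-session source-ip-based 100:",
          summarize(*limit_session_source(traffic, 100)))
```

With the destination threshold, 68 of the 100 viewer packets are dropped alongside the flood; with the per-source cap, the flooder is held to 100 sessions and every viewer packet passes.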
 
FireBallITAuthor Commented:
This is a type of attack that only sends 29-byte packets from the same IP.
How should we block the destination IP address on the SRX without having any packet drops on UDP?
0
 
giltjrCommented:
Then it is not a DDoS it is a DoS.   Is the target IP address the same also?
0
 
giltjrCommented:
From what I can tell you are using the IDP policy name  "Recommended".  If you look at your configuration file and search for the string "idp-policy Recommended" you can read what that does.

From what I can tell, there is nothing in the policy to protect against any UDP attacks. Now I may be missing something.

You may want to look at trying to use the idp-policy Server-Protection.   But you should review each idp-policy and see what may best suit your situation.
0
 
giltjrCommented:
Here is a link from the Juniper site on how to protect against UDP floods attacks:

http://www.juniper.net/techpubs/en_US/junos12.3x48/topics/example/denial-of-service-network-udp-flood-protection-enabling-cli.html

Some of which we have already talked about, setting the limit to 1000 pps.
0
 
FireBallITAuthor Commented:
We tried to block the IP address with a firewall term, but nothing changed; the SRX locks down after 200K pps.

And very strangely it applies screen rules before the filter.
0
 
FireBallITAuthor Commented:
So I really do not understand what limits the connections when an attack comes from the same IP address,
because we checked the CPU usage and sessions and they were so normal.

The SRX is dropping connections because of?

CPS -> I am not sure, because actually we have a filter for the attacker IP and it does not create sessions
SPC CPU -> they seem so normal, never exceeding 50%
NPC -> it says 1M pps supported and it also seems normal
Routing Engine -> it never gives a value higher than 26%
0
 
btanExec ConsultantCommented:
In general, your SPC gives you more bandwidth while the NPC gives more sessions. You should look at those metrics to drill into the use of those cards (besides the numbers obtained) and then beef up, since the config for threshold, filter and handling UDP sweep is supposed to be set as discussed in this forum (already) - and I must agree about your multiple Juniper-related questions created; it is more worthwhile to get into Juniper support ASAP for the clarification..

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-SPC-and-NPC-Modules-and-Throughput-of-SRX-Firewall/m-p/197329#M24835

Example: Packet (a ->b) arrives at NPU1 from IOC1. NPU1 performs sanity checks and applies DoS screens to the packet. NPU1 checks its session table for a tuple match and no existing session is found. NPU1 forwards the packet to the central point on SPU1 for assignment to an SPU...
http://www.juniper.net/techpubs/en_US/junos11.4/topics/concept/session-based-processing-for-srx3000-line-overview.html

You can also run these commands to check the CPU and session details on the SRX3600:
 
show security monitoring performance spu
show security monitoring performance session
show security monitoring fpc x ( spc slot number)
 
Based on these outputs, verify whether the utilization is high and whether they use an additional SPC card to distribute as required for the sessions (or expected "surges"). NetScaler can also handle DoS if that is the intent, as shared earlier, but better check your spec and focus on one since it is giving you so many doubts already...
0
 
FireBallITAuthor Commented:
While an attack was going on we checked from the serial connection:

                                                           elay: 0/0/68
Interface: ge-0/0/1, Enabled, Link is Up
Encapsulation: Ethernet, Speed: 1000mbps
Traffic statistics:                                           Current delta
  Input bytes:                8882410078 (482358664 bps)        [473343620]
  Output bytes:                 99109988 (0 bps)                        [0]
  Input packets:               142247660 (972491 pps)             [7634523]
  Output packets:                 590560 (0 pps)                        [0]
Error statistics:
  Input errors:                        0                                [0]
  Input drops:                         0                                [0]
  Input framing errors:                0                                [0]
  Policed discards:                    0                                [0]
  L3 incompletes:                      0                                [0]
  L2 channel errors:                   0                                [0]
  L2 mismatch timeouts:                0  Carrier transiti              [0]

Next='n', Quit='q' or ESC, Freeze='f', Thaw='t', Clear='c', Interface='i'


Valid sessions: 112
Pending sessions: 562421
Invalidated sessions: 545656
Sessions in other states: 0
Total sessions: 1108189
Maximum sessions: 2359296

0