Rulebase Exempt – Continuing from the Previous Post


Hi,

Now that its pretty clear on how we define our IDP to detect attacks, let us also see how we can turn that off for specific set of applications/traffic/pattern if you wish for, be it the company policy or be it for any other reason (A custom application set which mimics a suspicious behavior and you want it to allow), to put it straight , anything if you think that is good (true-positive) but IDP senses bad and drops (false-positive)

Topology

1_toplogy

Initially, the triggered attack is detected and the scan cannot get through; here are the outputs, just for reference.

2_idp

As we can see above, the attack was detected by the SRX and it is being blocked.

3_srx_detecting

Let us add a rulebase-exempt rule and see whether that bypasses detection; this time the SRX should not detect any of these attacks.

4_rulebase-exempt-srx
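The exempt rule the screenshot above stands in for, written out as an added Junos set-command example; this is not the author's configuration. The policy name LAB-IDP, the rule and address names, the zones trust/untrust and the 192.0.2.10 / 198.51.100.20 addresses are assumptions. Comment lines starting with `##` are for the reader and are not part of the configuration. Note that an exempt rule has no `then` clause: it only suppresses the named attack objects for traffic that matches its zones and addresses, so the narrower the match, the less you give away.

```junos
## Added example, not the author's config. Assumed: policy LAB-IDP, zones trust/untrust,
## constructed addresses for the scanner host and the lab target.
set security address-book global address SCANNER-HOST 192.0.2.10/32
set security address-book global address LAB-TARGET 198.51.100.20/32
## Scope the exemption to one source, one destination and one attack object.
## Matching source-address any / attacks any would silence IDP for the whole zone pair.
set security idp idp-policy LAB-IDP rulebase-exempt rule EXEMPT-SCANNER match from-zone untrust
set security idp idp-policy LAB-IDP rulebase-exempt rule EXEMPT-SCANNER match source-address SCANNER-HOST
set security idp idp-policy LAB-IDP rulebase-exempt rule EXEMPT-SCANNER match to-zone trust
set security idp idp-policy LAB-IDP rulebase-exempt rule EXEMPT-SCANNER match destination-address LAB-TARGET
set security idp idp-policy LAB-IDP rulebase-exempt rule EXEMPT-SCANNER match attacks predefined-attacks SCAN:MISC:HTTP:VTI-BIN-PROBE
```

After a commit, `show security idp attack table` should stop counting SCAN:MISC:HTTP:VTI-BIN-PROBE for that source/destination pair while every other attack object in the rulebase-ips rules keeps being enforced; if the counter stops for other attacks as well, the exempt match is wider than intended.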

Re-scanning will reveal that I am running an Ubuntu machine, along with scores of vulnerability options that people might really be interested in 🙂

5_bypassing_attack

Always weigh your options, especially when you are exempting anything from normal IDP inspection; that might prove to be very costly.

Regards

Rakesh M

Using VSRX IDP to detect pre-triggered Attack – Metasploit Frame-Work – SCAN:MISC:HTTP:VTI-BIN-PROBE


Hi,

I was studying IDP and, as always, I wanted to test the feature out. First of all, it is a vSRX, so do not expect it to detect everything out of the box, but it did a fairly nice job to start with.

Topology

1_topology

Exploit

2_Metasploit_frame_work_attack_search

SCAN:MISC:HTTP:VTI-BIN-PROBE

Description: This signature detects requests to a URL that can execute a denial of service (DoS) on Microsoft IIS with FrontPage extensions.

No attack has been detected as of yet, and the attack table is empty.

3_empty_attack_table

Configuring the vSRX so that it has IDP capabilities; for more details you can have a look at the post below about the installation:

https://r2079.wordpress.com/2015/09/16/appsecure-suite-installing-license-evaluation-version-on-vsrx-firefly/

4_configuration
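An IDP policy of the kind the configuration screenshot above shows, written out as an added Junos set-command example; it is not the author's configuration. The policy name LAB-IDP, the rule and security-policy names, and the zones untrust (attacker side) and trust (lab device side) are assumptions; `set security idp active-policy` is the way a policy was activated on the Junos releases of this post's era (newer releases attach the policy in the security policy instead). Comment lines starting with `##` are for the reader and are not part of the configuration.

```junos
## Added example, not the author's config. Assumed: policy LAB-IDP, rule DETECT-VTI,
## security policy TO-LAB, zones untrust -> trust.
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match from-zone untrust
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match source-address any
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match to-zone trust
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match destination-address any
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match application default
## The predefined signature this post tests; it must be present in the installed signature package
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI match attacks predefined-attacks SCAN:MISC:HTTP:VTI-BIN-PROBE
## Drop the offending connection and log it so it shows up in the attack table and syslog
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI then action drop-connection
set security idp idp-policy LAB-IDP rulebase-ips rule DETECT-VTI then notification log-attacks
set security idp active-policy LAB-IDP
## IDP only inspects sessions that the permitting security policy hands to the IDP service
set security policies from-zone untrust to-zone trust policy TO-LAB match source-address any
set security policies from-zone untrust to-zone trust policy TO-LAB match destination-address any
set security policies from-zone untrust to-zone trust policy TO-LAB match application any
set security policies from-zone untrust to-zone trust policy TO-LAB then permit application-services idp
```

Two checks are worth running before launching anything: `show security idp status` confirms the policy is loaded and inspection is running, and `show security idp attack table` is the counter that is empty before the test and populated afterwards. A permit policy without `application-services idp` is the most common reason the table stays empty even though the signature is installed.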

I have used Metasploit to attack my home lab device

5_attacking_lan

As we can clearly see, the SRX has detected the attack and displayed the appropriate attack type.

6_srx_detecting_Attack

Regards

Rakesh M

Quick Series 7 – SOURCE-NAT – INTERFACE-BASED NAT


Hi,

This is the 7th post in the Quick Series, and it is on SRX source NAT using the egress interface address.

Requirement

All LAN traffic (172.20.101.0/24) trying to reach the other-end router 172.18.2.2 should be NATed to the 172.18.1.2 address.

 

Topology

topology

 

The first thing to do is verify our SRX interface and zone definitions.

 

pic-1_zones

Verify that the proper policies are in place; note that you also have to write a security policy from the trust zone to the untrust zone for this traffic to flow at all, as NAT on its own permits nothing.

pic-2-srx_nat_config
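The interface, zone, NAT and policy configuration the two screenshots above stand in for, written out as an added Junos set-command example; it is not the author's configuration. The interface names ge-0/0/0 and ge-0/0/1, the SRX trust address 172.20.101.1, the next-hop 172.18.1.1 towards the other-end router and the rule-set and policy names are assumptions; 172.18.1.2 is assumed to be the untrust interface address, which is what interface-based source NAT translates to. Comment lines starting with `##` are for the reader and are not part of the configuration.

```junos
## Added example, not the author's config. Assumed interface names, the SRX's own addresses
## and the next-hop towards 172.18.2.2; the requirement's prefixes are the post's.
set interfaces ge-0/0/0 unit 0 family inet address 172.20.101.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.18.1.2/24
set routing-options static route 172.18.2.0/24 next-hop 172.18.1.1
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
## Interface-based source NAT: no pool, the egress interface address (172.18.1.2) is used
set security nat source rule-set LAN-OUT from zone trust
set security nat source rule-set LAN-OUT to zone untrust
set security nat source rule-set LAN-OUT rule LAN-TO-R2 match source-address 172.20.101.0/24
set security nat source rule-set LAN-OUT rule LAN-TO-R2 match destination-address 172.18.2.2/32
set security nat source rule-set LAN-OUT rule LAN-TO-R2 then source-nat interface
## NAT rules only translate; the session still needs a permitting trust-to-untrust policy
set security policies from-zone trust to-zone untrust policy LAN-OUT match source-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match application any
set security policies from-zone trust to-zone untrust policy LAN-OUT then permit
```

Keeping the destination match at 172.18.2.2/32 rather than `any` is deliberate: it limits translation to the one flow the requirement names, so other trust-to-untrust traffic is not silently hidden behind the interface address. To verify, `show security nat source rule all` shows the translation hits counter for LAN-TO-R2, and `show security flow session destination-prefix 172.18.2.2` shows the In wing with the 172.20.101.0/24 source and the Out wing returning to 172.18.1.2.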

Final Verification

 

As we can see, 172.20.101.10 is being translated to 172.18.1.2.

pic-3-srx_verification

 

Regards

Rakesh M