juniper SRX650 设置IDP日志记录按http://junosnotes.blogspot.com/2012/08/srx-idp.html中说明> help syslog | match
juniper SRX650 设置IDP日志记录
按http://junosnotes.blogspot.com/2012/08/srx-idp.html中说明
> help syslog | match IDPIDP_APPDDOS_APP_ATTACK_EVENT_LS IDP: DDOS attack on applicationIDP_APPDDOS_APP_STATE_EVENT IDP: DDOS application state transition eventIDP_APPDDOS_APP_STATE_EVENT_LS IDP: DDOS application state transition eventIDP_ATTACK_LOG_EVENT_LS IDP attack logIDP_COMMIT_COMPLETED IDP policy commit completedIDP_COMMIT_FAILED IDP commit exited with failureIDP_DAEMON_INIT_FAILED Failed to initialize IDP daemonIDP_IGNORED_IPV6_ADDRESSES IDP ingnores IPv6 addressesIDP_INTERNAL_ERROR IDP daemon encountered an internal error.IDP_POLICY_COMPILATION_FAILED IDP policy compilation failedIDP_POLICY_LOAD_FAILED Failed to load an IDP policy在设置syslog是用的match 是 IDP_ATTACK_LOG_EVENT_LS,但一直没有日志记录,后改成RT_IDP
就有了,发现日志中记录的是这样的:
Oct 31 13:51:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1477893086, SIG Attack log <180.173.206.150/19438->43.254.106.11/80> for TCP protocol and service SERVICE_IDP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, name=HTTP:APACHE:FILEUPLOAD-CNT-TYPE, NAT <0.0.0.0:0->172.16.50.2:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:ae2.0, packet-log-id: 0, alert=no and misc-message -原来并非 IDP_ATTACK_LOG_EVENT_LS, 而是IDP_ATTACK_LOG_EVENT
