Juniper SRX650: configuring IDP logging
Following the instructions at http://junosnotes.blogspot.com/2012/08/srx-idp.html
> help syslog | match IDP
IDP_APPDDOS_APP_ATTACK_EVENT_LS IDP: DDOS attack on application
IDP_APPDDOS_APP_STATE_EVENT IDP: DDOS application state transition event
IDP_APPDDOS_APP_STATE_EVENT_LS IDP: DDOS application state transition event
IDP_ATTACK_LOG_EVENT_LS IDP attack log
IDP_COMMIT_COMPLETED IDP policy commit completed
IDP_COMMIT_FAILED IDP commit exited with failure
IDP_DAEMON_INIT_FAILED Failed to initialize IDP daemon
IDP_IGNORED_IPV6_ADDRESSES IDP ingnores IPv6 addresses
IDP_INTERNAL_ERROR IDP daemon encountered an internal error.
IDP_POLICY_COMPILATION_FAILED IDP policy compilation failed
IDP_POLICY_LOAD_FAILED Failed to load an IDP policy
When configuring syslog I used IDP_ATTACK_LOG_EVENT_LS as the match string, but nothing was ever logged. After changing it to RT_IDP the logs appeared, and the entries recorded in the log look like this:
Oct 31 13:51:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1477893086, SIG Attack log <180.173.206.150/19438->43.254.106.11/80>
for TCP protocol and service SERVICE_IDP application NONE by rule 3 of rulebase IPS in policy Recommended. attack: repeat=0, action=DROP,
threat-severity=HIGH, name=HTTP:APACHE:FILEUPLOAD-CNT-TYPE, NAT <0.0.0.0:0->172.16.50.2:0>, time-elapsed=0, inbytes=0, outbytes=0,
inpackets=0, outpackets=0, intf:untrust:ge-0/0/0.0->trust:ae2.0, packet-log-id: 0, alert=no and misc-message -
So the event is not IDP_ATTACK_LOG_EVENT_LS after all, but IDP_ATTACK_LOG_EVENT.
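To show why the original match string never fired and to pull the useful fields out of the RT_IDP line above, here is an added Python example (not from the original post or from Juniper). It approximates the Junos syslog `match` behaviour with a regular-expression search over the whole message and parses the attack-log line quoted above, re-joined onto one line, into a dictionary.

```python
import re
from typing import Optional

# The RT_IDP attack-log line from the post, joined back onto a single line
# (syslog emits it as one line; the post shows it wrapped).
SAMPLE_LOG = (
    "Oct 31 13:51:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1477893086, "
    "SIG Attack log <180.173.206.150/19438->43.254.106.11/80> for TCP protocol "
    "and service SERVICE_IDP application NONE by rule 3 of rulebase IPS in "
    "policy Recommended. attack: repeat=0, action=DROP, threat-severity=HIGH, "
    "name=HTTP:APACHE:FILEUPLOAD-CNT-TYPE, NAT <0.0.0.0:0->172.16.50.2:0>, "
    "time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, "
    "intf:untrust:ge-0/0/0.0->trust:ae2.0, packet-log-id: 0, alert=no and misc-message -"
)

# Fixed part of the message: timestamp, process tag, event name, 5-tuple, rule/policy.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<process>\S+): (?P<event>IDP_\w+): "
    r"IDP: at (?P<epoch>\d+), SIG Attack log "
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)> "
    r"for (?P<proto>\w+) protocol .*? by rule (?P<rule>\d+) of rulebase (?P<rulebase>\w+) "
    r"in policy (?P<policy>\S+)\. attack: (?P<kv>.*)$"
)
# key=value pairs in the trailing "attack:" section (values contain no spaces or commas).
KV_RE = re.compile(r"(?P<k>[\w-]+)=(?P<v>[^, ]+)")


def syslog_match(pattern: str, line: str) -> bool:
    """Model of the Junos 'match' option: a regex searched anywhere in the message."""
    return re.search(pattern, line) is not None


def parse_idp_attack_log(line: str) -> Optional[dict]:
    """Return the structured fields of an RT_IDP attack log, or None if not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "rule", "epoch"):
        rec[key] = int(rec[key])
    kv = rec.pop("kv")
    for km in KV_RE.finditer(kv):
        rec[km["k"]] = km["v"]
    return rec


if __name__ == "__main__":
    # The _LS name never appears in the message, so that match string drops everything.
    for pat in ("IDP_ATTACK_LOG_EVENT_LS", "IDP_ATTACK_LOG_EVENT", "RT_IDP"):
        print(f"match {pat!r}: {syslog_match(pat, SAMPLE_LOG)}")
    print(parse_idp_attack_log(SAMPLE_LOG))
```

Once parsed, the `action`, `threat-severity` and `name` fields are what you would forward to a SIEM or alert on, rather than the raw line.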