Juniper SRX IDP Packet Capture

My Juniper SRX devices are configured to send packet captures to a Linux server for further analysis. The Linux server exports the capture directory via NFS, which I mount on my PC; that lets me browse the packet captures of attacks directly from my PC and open them in Wireshark.

Packet Capture Server Setup

My packet capture server is running Debian Linux. These instructions should work for other distributions with some small modifications.

Prepare the Host

Install the required packages with apt-get:

apt-get install python2.7 python-pip python-dpkt

You will also need to install the twisted network engine which can be installed by using pip:

pip install twisted

Packet Capture Daemon

The daemon that listens for and collects the packet captures is the “SRX PCAP Receiver” script, originally written by GitHub user craigdods. I have created a fork of it, available here. The fork adds a systemd service file and a cron job that cleans up old packet captures.

All packet captures on my host are stored in /captures (this can be a separate disk if you desire). If you install it in a different directory, you will need to change the paths in the systemd service file, the cron file and any other commands provided below.

Create the captures directory and check out the repo from GitHub:

mkdir /captures
cd /captures
git clone git@github.com:sysadminblog/SRX_PCAP_Receiver.git .

Add the systemd service and allow it to start on boot:

cp /captures/packetcap.service /etc/systemd/system/packetcap.service
systemctl daemon-reload
systemctl enable packetcap.service

Verify that you can run the packet capture script:

cd /captures && /captures/srx_pcap_receiver.py

If the script starts without errors, press Control + C to stop it.

Start the packet capture service:

service packetcap start

Add the cron to clean up old packet captures:

cp /captures/packetcap.cron /etc/cron.d/packetcap

The SRX device can now send packet captures to UDP port 2050 on this server.
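The fork's cron job is not reproduced on this page, so the following is an added example of the retention sweep such a job performs; it is not the script from the fork or from the SRX_PCAP_Receiver project. The capture root /captures/Juniper_IDP_PCAP_Storage follows the post; the 30-day default, the .pcap suffix and the sample files it builds are assumptions made here. It skips symlinks and does not descend into symlinked directories, which is the part a plain find -delete sweep of a directory that untrusted traffic names files in is easy to get wrong.

```python
"""Retention sweep for the capture directory.

Added example for this post; it is not the cron job shipped in the post's
fork. It does the same job: delete capture files older than a given number
of days under /captures/Juniper_IDP_PCAP_Storage. The 30-day default, the
.pcap suffix and the demo files are assumptions made here.
"""
import os
import tempfile
import time

CAPTURE_ROOT = "/captures/Juniper_IDP_PCAP_Storage"  # path from the post
DAY = 86400


def prune_old_captures(root, max_age_days=30, now=None, dry_run=False, suffix=".pcap"):
    """Return the sorted list of capture files whose mtime is older than
    max_age_days and, unless dry_run is set, delete them.

    Only regular files with the expected suffix are touched. Symlinks are
    skipped, and os.walk does not follow symlinked directories, so a link
    dropped into the capture tree cannot steer the sweep at other data."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    victims = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(suffix) or os.path.islink(path):
                continue
            if os.lstat(path).st_mtime < cutoff:
                victims.append(path)
                if not dry_run:
                    os.remove(path)
    return sorted(victims)


def run_demo(max_age_days=30):
    """Constructed demo: one stale and one fresh capture, a stale non-capture
    file and a symlink named like a capture, all in a temporary tree.
    Returns (removed basenames, remaining basenames)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        stale = os.path.join(root, "old.pcap")
        fresh = os.path.join(root, "new.pcap")
        other = os.path.join(root, "notes.txt")
        for p in (stale, fresh, other):
            open(p, "wb").close()
        # Backdate the stale capture and the non-capture file by 40 days.
        os.utime(stale, (now - 40 * DAY, now - 40 * DAY))
        os.utime(other, (now - 40 * DAY, now - 40 * DAY))
        # A symlink with a capture name must not be followed or removed.
        os.symlink(other, os.path.join(root, "link.pcap"))
        removed = prune_old_captures(root, max_age_days, now=now)
        remaining = sorted(os.listdir(root))
    return [os.path.basename(p) for p in removed], remaining


if __name__ == "__main__":
    # Dry run against the real capture tree: list what a sweep would delete.
    for path in prune_old_captures(CAPTURE_ROOT, dry_run=True):
        print("would remove", path)
```

Run it with dry_run=True first to see what a given retention period would delete; only the stale .pcap file is removed in the demo, while the fresh capture, the unrelated file and the symlink are left alone.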

NFS Server

If you want the packet captures to be available via NFS, follow these steps.

  1. Install the NFS server packages:
apt-get install nfs-common nfs-kernel-server
  2. Configure the NFS server to export the share. For this example, my PC IP is 192.168.34.231. Replace that IP with the address of the host that will mount the share. Export to that single client rather than a subnet or a wildcard: the captures contain attack traffic and whatever payloads came with it, and should not be readable by every host on the network. The export is read-only, so no_root_squash cannot be used to write to the server; it only lets the client's root user read everything, so leave it out unless the capture files are readable by root alone.
cat << EOF >> /etc/exports
/captures/Juniper_IDP_PCAP_Storage         192.168.34.231(ro,sync,fsid=0,no_subtree_check,no_root_squash)
EOF
  3. Export the share:
exportfs -a

The share is now exported and can be mounted as usual, e.g. on a Windows host (with the NFS client feature installed): mount \\linux-host\captures\Juniper_IDP_PCAP_Storage G:

SRX Setup

The SRX device needs to be configured to send the packet captures for IDP attacks to the packet capture server.

Global Setup

The packet capture host is configured in the sensor-configuration section. The packet-log stream is sent over plain UDP with no encryption, so the path between the SRX source-address and the capture server should be a trusted management network, and the server should only accept port 2050 from that source address:

set security idp sensor-configuration packet-log source-address 'SOURCE-IP'
set security idp sensor-configuration packet-log host 'PACKETCAP-SERVER-IP'
set security idp sensor-configuration packet-log host port 2050

Rule Setup

For any IDP rules that you have configured that you would like to have packets captured for, you must set the packet-log notification action.

As an example, for the rule Packet-Cap in the IDP policy Default.Policy:

set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log pre-attack 5
set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log post-attack 20
set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log post-attack-timeout 5

Verification

Once an attack matching a rule with the packet-log action has been triggered, browse to /captures/Juniper_IDP_PCAP_Storage on the packet capture server; the packet captures for that attack will be there.
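Before opening captures in Wireshark it is worth confirming that the receiver actually wrote complete pcap files, since a file cut off mid-write (receiver restarted, disk full) opens with a vague error or silently loses the last packet. The following is an added example for this post, not code from the original page or from the SRX_PCAP_Receiver project: it walks the capture directory and summarizes each file by parsing the libpcap container format directly with the Python 3 standard library (no dpkt needed). The capture root follows the post; the .pcap suffix, the 60-byte dummy frames and the sample files it constructs are assumptions.

```python
"""Sanity-check pcap files collected by the receiver before opening them.

Added example for this post; not code from the original page or from the
SRX_PCAP_Receiver project. Parses the classic libpcap file format with the
Python 3 standard library only. The capture root follows the post; the
.pcap suffix and the sample capture bytes are assumptions constructed here.
"""
import os
import struct
import tempfile

CAPTURE_ROOT = "/captures/Juniper_IDP_PCAP_Storage"  # path from the post
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond timestamps
GLOBAL_HDR_LEN = 24
PKT_HDR_LEN = 16


def summarize_pcap(data):
    """Describe one pcap blob: packet count, link type, first/last timestamp,
    and whether the file ends in the middle of a packet record."""
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "reason": "shorter than the 24-byte global header"}
    # The magic number is written in the writer's byte order; detect it.
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        end = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        end = ">"
    else:
        return {"ok": False, "reason": "bad magic, not a libpcap file"}
    _magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(
        end + "IHHiIII", data[:GLOBAL_HDR_LEN])
    packets, first_ts, last_ts, truncated = 0, None, None, False
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < PKT_HDR_LEN:
            truncated = True            # record header cut off mid-write
            break
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            end + "IIII", data[off:off + PKT_HDR_LEN])
        off += PKT_HDR_LEN
        # A captured length beyond the original length or the snaplen means a
        # corrupt record rather than a short file; stop counting either way.
        if incl_len > orig_len or (snaplen and incl_len > snaplen) \
                or len(data) - off < incl_len:
            truncated = True
            break
        off += incl_len
        packets += 1
        first_ts = ts_sec if first_ts is None else first_ts
        last_ts = ts_sec
    return {"ok": True, "packets": packets, "linktype": linktype,
            "first_ts": first_ts, "last_ts": last_ts, "truncated": truncated}


def check_capture_dir(root=CAPTURE_ROOT, suffix=".pcap"):
    """Summarize every capture file under root, keyed by path. os.walk does
    not follow symlinked directories, so the walk stays inside the tree."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(suffix):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = summarize_pcap(fh.read())
    return results


def build_sample_pcap(packet_count, base_ts=1700000000):
    """Constructed sample data: a valid little-endian pcap (linktype 1,
    Ethernet) holding packet_count dummy 60-byte frames one second apart."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = []
    for i in range(packet_count):
        frame = bytes([i & 0xFF]) * 60
        recs.append(struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame)
    return hdr + b"".join(recs)


def run_demo():
    """Write a good, a truncated and a non-pcap file into a temporary tree
    and return their summaries keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "2024-01-01")
        os.mkdir(sub)
        with open(os.path.join(sub, "good.pcap"), "wb") as fh:
            fh.write(build_sample_pcap(3))
        with open(os.path.join(sub, "cut.pcap"), "wb") as fh:
            fh.write(build_sample_pcap(3)[:-5])     # last record cut short
        with open(os.path.join(sub, "junk.pcap"), "wb") as fh:
            fh.write(b"not a capture at all, just text padding")
        return {os.path.basename(p): s for p, s in check_capture_dir(root).items()}


if __name__ == "__main__":
    for path, s in sorted(check_capture_dir().items()):
        if not s["ok"]:
            print("%s: UNREADABLE (%s)" % (path, s["reason"]))
        else:
            flag = " TRUNCATED" if s["truncated"] else ""
            print("%s: %d packets, linktype %d, %s..%s%s" % (
                path, s["packets"], s["linktype"], s["first_ts"], s["last_ts"], flag))
```

A file that reports zero packets and no truncation is a capture the receiver opened but never filled, which usually points at the SRX side (wrong port, or a rule without the packet-log action) rather than at the server.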
