Juniper SRX IDP Packet Capture

My Juniper SRX devices are configured to send packet captures to a Linux server for further analysis. I have the Linux server exporting its share via NFS which I mount on my PC, that allows me to then browse through the packet captures of attacks using my PC directly and open them in Wireshark.

Packet Capture Server Setup

My packet capture server is running Debian Linux. These instructions will worth for other distro’s with some small modifications.

Prepare the Host

Install the required packages with apt-get:

apt-get install python2.7 python-pip python-dpkt

You will also need to install the twisted network engine which can be installed by using pip:

pip install twisted

Packet Capture Daemon

The actual daemon that listens to collect the packet captures makes use of the “SRX PCAP Receiver” script, originally sourced from GitHub user craigdods. I have created a fork of this available here. The fork has some extra scripts added for a systemd service file and a cronjob to clean up old packet captures.

All packet captures on my host are stored in /captures (this can be a separate disk if you desire). If you choose to install it in a different directory, you will need to change the paths in the systemd init script, cron tab file and any other commands provided below.

Create the captures directory and check out the repo from GitHub:

mkdir /captures
cd /captures
git clone git@github.com:sysadminblog/SRX_PCAP_Receiver.git .

Add the systemd service and allow it to start on boot:

cp /captures/packetcap.service /etc/systemd/system/packetcap.service
systemctl daemon-reload
systemctl enable packetcap.service

Verify that you can run the packet capture script:

cd /captures && /captures/srx_pcap_receiver.py

If you do not get any errors from running that command, use Control + C to exit.

Start the packet capture service:

service packetcap start

Add the cron to clean up old packet captures:

cp /captures/packetcap.cron /etc/cron.d/packetcap

You can now send the packet captures to 2050 on this server from the SRX device.

NFS Server

If you want the packet captures to be available via NFS, follow these steps.

  1. Install the NFS server packages:
apt-get install nfs-common nfs-kernel-server
  1. Configure the NFS server to export the share. For this example, my PC IP is 192.168.34.231. You must replace the IP below with the source that will be mounting the NFS share:
cat << EOF >> /etc/exports
/captures/Juniper_IDP_PCAP_Storage         192.168.34.231(ro,sync,fsid=0,no_subtree_check,no_root_squash)
EOF
  1. Export the share:
exportfs -a

The share is now exported. The directory can be mounted as usual, eg. for Windows hosts (with the NFS feature installed), use mount \\linux-host\captures\Juniper_IDP_PCAP_Storage G:.

SRX Setup

The SRX device needs to be configured to send the packet captures for IDP attacks to the packet capture server.

Global Setup

The packet capture host needs to be configured in the sensor-configuration section:

set security idp sensor-configuration packet-log source-address 'SOURCE-IP'
set security idp sensor-configuration packet-log host 'PACKETCAP-SERVER-IP'
set security idp sensor-configuration packet-log host port 2050 

Rule Setup

For any IDP rules that you have configured that you would like to have packets captured for, you must set the packet-log notification action.

As an example, for the rule Packet-Cap in the IDP policy Default.Policy:

set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log pre-attack 5
set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log post-attack 20
set security idp idp-policy Default.Policy rulebase-ips rule Packet-Cap then notification packet-log post-attack-timeout 5

Verification

Once an attack with the packet-log action has been triggered, you should be able to browse to /captures/Juniper_IDP_PCAP_Storage on the packet capture server and see the available packet captures.

Leave a Reply

Your email address will not be published.