Juniper

Review configuration options for Juniper firewalls in RocketCyber

Reputation Lookup on connecting IPs: Monitors traffic and informs you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list).
IDS/IPS detections: Monitors and reports malicious network-based intrusion attacks against the firewall.
Login Authentication Failures: Monitors and reports suspicious login failures (FTP, Telnet, web/HTTP).
Administrative logins: Monitors and reports any logins to the firewall by users with administrative or root permissions.

Log Format

Expected format for Juniper Logs:

IDS Event: <19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source:172.xxx.xxx.213, destination: 185.xxx.xx.76, zone name: manage, interface name: ge-0/0/0.0

IDP Event: <19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log <192.xxx.xxx.2/37731->212.xxx.xxx.78/443> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, threat-severity=INFO, name=_, NAT <172.xxx.xxx.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -

IP Traffic Event: <19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created xx.xx.xx.xx/53836->xx.xx.xx.xx/22 junos-ssh xx.xx.xx.xx/53836->10.10.10.1/22 None None 6 log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0

Authorization Event: <19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: User 'tsmith' at 'xx.xx.xx.123' is rejected.
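As an added example (not RocketCyber's or Juniper's own code), a small Python parser that recognises the four message types above and pulls out the fields a monitor would key on: syslog priority, host, event name, the source/destination pair, the IDP action, the flow service, and the rejected user. The sample lines are constructed from the formats shown, with the redacted addresses replaced by documentation-range IPs.

```python
import re

# Constructed sample lines modelled on the four formats above (IPs from documentation ranges).
SAMPLES = [
    "<19>Feb 3 03:30:05 SRX-2 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source:192.0.2.213, "
    "destination: 198.51.100.76, zone name: manage, interface name: ge-0/0/0.0",
    "<19>Dec 28 15:09:30 ankara RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1325084969, TRAFFIC Attack log "
    "<192.0.2.2/37731->198.51.100.78/443> for TCP protocol and service SERVICE_NONE application NONE "
    "by rule 1 of rulebase IPS in policy My_Policy. attack: repeat=0, action=TRAFFIC_IPACTION_DROP, "
    "threat-severity=INFO, name=_, NAT <192.0.2.219:42029->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:lan:fe-0/0/1.0->wan:fe-0/0/0.0, packet-log-id: 0 and misc-message -",
    "<19>Dec 17 08:04:45 srx-firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
    "192.0.2.10/53836->10.10.10.1/22 junos-ssh 192.0.2.10/53836->10.10.10.1/22 None None 6 "
    "log-host-traffic untrust junos-host 5 N/A(N/A) ge-0/0/1.0",
    "<19>Jun 15 02:46:39 srx-firewall mgd[8265]: FWAUTH_TELNET_USER_AUTH_FAIL: User 'tsmith' at '192.0.2.123' is rejected.",
]

# Common syslog header: <PRI>Mon D HH:MM:SS host PROCESS[pid]: EVENT_NAME: message
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)(?:\[\d+\])?: (?P<event>\w+): (?P<msg>.*)$"
)
IDS_RE = re.compile(r"source: ?(?P<src>[\d.]+), destination: ?(?P<dst>[\d.]+)")
FLOW_RE = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)>")
SESSION_RE = re.compile(r"session created (?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+)")
AUTH_RE = re.compile(r"User '(?P<user>[^']+)' at '(?P<src>[\d.]+)' is rejected")
KV_RE = re.compile(r"(?P<k>[\w-]+)=(?P<v>[^,\s]+)")  # key=value pairs in the IDP attack record

def parse_juniper(line):
    """Return a dict of fields for one Juniper SRX syslog line, or None if the header does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"category": "unknown", "host": m["host"], "event": m["event"]}
    rec["syslog_facility"], rec["syslog_severity"] = divmod(int(m["pri"]), 8)  # <19> = local facility 2, severity 3
    msg, proc = m["msg"], m["proc"]
    if proc == "RT_IDS" and (f := IDS_RE.search(msg)):
        rec.update(category="ids", **f.groupdict())
    elif proc == "RT_IDP" and (f := FLOW_RE.search(msg)):
        kv = dict(KV_RE.findall(msg))
        rec.update(category="idp", action=kv.get("action"), threat_severity=kv.get("threat-severity"), **f.groupdict())
    elif proc == "RT_FLOW" and (f := SESSION_RE.search(msg)):
        rec.update(category="traffic", **f.groupdict())
    elif proc == "mgd" and m["event"].startswith("FWAUTH_") and (f := AUTH_RE.search(msg)):
        rec.update(category="auth_failure", **f.groupdict())
    return rec

def summarize(lines):
    """Count events per category, the way a monitor would bucket a batch of lines."""
    counts = {}
    for rec in map(parse_juniper, lines):
        cat = rec["category"] if rec else "unparsed"
        counts[cat] = counts.get(cat, 0) + 1
    return counts
```

Lines whose header parses but whose body matches none of the four patterns come back as category "unknown", so new message types surface in the summary instead of being silently dropped.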