LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide


Document Release: September 2011
Part Number: LL ELS

This manual supports LogLogic Juniper Networks IDP Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2011 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc. 110 Rose Orchard Way, Suite 200 San Jose, CA Tel: Fax: U.S. Toll Free:

Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 Configuring Juniper Networks IDP and the LogLogic Appliance
  Introduction to Juniper Networks IDP
  Prerequisites
  Configuring Juniper Networks IDP
    Configuring the Juniper Networks Management Server
    Configuring a Sensor Policy
    Installing a Sensor Policy
  Enabling the LogLogic Appliance to Capture Log Data
    Adding a Juniper Networks IDP Device
  Verifying the Configuration
Chapter 2 How LogLogic Supports Juniper Networks IDP
  How LogLogic Captures Juniper Networks IDP Data
  LogLogic Real-Time Reports
Chapter 3 Troubleshooting and FAQ
  Troubleshooting
  Frequently Asked Questions
Appendix A Event Reference
  LogLogic Support for Juniper Networks IDP Alerts
    Supported Log Formats
    Sample Log Messages


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Juniper Networks Intrusion Detection and Prevention (IDP) enables LogLogic Appliances to capture logs from machines running Juniper Networks IDP.

Once the logs are captured and parsed, you can generate reports and create alerts on Juniper Networks IDP's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:

Telephone: Toll Free LOGS Local EMEA or APAC: + 44 (0) or +44 (0)
support@loglogic.com

You can also visit the LogLogic Support website at:

When contacting Customer Support, be prepared to provide:

- Your name, address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

    username: system
    home directory: home\app

- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

    LogLogic_home_directory\upgrade\

- Straight brackets signal options in command-line syntax. For example:

    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring Juniper Networks IDP and the LogLogic Appliance

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Juniper Networks IDP logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Juniper Networks IDP log data.

- Introduction to Juniper Networks IDP
- Prerequisites
- Configuring Juniper Networks IDP
- Enabling the LogLogic Appliance to Capture Log Data
- Verifying the Configuration

Introduction to Juniper Networks IDP

The Juniper IDP policy consists of specific traffic filters enabled with syslog as a log forwarding action to send log data towards the LogLogic Appliance. These IPS events will be auto-identified, if enabled, and parsed into the LogLogic report tables for later review.

The Juniper Networks IDP system consists of a Management Server and network sensors. The LogLogic Appliance supports Juniper Networks IDP logs in syslog format. However, enabling syslog within the IDP system is a three-step process that includes:

1. Configuring the Juniper Networks Management Server to enable syslog and define a Syslog Server. The Syslog Server can be a remote host machine or the LogLogic Appliance itself.
2. Configuring a sensor policy to enable syslog.
3. Installing the new policy on the sensors.

The configuration procedures for Juniper Networks IDP and the LogLogic Appliance depend on the deployment method you select for your environment. For more information, see How LogLogic Captures Juniper Networks IDP Data on page 18.

Prerequisites

Prior to configuring the Juniper Networks IDP and LogLogic Appliance, ensure that you meet the following prerequisites:

- Juniper IDP version 3.1, 4.x and 5.0
- Proper access permissions to make configuration changes
- LogLogic Appliance running Release 5.1 or later with a Log Source Package that includes Juniper IDP support
- Administrative access on the LogLogic Appliance

Configuring Juniper Networks IDP

This section describes how to enable Juniper Networks IDP to send alerts to a Syslog Server (i.e., a LogLogic Appliance). You must enable and configure Syslog on Juniper NSM managing the IDP prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Juniper IDP regarding configuration and Syslog. For more information on these areas, see Juniper IDP and Juniper NSM Product Documentation.

IMPORTANT! The procedures in this section describe an installation for a single policy on a single Management Server. The steps must be repeated for each Management Server and sensor policy where syslog alerting is needed.

Configuring the Juniper Networks Management Server

To configure the management server:

1. Log in to the Juniper Networks Management Server as the administrator (i.e., admin). The Dashboard appears.
2. Select Tools > Preferences. The Preference Settings window appears.

Figure 1 Juniper Networks IDP Management Server - Dashboard

3. Select Management Server. The Management Server configuration options appear on the right side of the window.
4. Under the Syslog area, in the Host text field, type in the IP address of the Syslog Server. You can specify the LogLogic Appliance as the Syslog Server. Alternatively, you can specify a separate Syslog Server and have the LogLogic Appliance capture the logs from there. For more information, see How LogLogic Captures Juniper Networks IDP Data on page 18.

   Note: The Management Server configuration only permits one Syslog Server (i.e., one LogLogic Appliance). Also, the server address must be an IP address.

5. Under the Global Logging area, select the Using Syslog checkbox.

Figure 2 Preference Settings > Management Server

6. Click OK. The Confirm Changes dialog box appears.
7. Click Yes.

Figure 3 Confirm Changes

Configuring a Sensor Policy

To configure a sensor policy:

1. Log in to the Juniper Networks Management Server as the administrator (i.e., admin). The Dashboard appears.
2. In the IDP Components pane on the left, select Security Policies. A list of security policies is displayed.
3. Select the security policy you want to configure.

Figure 4 Security Policies

   The area to the right of the IDP Components pane changes to the rules configured for the selected security policy. Tabs appear at the top of the window for each configuration type.

4. Select the Main tab.
5. For each rule in the security policy, right-click in the Notification column and select Configure.

Figure 5 Security Policies > Main > Configure

   The Configure Notification window appears.

6. In the Configure Notification window, complete the following steps:
   a. Make sure that the enable logging checkbox is selected.
   b. Select the syslog checkbox.
   c. Click OK.

Figure 6 Configure Notification Window

   On the Main tab, in the Notification column, appears for the rule selected. If isn't visible a more... link might exist. If it does, select it. should be visible. If not, repeat the rule configuration steps and verify the set up is correct.

7. Repeat Step 2 through Step 6 for each security policy and each rule that generates a syslog message.

To configure syslog forwarding for a single IDP 4.x/5 device:

1. In the NSM Device Manager, double-click the IDP device to display the device configuration editor (Figure 7).
2. Click Report Settings.
3. Select Enable Syslog.
4. Specify the LogLogic Appliance IP address.
5. Click OK.

Figure 7 Configure Log Settings Page

Installing a Sensor Policy

After a sensor policy configuration is completed, the policy must be installed on the sensors.

To install policy on a sensor:

1. Log in to the Juniper Networks Management Server as the administrator (i.e., admin). The Dashboard appears.
2. In the IDP Components pane on the left, select Security Policies. A list of security policies is displayed.
3. Select the security policy you want to install.
4. From the menu bar, select Policy > Install.

   Tip: You can also select the Install Policy icon from the icon bar.

Figure 8 Security Policies > Policy > Install

   The Policy Editor - Install dialog box appears.

5. Click Yes to save the policy before proceeding with the install.

Figure 9 Policy Editor - Install Dialog Box

   The Policy Install Status window appears with a list of sensors where the policy can be installed.

6. In the Install On column, select the checkbox for all the sensors where you want to install the policy.

Figure 10 Policy Install Status Window

7. Click OK. The installation progress for each sensor is displayed in the Policy Install Status window.
8. When the installation is complete, click OK.

Figure 11 Policy Install Status - Installation Complete

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture Juniper Networks IDP log data.

Adding a Juniper Networks IDP Device

To add Juniper Networks IDP as a new device:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:

   Name
      Name for the Juniper Networks IDP device
   Description (optional)
      Description of the Juniper Networks IDP device
   Device Type
      Select Juniper Networks IDP from the drop-down menu
   Host IP
      IP address of the Juniper Networks IDP appliance
   Enable Data Collection
      Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional)
      Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 12 LogLogic Appliance Add Devices Tab

5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Juniper Networks Management Server (or remote Syslog Server depending on your environment), the LogLogic Appliance uses the device you just added if the IP address matches.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Juniper Networks IDP and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP for Juniper Networks IDP.

If traffic was detected soon after the policy was installed on the sensor, a Juniper IDP entry appears in the Type column (see Figure 13 on page 17).

Figure 13 Verification of the Juniper Networks IDP Configuration

If the device does not appear in the Log Source Status tab, check the Juniper Networks IDP logs for events that should have been sent. If traffic was detected and events are still not appearing on the LogLogic Appliance, verify the Juniper Networks Management Server configuration, sensor policy configuration, and the LogLogic Appliance configuration. Also make sure that the sensor policy was properly installed on all of the sensors where you want to capture events.

Note: If you are using a machine other than the LogLogic Appliance as your Syslog Server, make sure that you have properly configured the Management Server and the Appliance to access that server.

You can also verify that the LogLogic Appliance is properly capturing log data from Juniper Networks IDP by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 19.

If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 20 for more information.

Chapter 2 How LogLogic Supports Juniper Networks IDP

This chapter describes LogLogic's support for Juniper Networks IDP. LogLogic enables you to capture Juniper Networks IDP log data to monitor events.

- How LogLogic Captures Juniper Networks IDP Data
- LogLogic Real-Time Reports

How LogLogic Captures Juniper Networks IDP Data

The Juniper Networks Management Server administers all of the sensors within the IDP system. The sensors send events in syslog format to the Management Server, and the Management Server then sends the logs to a specified Syslog Server. The LogLogic Appliance can act as the Syslog Server for IDP, and the logs are sent, via UDP or TCP, to the Syslog Listener on the Appliance.

Figure 14 Juniper Networks IDP with LogLogic Appliance as the Syslog Server

You can also configure a separate machine as the Syslog Server and have the LogLogic Appliance capture the logs from there. In this case, logs are sent from the Management Server to the Syslog Server, and then from the Syslog Server to the LogLogic Appliance.

Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Juniper Networks IDP. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Note: LogLogic Support for Juniper Networks IDP Alerts on page 21 contains a more detailed description of the LogLogic-supported log format for Juniper Networks IDP messages and provides sample logs.

Note: The LogLogic Appliance captures all messages from the Juniper IDP logs, but includes only specific messages for report/alert generation. For more information, see Juniper IDP v4.x/5 Event on page 24 for a sample log message.

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Juniper Networks IDP log data. The following Real-Time Reports are available:

   All Unparsed Events
      Displays data for all events retrieved from the Juniper Networks IDP log for a specified time interval
   IDS Activity
      Displays Source and Destination IP address, Destination port number, and Signature intrusion detection information for a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.
2. Select Threat Management. The following Real-Time Report is available:
   - IDS/IPS Activity
3. Select Operational. The following Real-Time Report is available:
   - All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting regarding the configuration and/or use of log collection for Juniper Networks IDP. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

- Troubleshooting
- Frequently Asked Questions

Troubleshooting

Juniper Networks IDP events are not appearing on the LogLogic Appliance even after traffic was detected

You can verify that your log files are received by viewing the File Transfer History. You can view the history from the Administration > File Transfer History tab.

The Juniper Networks Management Server or the sensor policy might not be configured correctly. Also make sure that the policy was properly installed on all of the sensors where you want to capture events. To configure the Management Server, see Configuring the Juniper Networks Management Server on page 8. To configure a sensor policy, see Configuring a Sensor Policy on page 10 and Installing a Sensor Policy on page 13.

Events are not displaying on the LogLogic Appliance even after configuring Juniper Networks IDP correctly

Juniper Networks IDP sends the logs, via UDP or TCP, in Syslog format, to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Juniper Networks Management Server. For more information about supported protocols and ports, see the LogLogic Administration Guide.

Frequently Asked Questions

How does the LogLogic Appliance collect logs from Juniper Networks IDP?

Juniper Networks IDP forwards logs in Syslog format, via UDP or TCP, to the LogLogic Appliance. The Juniper Networks Management Server can use the LogLogic Appliance or a separate host machine as its Syslog Server. For more information, see How LogLogic Captures Juniper Networks IDP Data on page 18.

What access permissions are required?

To configure syslog on Juniper Networks IDP, the Juniper Networks Management Server user needs to have administrative permissions.

How do I configure Syslog on Juniper Networks IDP?

Follow the procedures on Configuring Juniper Networks IDP on page 8. Also make sure that you verify your configuration changes on the LogLogic Appliance (Verifying the Configuration on page 17).

Appendix A Event Reference

This appendix lists the LogLogic-supported Juniper Networks IDP log formats and provides sample log messages for each format.

LogLogic Support for Juniper Networks IDP Alerts

This section describes the Juniper Networks IDP alert log formats supported by the LogLogic Appliance and provides sample log messages that follow those formats. All sample log messages were captured by LogLogic's Syslog listener.

Supported Log Formats

Only the following log formats are supported by the LogLogic Appliance:

Code Example 1 Support Log Format v3.1

   <day id>-<record id> <timestamp> <sensor addr> <src addr>:<src port> <dst addr>:<dst port> <nat src addr>:<nat src port> <nat dst addr>:<nat dst port> <user> <in nic> <out nic> <sensor vin> <virtual dev> <attack> <policy name>:<policy ver> <rulebase> <rule number> <bytes> <packets> <elapsed> <protocol> <category>-<subcategory> <action> <session id1>-<session id2> <is hidden> <is duplicate> <is alert> <severity> <run script> <send > <send snmp> <send syslog>

Code Example 2 Support Log Format v4.x/5

   <day id>, <record id>, <timereceived>, <timegenerated>, <domain>,<domainversion>, <devicename>, <deviceipaddress>, <category>, <subcategory>, <src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>, <dst zone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>, <protocol>, <rule domain>, <rule domainversion>, <policyname>, <rulebase>, <rulenumber>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>, <bytestotal>, <packet in>, <packet out>, <packet total>, <repeatcount>, <haspacketdata>, <vardata Enum>, <misc-str>, <user str>, <application str>, <uri str>

Log Format Parameters

The less-than and greater-than brackets (<>) are only used to improve the readability of the text. The brackets do not appear in the actual logs. For more information on any of these parameters, see the Juniper Networks IDP Product Documentation.

   day id-record id
      The day ID and record ID column displays the unique ID for the log record; this is derived from the combination of the date and log number
   timestamp
      The timestamp column displays the date and time that the sensor generated the log record
   sensor addr
      The device address column displays the IP address or host name of the sensor that generated the log record

   src addr:src port
      The source address column displays the IP address of the machine that generated the matching traffic. The source port column displays the port number of the traffic for TCP/UDP or the ICMP ID of the traffic for ICMP.
   dst addr:dst port
      The destination address column displays the IP address or hostname that was the target of the matching traffic. The destination port column displays the port number of the traffic for TCP/UDP or the ICMP type of the traffic for ICMP.
   nat src addr:nat src port
      The natted source address and natted source port columns display the IP address and port number of the machine that generated the matching traffic
   nat dst addr:nat dst port
      The natted destination address and natted destination port columns display the IP address or hostname and the port number that was the target of the matching traffic
   user
      Username associated with the log
   in nic
      The inbound Network Interface Card (NIC) column displays the NIC on the sensor that the traffic used to enter the network, such as eth0 or eth1
   out nic
      The outbound NIC column displays the NIC on the sensor that the traffic used to depart the network, such as eth0 or eth1
   sensor vin
      The device vin column displays the VIN of the sensor that generated the log record. Each sensor has a unique VIN that is given to you during the Sensor configuration process on the IDP system. If you are using multiple sensors, you can use the device VIN to help determine what sensor generated the log record.
   virtual dev
      The virtual device column displays the virtual device on the Sensor that the traffic crossed, such as s0 or s1
   attack
      The attack column displays the name of the signature or protocol anomaly Attack Object that triggered the log record
   policy name:policy ver
      The policy name column displays the ID of the security policy that generated the log record. The policy version column displays the version of the security policy that generated the log record.
   rulebase
      The rulebase column displays the security policy rulebase that generated the log record (i.e., Main, Backdoor Detection, Network Honeypot, SYN-Protector, Traffic Anomalies, or Sensor Settings)
   rule number
      The rule number column displays the number of the security policy rule that generated the log record
   bytes
      The bytes column displays the number of bytes present during a session
   packets
      The packets column displays the number of packets transmitted during a session
   elapsed
      The elapsed column displays the elapsed time for a session; it appears only for a session end log record
   protocol
      The protocol column displays the IP protocol of the traffic that generated the log record (i.e., TCP, UDP, ICMP, etc.)
   category
      The category column displays the log record category, ATTACK or TRAFFIC:
      - The ATTACK category includes security events that threaten the network
      - The TRAFFIC category includes log records generated by rules in the SYN-Protector Rulebase, the Backdoor Detection Rulebase, and implied rules in the Sensor Settings Rulebase

   subcategory
      The subcategory column displays the log record's sub-category.

      ATTACK subcategory examples:
      - IDP_ATTACK_MATCH: Indicates a traffic match with a signature Attack Object in a security policy rule
      - All other entries indicate a traffic match with a protocol anomaly Attack Object in a security policy rule

      TRAFFIC subcategory examples:
      - SCAN_DIST_PORT_SCAN: IDP has detected a distributed port scan
      - SCAN_DIST_PORT_SCAN_IN_PROGRESS: IDP has detected a distributed port scan in progress
      - SCAN_TCP_PORT_SCAN: IDP has detected a TCP scan
      - SCAN_TCP_PORT_SCAN_IN_PROGRESS: IDP has detected a TCP scan in progress
      - SCAN_UDP_PORT_SCAN: IDP has detected a UDP scan
      - SCAN_UDP_PORT_SCAN_IN_PROGRESS: IDP has detected a UDP scan in progress
      - BACKDOOR_DETECTED: The IDP Backdoor Detection mechanism has detected a backdoor connection
      - SYN_SYNACK_RST: The IDP SYN-Protector mechanism has detected a TCP connection attempt that was immediately followed by a Reset (RST) packet from the client
      - SYN_SYNACK_TIMEOUT: The IDP SYN-Protector mechanism has detected a half-open TCP connection
      - STP_ENTER_BLOCKING_STATE: IDP has detected that one of the interfaces participating in Spanning Tree Protocol (STP) has entered the blocking state
      - STP_ENTER_LISTENING_STATE: IDP has detected that one of the interfaces participating in STP has entered the listening state
      - STP_ENTER_DISABLED_STATE: IDP has detected that one of the interfaces participating in STP has entered the disabled state
      - ARP_INVALID_SENDER_IP: IDP has detected an Address Resolution Protocol (ARP) request/response that has a sender IP in the ARP header of , , or
      - ARP_TARGET_HW_MISMATCH: IDP has detected an ARP response that has a target Media Access Control (MAC) address in the Ethernet frame that does not match the target MAC address in the ARP header
   action
      The action column displays the action that the sensor performed when it generated the log record
   session id1-session id2
      Internal tracking numbers for the log
   is hidden
      The hidden column displays values yes or no. If the value is yes, the generated log is hidden; if no, it is not.
   is duplicate
      The is duplicate column displays values yes or no. If the value is yes, the generated log is a duplicate; if no, it is not.
   is alert
      The alert column displays values yes or no. If the value is yes, the generated log is an alert; if no, it is not.
   severity
      The severity column displays the severity of the Attack Object in the log record. If the log record does not contain a matching Attack Object, this column is empty.

   run script
      The script column displays values yes or no. If value is yes, the sensor ran a script when it generated the log record; if no, a script was not run.
   send
      The column displays values yes or no. If value is yes, the sensor automatically sent an to a user-specified address when it generated the log record; if no, an was not sent.
   send snmp
      The snmp column displays values yes or no. If value is yes, the sensor sent an SNMP trap when it generated the log record; if no, an SNMP trap was not sent.
   send syslog
      The syslog column displays values yes or no. If value is yes, the sensor generated a syslog event when it generated the log record; if no, then a syslog event was not generated.

Sample Log Messages

The following sample log messages represent events in the ATTACK or TRAFFIC log record category. Both samples adhere to the Supported Log Format (Code Example 1 on page 21).

Example 1 Sample Log in the ATTACK Category for IDP v

   /08/26 21:56: : : : :0 eth2 F3CC-B1DC-D9E2-6AA7 s0 TCP:AUDIT:S2C-LASTACK-ACK LogTest :1 IDS TCP ATTACK-TCP_S2C_LASTACK_ACK NONE 0,0 no no yes INFO no no no yes

Example 2 Sample Log in the TRAFFIC Category for IDP v

   /08/26 21:52: : : : :0 eth1 F3CC-B1DC-D9E2-6AA7 s0 LogTest :1 TSIG TCP TRAFFIC-SCAN_TCP_PORT_SCAN_IN_PROGRESS NONE 0,0 no no yes NONE no no yes yes

Example 3 Juniper IDP v4.x/5 Event

   <26> T15:48: Jnpr Syslog [syslog@juniper.net dayid=" " recordid="0" timerecv="2010/11/30 15:48:54" timegen="2010/11/30 15:48:54" domain="" devdomver2="0" device_ip=" " cat="predefined" attack=" srczn="null" srcintf=" eth1" srcaddr=" " srcport="1495" natsrcaddr="null" natsrcport="0" dstzn="null" dstintf="null" dstaddr=" " dstport="80" natdstaddr="null" natdstport="0" protocol="tcp" ruledomain="" rulever="0" policy="recommended" rulebase="ids" ruleno="3" action="drop" severity="major" alert="no" elaspedtime="0" inbytes="0" outbytes="0" totbytes="0" inpak="0" outpak="0" totpak="0" repcount="0" packetdata="no" varenum="31" misc="'interface=eth1'" user="null" app="null" uri="null"]
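The key="value" layout of the v4.x/5 event in Example 3 can be parsed strictly, so that a truncated or garbled record is set aside as unparsed instead of being half-read into the source, destination, port and signature columns that the IDS Activity report uses. The Python below is an added example, not LogLogic or Juniper code: the function names are hypothetical, and the sample event is constructed (documentation addresses, a placeholder attack name, and header fields between the priority and the bracket that the parser ignores).

```python
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")                      # syslog priority, e.g. <26>
SD_RE = re.compile(r"\[syslog@juniper\.net\s+(.*)\]\s*$", re.S)
PAIR_RE = re.compile(r'\s*([A-Za-z0-9_]+)="((?:[^"\\]|\\.)*)"')

# Keys as spelled in Example 3 (including "elaspedtime").
INT_FIELDS = {"recordid", "srcport", "natsrcport", "dstport", "natdstport",
              "ruleno", "elaspedtime", "inbytes", "outbytes", "totbytes",
              "inpak", "outpak", "totpak", "repcount"}
BOOL_FIELDS = {"alert", "packetdata"}

# Constructed sample: RFC 5737 addresses, placeholder attack name, made-up header.
SAMPLE_OK = (
    '<26>1 2010-11-30T15:48:54 idp-sensor Jnpr Syslog - 1 '
    '[syslog@juniper.net dayid="20101130" recordid="0" '
    'timerecv="2010/11/30 15:48:54" timegen="2010/11/30 15:48:54" domain="" '
    'devdomver2="0" device_ip="192.0.2.10" cat="predefined" '
    'attack="EXAMPLE:PLACEHOLDER:SIGNATURE" srczn="null" srcintf="eth1" '
    'srcaddr="198.51.100.7" srcport="1495" natsrcaddr="null" natsrcport="0" '
    'dstzn="null" dstintf="null" dstaddr="203.0.113.20" dstport="80" '
    'natdstaddr="null" natdstport="0" protocol="tcp" ruledomain="" rulever="0" '
    'policy="recommended" rulebase="ids" ruleno="3" action="drop" '
    'severity="major" alert="no" elaspedtime="0" inbytes="0" outbytes="0" '
    'totbytes="0" inpak="0" outpak="0" totpak="0" repcount="0" packetdata="no" '
    'varenum="31" misc="\'interface=eth1\'" user="null" app="null" uri="null"]'
)
# Constructed failure case: the attack value and its closing quote are missing.
SAMPLE_BAD = SAMPLE_OK.replace('attack="EXAMPLE:PLACEHOLDER:SIGNATURE"', 'attack="')


def parse_idp_event(line):
    """Parse one v4.x/5 event; raise ValueError on anything not fully consumed."""
    pri, sd = PRI_RE.match(line), SD_RE.search(line)
    if not pri or not sd:
        raise ValueError("no PRI or no [syslog@juniper.net ...] element")
    body, pos, fields = sd.group(1).strip(), 0, {}
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if not m:  # leftover text means a quote or a value went missing upstream
            raise ValueError("malformed pair near %r" % body[pos:pos + 20])
        key, raw = m.group(1), m.group(2).strip()
        if key in fields:
            raise ValueError("duplicate key %r" % key)
        if raw == "null":
            fields[key] = None
        elif key in INT_FIELDS:
            fields[key] = int(raw)          # non-numeric text raises ValueError
        elif key in BOOL_FIELDS:
            fields[key] = (raw == "yes")
        else:
            fields[key] = raw
        pos = m.end()
    value = int(pri.group(1))               # PRI = facility * 8 + severity
    return {"facility": value >> 3, "severity": value & 7, "fields": fields}


def ids_activity(event):
    """Columns the guide lists for the IDS Activity report."""
    f = event["fields"]
    return {"src": f.get("srcaddr"), "dst": f.get("dstaddr"),
            "dport": f.get("dstport"), "signature": f.get("attack")}


def triage(lines):
    """Split lines into parsed report rows and lines to review as unparsed."""
    parsed, unparsed = [], []
    for line in lines:
        try:
            parsed.append(ids_activity(parse_idp_event(line)))
        except ValueError:
            unparsed.append(line)
    return parsed, unparsed


if __name__ == "__main__":
    rows, rejected = triage([SAMPLE_OK, SAMPLE_BAD])
    print(rows)
    print(len(rejected), "line(s) left unparsed")
```

The priority `<26>` decodes to syslog facility 3 and severity 2, which is independent of the `severity="major"` field carried inside the event.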


More information

Microsoft Active Directory (AD) Service Log Configuration Guide

Microsoft Active Directory (AD) Service Log Configuration Guide Microsoft Active Directory (AD) Service Log Configuration Guide Document Release: October 2011 Part Number: LL600011-00ELS090000 This manual supports LogLogic Microsoft AD Service Release 1.0 and above,

More information

LogLogic Apache Web Server Log Configuration Guide

LogLogic Apache Web Server Log Configuration Guide LogLogic Apache Web Server Log Configuration Guide Document Release: September 2011 Part Number: LL60009-00ELS090001 This manual supports LogLogic Apache Web Server Release 1.0 and later, and LogLogic

More information

LogLogic Microsoft SQL Server Log Configuration Guide

LogLogic Microsoft SQL Server Log Configuration Guide LogLogic Microsoft SQL Server Log Configuration Guide Document Release: March 2012 Part Number: LL600028-00ELS090002 This manual supports LogLogic Microsoft SQL Server Release 2.0 and later, and LogLogic

More information

LogLogic Check Point Management Station Log Configuration Guide

LogLogic Check Point Management Station Log Configuration Guide LogLogic Check Point Management Station Log Configuration Guide Document Release: September 2011 Part Number: LL600013-00ELS090000 This manual supports LogLogic Check Point Management Station Release 2.0

More information

LogLogic McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide

LogLogic McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide LogLogic McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide Document Release: September 2011 Part Number: LL600046-00ELS900001 This manual supports LogLogic Sidewinder Release 1.2 and later,

More information

LogLogic Juniper Networks JunOS Log Configuration Guide

LogLogic Juniper Networks JunOS Log Configuration Guide LogLogic Juniper Networks JunOS Log Configuration Guide Document Release: September 2011 Part Number: LL600052-00EL01000000 This manual supports LogLogic s Juniper Networks JunOS Release 1.0 and above,

More information

LogLogic IBM i5/os Collector Guide

LogLogic IBM i5/os Collector Guide LogLogic IBM i5/os Collector Guide Software Release: 1.0 Document Release: December 2010 Part Number: LL600020-00EI5010001 This manual supports LogLogic IBM i5/os Collector Release 1.0 and later, and LogLogic

More information

LogLogic Blue Coat ProxySG Log Configuration Guide

LogLogic Blue Coat ProxySG Log Configuration Guide LogLogic Blue Coat ProxySG Log Configuration Guide Document Release: September 2011 Part Number: LL600012-00ELS100001 This manual supports LogLogic Blue Coat ProxySG Release 1.0 and later, and LogLogic

More information

PROFESSIONAL SECURITY SYSTEMS

PROFESSIONAL SECURITY SYSTEMS PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security

More information

LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide

LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide LogLogic Microsoft Windows Server 2000/2003 Log Configuration Guide Document Release: September 2011 Part Number: LL600029-00ELS090002 This manual supports LogLogic Microsoft Windows Server 2000/2003 Release

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1

Vantage Report. User s Guide. www.zyxel.com. Version 3.0 10/2006 Edition 1 Vantage Report User s Guide Version 3.0 10/2006 Edition 1 www.zyxel.com About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the Vantage

More information

Integrate Check Point Firewall

Integrate Check Point Firewall Integrate Check Point Firewall EventTracker Enterprise Publication Date: Oct.26, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is

More information

Interworks. Interworks Cloud Platform Installation Guide

Interworks. Interworks Cloud Platform Installation Guide Interworks Interworks Cloud Platform Installation Guide Published: March, 2014 This document contains information proprietary to Interworks and its receipt or possession does not convey any rights to reproduce,

More information

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6

Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 INTEGRATION GUIDE May 2014 3725-75304-001 Rev B Polycom RSS 4000 / RealPresence Capture Server 1.6 and RealPresence Media Manager 6.6 Polycom, Inc. 0 Copyright 2014, Polycom, Inc. All rights reserved.

More information

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0 Abstract These Application

More information

NETFORT LANGUARDIAN MONITORING WAN CONNECTIONS. How to monitor WAN connections with NetFort LANGuardian Aisling Brennan

NETFORT LANGUARDIAN MONITORING WAN CONNECTIONS. How to monitor WAN connections with NetFort LANGuardian Aisling Brennan NETFORT LANGUARDIAN MONITORING WAN CONNECTIONS How to monitor WAN connections with NetFort LANGuardian Aisling Brennan LANGuardian gives you the information you need to troubleshoot problems and monitor

More information

Verizon Firewall. 1 Introduction. 2 Firewall Home Page

Verizon Firewall. 1 Introduction. 2 Firewall Home Page Verizon Firewall 1 Introduction Verizon Firewall monitors all traffic to and from a computer to block unauthorized access and protect personal information. It provides users with control over all outgoing

More information

There are numerous ways to access monitors:

There are numerous ways to access monitors: Remote Monitors REMOTE MONITORS... 1 Overview... 1 Accessing Monitors... 1 Creating Monitors... 2 Monitor Wizard Options... 11 Editing the Monitor Configuration... 14 Status... 15 Location... 17 Alerting...

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

Integrate Websense Web Security Gateway (WSG)

Integrate Websense Web Security Gateway (WSG) Integrate Websense Web Security Gateway (WSG) EventTracker v7.x Publication Date: June 2, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides instructions

More information

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air - Virtual Private Cloud OnDemand Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

TIBCO LogLogic. SOX and COBIT Compliance Suite Quick Start Guide. Software Release: 3.5.0. December 2012. Two-Second Advantage

TIBCO LogLogic. SOX and COBIT Compliance Suite Quick Start Guide. Software Release: 3.5.0. December 2012. Two-Second Advantage TIBCO LogLogic SOX and COBIT Compliance Suite Quick Start Guide Software Release: 3.5.0 December 2012 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE.

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do? McAfee SIEM Alarms Setting up and Managing Alarms Introduction McAfee SIEM provides the ability to send alarms on a multitude of conditions. These alarms allow for users to be notified in near real time

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Parallels Plesk Control Panel

Parallels Plesk Control Panel Parallels Plesk Control Panel Copyright Notice ISBN: N/A Parallels 660 SW 39 th Street Suite 205 Renton, Washington 98057 USA Phone: +1 (425) 282 6400 Fax: +1 (425) 282 6444 Copyright 1999-2008, Parallels,

More information

Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0

Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for BT Wholesale/HIPCOM SIP Trunk Service and Avaya IP Office 8.0 Issue 1.0 Abstract These Application Notes describe the procedures for configuring

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

1 You will need the following items to get started:

1 You will need the following items to get started: QUICKSTART GUIDE 1 Getting Started You will need the following items to get started: A desktop or laptop computer Two ethernet cables (one ethernet cable is shipped with the _ Blocker, and you must provide

More information

Quick Start Guide. for Installing vnios Software on. VMware Platforms

Quick Start Guide. for Installing vnios Software on. VMware Platforms Quick Start Guide for Installing vnios Software on VMware Platforms Copyright Statements 2010, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form,

More information

Common Event Format Configuration Guide

Common Event Format Configuration Guide Common Event Format Configuration Guide F5 Networks BIG-IP Application Security Manager (ASM) Date: Friday, May 27, 2011 CEF Connector Configuration Guide This document is provided for informational purposes

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

After you have created your text file, see Adding a Log Source.

After you have created your text file, see Adding a Log Source. TECHNICAL UPLOADING TEXT FILES INTO A REFERENCE SET MAY 2012 This technical note provides information on how to upload a text file into a STRM reference set. You need to be comfortable with writing regular

More information

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1 First Published: April 16, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

More information

EMC Data Domain Management Center

EMC Data Domain Management Center EMC Data Domain Management Center Version 1.1 Initial Configuration Guide 302-000-071 REV 04 Copyright 2012-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes

More information

Application Notes for Configuring MUG Enterprise Interceptor with Avaya Proactive Contact - Issue 1.0

Application Notes for Configuring MUG Enterprise Interceptor with Avaya Proactive Contact - Issue 1.0 Avaya Solution & Interoperability Test Lab Application Notes for Configuring MUG Enterprise Interceptor with Avaya Proactive Contact - Issue 1.0 Abstract These Application Notes describe the procedures

More information

A10 Networks Load Balancer

A10 Networks Load Balancer McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: A10 Networks Load Balancer January 26, 2015 A10 Networks Load Balancer Page 1 of 8 Important Note: The information contained

More information

RSA Authentication Manager

RSA Authentication Manager McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: RSA Authentication Manager February 26, 2015 RSA Authentication Manager Page 1 of 9 Important Note: The information contained

More information

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy Blue Coat Security First Steps Solution for Deploying an Explicit Proxy SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,

More information

AV Management Dashboard

AV Management Dashboard LabTech AV Management Dashboard AV MANAGEMENT DASHBOARD... 1 Overview... 1 Requirements... 1 Dashboard Overview... 2 Clients/Groups... 2 Offline AV Agents... 3 Threats... 3 AV Product... 4 Sync Agent Data

More information

How To Test The Bandwidth Meter For Hyperv On Windows V2.4.2.2 (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2

How To Test The Bandwidth Meter For Hyperv On Windows V2.4.2.2 (Windows) On A Hyperv Server (Windows V2) On An Uniden V2 (Amd64) Or V2A (Windows 2 BANDWIDTH METER FOR HYPER-V NEW FEATURES OF 2.0 The Bandwidth Meter is an active application now, not just a passive observer. It can send email notifications if some bandwidth threshold reached, run scripts

More information

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview

More information

Integrating with IBM Tivoli TSOM

Integrating with IBM Tivoli TSOM Integration Notes Integrating with IBM Tivoli TSOM The Cascade Profiler integrates with the IBM Tivoli Security Operations Manager (TSOM) through the use of SNMP traps. It has been tested with TSOM Version

More information

Remote Management System

Remote Management System RMS Copyright and Distribution Notice November 2009 Copyright 2009 ARTROMICK International, Inc. ALL RIGHTS RESERVED. Published 2009. Printed in the United States of America WARNING: ANY UNAUTHORIZED

More information

HP IMC User Behavior Auditor

HP IMC User Behavior Auditor HP IMC User Behavior Auditor Administrator Guide Abstract This guide describes the User Behavior Auditor (UBA), an add-on service module of the HP Intelligent Management Center. UBA is designed for IMC

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.

Copyright 2013 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

User Identification and Authentication

User Identification and Authentication User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included

More information

Accellion Secure File Transfer

Accellion Secure File Transfer McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Accellion Secure File Transfer January 26, 2015 Accellion Secure File Transfer Page 1 of 7 Important Note: The information

More information

WatchDox Administrator's Guide. Application Version 3.7.5

WatchDox Administrator's Guide. Application Version 3.7.5 Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals

More information

Getting Started. Version 9.1

Getting Started. Version 9.1 Getting Started Version 9.1 Contents About this Guide 4 Other Resources 4 Product Documentation 4 Online Training Program 4 Daily Online Q & A sessions 4 Prepare Your Customer's Network 5 Create a Probe

More information

How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac)

How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac) CA ARCserve Backup Patch Manager for Windows User Guide r16 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Configuring SSL VPN on the Cisco ISA500 Security Appliance

Configuring SSL VPN on the Cisco ISA500 Security Appliance Application Note Configuring SSL VPN on the Cisco ISA500 Security Appliance This application note describes how to configure SSL VPN on the Cisco ISA500 security appliance. This document includes these

More information

Adaptive Log Exporter Users Guide

Adaptive Log Exporter Users Guide IBM Security QRadar Version 7.1.0 (MR1) Note: Before using this information and the product that it supports, read the information in Notices and Trademarks on page page 119. Copyright IBM Corp. 2012,

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Automating Server Firewalls

Automating Server Firewalls Automating Server Firewalls With CloudPassage Halo Contents: About Halo Server Firewalls Implementing Firewall Policies Create and Assign a Firewall Policy Specify Firewall-Related Components Managing

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters

More information

eprism Email Security Suite

eprism Email Security Suite Guide eprism 2505 eprism Email Security Suite 800-782-3762 www.edgewave.com 2001 2012 EdgeWave. All rights reserved. The EdgeWave logo is a trademark of EdgeWave Inc. All other trademarks and registered

More information

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Network Detective 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Contents Overview... 3 Components of the Inspector... 3 Inspector Appliance... 3 Inspector Diagnostic Tool... 3 Network

More information

Introduction Installation firewall analyzer step by step installation Startup Syslog and SNMP setup on firewall side firewall analyzer startup

Introduction Installation firewall analyzer step by step installation Startup Syslog and SNMP setup on firewall side firewall analyzer startup Introduction Installation firewall analyzer step by step installation Startup Syslog and SNMP setup on firewall side firewall analyzer startup Configuration Syslog server add and check Configure SNMP on

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

CA Spectrum. Microsoft MOM and SCOM Integration Guide. Release 9.4

CA Spectrum. Microsoft MOM and SCOM Integration Guide. Release 9.4 CA Spectrum Microsoft MOM and SCOM Integration Guide Release 9.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

Windows Firewall Configuration with Group Policy for SyAM System Client Installation with Group Policy for SyAM System Client Installation SyAM System Client can be deployed to systems on your network using SyAM Management Utilities. If Windows Firewall is enabled on target systems, it

More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Sage 200 Web Time & Expenses Guide

Sage 200 Web Time & Expenses Guide Sage 200 Web Time & Expenses Guide Sage (UK) Limited Copyright Statement Sage (UK) Limited, 2006. All rights reserved If this documentation includes advice or information relating to any matter other than

More information

Sample Configuration: Cisco UCS, LDAP and Active Directory

Sample Configuration: Cisco UCS, LDAP and Active Directory First Published: March 24, 2011 Last Modified: March 27, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Audit Management Reference

Audit Management Reference www.novell.com/documentation Audit Management Reference ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Ed. 00 GWIM. Firewall Handbook

Ed. 00 GWIM. Firewall Handbook Ed. 00 GWIM Firewall Handbook COPYRIGHT This manual is proprietary to SAMSUNG Electronics Co., Ltd. and is protected by copyright. No information contained herein may be copied, translated, transcribed

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual

Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual Hillstone StoneOS User Manual Hillstone Unified Intelligence Firewall Installation Manual www.hillstonenet.com Preface Conventions Content This document follows the conventions below: CLI Tip: provides

More information

OneLogin Integration User Guide

OneLogin Integration User Guide OneLogin Integration User Guide Table of Contents OneLogin Account Setup... 2 Create Account with OneLogin... 2 Setup Application with OneLogin... 2 Setup Required in OneLogin: SSO and AD Connector...

More information

SonicWALL Global Management System Reporting Guide Standard Edition

SonicWALL Global Management System Reporting Guide Standard Edition SonicWALL Global Management System Reporting Guide Standard Edition Version 2.8 Copyright Information 2004 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described

More information

Managing the System Event Log

Managing the System Event Log This chapter includes the following sections: System Event Log, page 1 Viewing the System Event Log for an Individual Server, page 2 Viewing the System Event Log for the Servers in a Chassis, page 2 Configuring

More information

Configuring Network Address Translation (NAT)

Configuring Network Address Translation (NAT) 8 Configuring Network Address Translation (NAT) Contents Overview...................................................... 8-3 Translating Between an Inside and an Outside Network........... 8-3 Local and

More information

Trustwave SEG Cloud Customer Guide

Trustwave SEG Cloud Customer Guide Trustwave SEG Cloud Customer Guide Legal Notice Copyright 2015 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying, or decompilation

More information

TIBCO LogLogic Log Management Intelligence (LMI) Configuration and Upgrade Guide

TIBCO LogLogic Log Management Intelligence (LMI) Configuration and Upgrade Guide TIBCO LogLogic Log Management Intelligence (LMI) Configuration and Upgrade Guide Software Release 5.4.2 November 2013 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER

More information

SOA Software API Gateway Appliance 7.1.x Administration Guide

SOA Software API Gateway Appliance 7.1.x Administration Guide SOA Software API Gateway Appliance 7.1.x Administration Guide Trademarks SOA Software and the SOA Software logo are either trademarks or registered trademarks of SOA Software, Inc. Other product names,

More information

WhatsUp Event Alarm v10.x Listener Console User Guide

WhatsUp Event Alarm v10.x Listener Console User Guide WhatsUp Event Alarm v10.x Listener Console User Guide Contents WhatsUp Event Alarm Listener Console Overview Firewall Considerations... 6 Using the WhatsUp Event Alarm Listener Console... 7 Event Alarm

More information

Product Manual. Administration and Configuration Manual

Product Manual. Administration and Configuration Manual Product Manual Administration and Configuration Manual http://www.gfi.com info@gfi.com The information and content in this document is provided for informational purposes only and is provided "as is" with

More information