[j-nsp] AppSecure AppTrack

Asad Raza asadgardezi at gmail.com
Wed Oct 16 20:08:49 EDT 2013


Hi,

The configuration you specified is good enough to send APPTRACK logs to a
syslog server. You may verify using Wireshark whether you are actually
receiving them or not. As mentioned by Wood, the log messages will start with
APPTRACK_SESSION_.

You may view these logs in any syslog server; however, you'll need a SIEM
like STRM to normalize the events and generate reports based on these logs.
About NFSEN, I'm not sure as I haven't used it.

Regards,

Asad
JNCIE-SEC#118
Juniper Networks.


On Wed, Oct 16, 2013 at 7:00 PM, Wood, Peter (ISS)
<p.wood at lancaster.ac.uk> wrote:

> > 1. Anyone used to setup NFSEN for this ?
>
> Nfsen doesn't know how to interpret the syslog data sent by the SRX, in
> either format (syslog or sd-syslog). Additionally Nfsen doesn't have fields
> to store the more interesting data on disk (L7 app/nested app).
>
> >2. Anyway to see that FW is sending the collected data to server ?
>
> monitor traffic will probably show it as it's sourced by the RE, failing
> that tcpdump on the receiving server.
>
> I've been working on a project on and off for about six months which takes
> this data (well actually the sd-syslog format variant), rebuilds the
> firewall's flow table and then exports NetFlow v9 from it (though still
> throws away the AppTrack info). It actually uses RT_FLOW as well as
> APPTRACK_ messages, and needs logging init/close on all policies for it to
> work well.
>
> We're having good success on a SRX 3600 cluster with sd-syslog in stream
> mode from the SPUs directly, though currently we're waiting for PR#924941
> to be fixed due to a session-id-32 inconsistency between the message types.
> 250k concurrent flows with 15k updates/second in a 2Gb java process. I do
> intend to release it OSS, but the project internals are in a state of flux
> as I rework ideas and as such I wouldn't curse anyone with it.
>
> If you're really keen on nfsen for now jflow would give you the basic IP
> info, failing that Splunk/greylog might do in the short term?
>
> P.
> --
> Peter Wood
> Network Security Specialist
> Information Systems Services
> Lancaster University
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
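As an added illustration (not code from either poster), the check below does on the receiving server what the thread describes: it picks out the APPTRACK_SESSION_* messages from a syslog feed, pulls the key="value" pairs out of the sd-syslog structured-data block, and reports whether each session-id-32 was seen opened and closed. The sample lines and the field names inside the brackets are constructed for this example and are assumptions, not taken from the page or from Juniper documentation.

```python
import re
from collections import Counter

# Constructed sample input in SRX structured-syslog (sd-syslog) form.
# Field names such as source-address or bytes-from-client are assumed for
# illustration; only the APPTRACK_SESSION_ prefix, RT_FLOW and session-id-32
# come from the thread above.
SAMPLE_LINES = [
    '<14>1 2013-10-16T19:00:00Z srx RT_FLOW - APPTRACK_SESSION_CREATE '
    '[junos@2636.1.1.1.2.26 source-address="10.0.0.5" destination-address="192.0.2.10" '
    'application="HTTP" nested-application="UNKNOWN" session-id-32="12345"]',
    '<14>1 2013-10-16T19:00:05Z srx RT_FLOW - APPTRACK_SESSION_VOL_UPDATE '
    '[junos@2636.1.1.1.2.26 session-id-32="12345" bytes-from-client="2048"]',
    '<14>1 2013-10-16T19:00:09Z srx RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.26 session-id-32="12345" reason="TCP FIN"]',
    '<14>1 2013-10-16T19:00:10Z srx RT_FLOW - APPTRACK_SESSION_CREATE '
    '[junos@2636.1.1.1.2.26 source-address="10.0.0.6" session-id-32="12346"]',
    # Unrelated line: must be ignored, not counted as AppTrack traffic.
    'Oct 16 19:00:11 srx sshd[123]: Accepted publickey for admin',
]

MSG_RE = re.compile(r'\b(APPTRACK_SESSION_[A-Z_]+)\b')   # message type after RT_FLOW
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')                 # key="value" pairs in the SD block

def parse_apptrack(line):
    """Return (message_type, fields) for an APPTRACK_SESSION_* line, else None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(KV_RE.findall(line))

def summarize(lines):
    """Count each AppTrack message type and record which types each session produced."""
    counts = Counter()
    sessions = {}
    for line in lines:
        parsed = parse_apptrack(line)
        if parsed is None:
            continue
        mtype, fields = parsed
        counts[mtype] += 1
        sid = fields.get("session-id-32")
        if sid:
            sessions.setdefault(sid, set()).add(mtype)
    return counts, sessions

def unclosed_sessions(sessions):
    """Session ids with a CREATE but no CLOSE: a sign that close logging is missing on a policy."""
    return sorted(sid for sid, types in sessions.items()
                  if "APPTRACK_SESSION_CREATE" in types and "APPTRACK_SESSION_CLOSE" not in types)
```

If `summarize` returns an empty counter on a live feed while tcpdump shows UDP arriving, the problem is the message format, not delivery.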