[j-nsp] AppSecure AppTrack

Thu Oct 17 01:28:40 EDT 2013

Thanks Asad and Peter.

I can see no traffic is being exported from the SRX by checking the
security flow session.  Below is my configuration just to make sure this
how you make it work with syslog server.

[edit]
admin at RFW1# show security log
mode stream;
format sd-syslog;
source-address 10.0.254.1;
stream IDP-DATA {
    host {
        10.1.112.2;
    }
}

[edit]
admin at RFW1# run show security flow session destination-prefix 10.1.112.2
Total sessions: 0

admin at RFW1# run ping 10.1.112.2 source 10.0.254.1
PING 10.1.112.2 (10.1.112.2): 56 data bytes
64 bytes from 10.1.112.2: icmp_seq=0 ttl=63 time=7.899 ms
64 bytes from 10.1.112.2: icmp_seq=1 ttl=63 time=9.984 ms
64 bytes from 10.1.112.2: icmp_seq=2 ttl=63 time=3.236 ms

the reachability between the syslog and source is working fine. not sure
why it's not exporting.

Regards,

2013/10/17 Asad Raza <asadgardezi at gmail.com>

> Hi,
>
> The configuration you specified is good enough to send APPTRACK logs to
> syslog server. You may verify using wireshark whether you are actually
> receiving those or not.As mentioned by Wood,log message will start with
> APPTRACK_SESSION_.
>
> You may view these logs in any syslog server. however you'll need an SIEM
> like STRM to normalize the events and generate reports based on these logs.
> About NFSEN, I'm not sure as I haven't used it.
>
> Regards,
>
> Asad
> JNCIE-SEC#118
> Juniper Networks.
>
>
> On Wed, Oct 16, 2013 at 7:00 PM, Wood, Peter (ISS) <p.wood at lancaster.ac.uk
> > wrote:
>
>> > 1. Anyone used to setup NFSEN for this ?
>>
>> Nfsen doesn't know how to interpret the syslog data sent by the SRX, in
>> either format (syslog or sd-syslog). Additionally Nfsen doesn't have fields
>> to store the more interesting data on disk (L7 app/nested app).
>>
>> >2. Anyway to see that FW is sending the collected data to server ?
>>
>> monitor traffic will probably show it as it's sourced by the RE, failing
>> that tcpdump on the receiving server.
>>
>> I've been working on a project on and off for about six months which
>> takes this data (well actually the sd-syslog format variant), rebuilds the
>> firewalls flow table and then exports NetFlow v9 from it (though still
>> throws away the AppTrack info). It actually uses RT_FLOW as well as
>> APPTRACK_ messages, and needs logging init/close on all policies it to work
>> well.
>>
>> We're having good success on a SRX 3600 cluster with sd-syslog in stream
>> mode from the SPU's directly, though currently we're waiting for PR#924941
>> to be fixed due to a session-id-32 inconsistency between the message types.
>> 250k concurrent flows with 15k updates/second in a 2Gb java process. I do
>> intend to release it OSS, but the project internals are in a state of flux
>> as I rework ideas and as such I wouldn't curse anyone with it.
>>
>> If you're really keen on nfsen for now jflow would give you the basic IP
>> info, failing that Splunk/greylog might do in the short term?
>>
>> P.
>> --
>> Peter Wood
>> Network Security Specialist
>> Information Systems Services
>> Lancaster University
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>