
After an install, how can I test that ThreatSTOP is working?

There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:

  1. Does your system pull IPs from our database?
  2. Are the IPs applied to firewall rules?
  3. Do the blocked IPs get logged?
  4. Can the logs be uploaded to our database?
  5. Can steps 1-4 be done automatically?

For all of these commands, log into your device over SSH (for example with PuTTY) or via the console.

  1. Does your system pull IPs from our database?

    To see a list of the current IPs uploaded from our system, you can run:

    root@Juniper-SRX% cli
    root@Juniper-SRX> show configuration policy-options | hold
    


    This will pull up all the IP addresses in your ThreatSTOP prefix rules. Find the ThreatSTOP-block-XX groups. The lower-level groups tend to contain the individual host addresses (/32) that are being blocked by our system. You have now verified that your system can pull IPs from our database. Take a note of one of these IPs; you will use it in step 3.

  2. Are the IPs applied to firewall rules?

    This is a simple check. Run:

    root@Juniper-SRX> show configuration firewall filter ThreatSTOP
    


    which should result in output similar to the following. (Please note that ThreatSTOP is the default filter name for the ThreatSTOP installation. If you changed the name of the filter, use that name in the command above.)
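    As an added example (not part of this article and not ThreatSTOP's own tooling), the following POSIX shell script does what steps 1 and 2 ask you to do by eye: given saved `show configuration` output, it lists the /32 host entries inside the ThreatSTOP-block-XX prefix lists and then checks that every prefix list the ThreatSTOP filter references is actually defined under policy-options. The Junos-style configuration embedded in it is a constructed, abridged sample; the filter's term layout and the way it references the prefix lists are assumptions, since the article does not reproduce the real output. On the device, capture the real text with `show configuration | no-more` and pass that in instead.

```shell
#!/bin/sh
# Added example: checks for steps 1 and 2 against saved "show configuration" output.
# SAMPLE_CONFIG is a constructed, abridged Junos-style configuration, not real device output.
SAMPLE_CONFIG='policy-options {
    prefix-list ThreatSTOP-block-1 {
        192.0.2.10/32;
        192.0.2.11/32;
        198.51.100.0/24;
    }
    prefix-list ThreatSTOP-block-2 {
        203.0.113.5/32;
    }
}
firewall {
    filter ThreatSTOP {
        term block {
            from {
                source-prefix-list {
                    ThreatSTOP-block-1;
                    ThreatSTOP-block-2;
                }
            }
            then {
                log;
                discard;
            }
        }
    }
}'

# Second constructed sample: the filter references a prefix list that policy-options
# never defines. This is the failure mode step 2 should catch.
BROKEN_CONFIG='policy-options {
    prefix-list ThreatSTOP-block-1 {
        192.0.2.10/32;
    }
}
firewall {
    filter ThreatSTOP {
        term block {
            from { source-prefix-list { ThreatSTOP-block-1; ThreatSTOP-block-3; } }
            then { discard; }
        }
    }
}'

# Step 1: print "<prefix-list> <address>/32" for every host entry inside a
# ThreatSTOP-block-* prefix list. Brace depth is tracked so each list ends at its own "}".
blocked_hosts() {
    printf '%s\n' "$1" | awk '
        /prefix-list ThreatSTOP-block-[0-9]+ [{]/ { cur = $2; start = depth }
        /[{]/ { depth++ }
        /[}]/ { depth--; if (cur != "" && depth == start) cur = "" }
        cur != "" && /^[[:space:]]*[0-9.]+\/32;/ { sub(/;.*/, "", $1); print cur " " $1 }
    '
}

# Number of /32 host entries pulled from the ThreatSTOP database.
blocked_host_count() {
    blocked_hosts "$1" | wc -l | tr -d ' '
}

# Step 2: print the prefix lists a given filter references, one per line.
# Assumption: inside the filter, references appear as "ThreatSTOP-block-N;" tokens.
filter_prefix_lists() {
    printf '%s\n' "$2" | awk -v f="$1" '
        $1 == "filter" && $2 == f { infilter = 1; start = depth }
        /[{]/ { depth++ }
        /[}]/ { depth--; if (infilter && depth == start) infilter = 0 }
        infilter && /ThreatSTOP-block-[0-9]+;/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^ThreatSTOP-block-[0-9]+;$/) { sub(/;/, "", $i); print $i }
        }
    '
}

# Return 0 when every prefix list the filter references is defined under policy-options,
# 1 (naming the missing list on stderr) otherwise.
filter_lists_defined() {
    filter=$1
    cfg=$2
    for pl in $(filter_prefix_lists "$filter" "$cfg"); do
        printf '%s\n' "$cfg" | grep -q "prefix-list $pl {" || {
            echo "filter $filter references undefined prefix-list $pl" >&2
            return 1
        }
    done
    return 0
}

# Usage with real output: blocked_hosts "$(cat saved-config.txt)"
echo "host entries: $(blocked_host_count "$SAMPLE_CONFIG")"
blocked_hosts "$SAMPLE_CONFIG"
filter_lists_defined ThreatSTOP "$SAMPLE_CONFIG" && echo "ThreatSTOP filter references only defined prefix lists"
filter_lists_defined ThreatSTOP "$BROKEN_CONFIG" || echo "broken sample detected as expected"
```

    The host count is the quickest sanity check for step 1: if it is zero, the device never pulled anything from the database. A filter that references an undefined prefix list is the case step 2 is really looking for, because the filter can exist and still block nothing.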

  3. Do the blocked IPs get logged?

    Now run:

    root@Juniper-SRX> show configuration system syslog
    


    and the output should be similar to:


    In this case, 12.10.10.146.log is the name of the log file.

    Then run:

    root@Juniper-SRX% ls -l /cf/var/log
    


    and note the size of the log file (in this case 12.10.10.146.log). Then ping the IP address you wrote down from your ThreatSTOP-block-XX group. You should get 100% packet loss.

    To see if the block has been logged, you can now run

    root@Juniper-SRX% ls -l /cf/var/log
    


    again to check that the log file has grown in size.
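    Added example, not from the article: a POSIX shell helper that automates the before/after comparison in step 3. It pulls a file's size out of `ls -l` output, extracts the loss percentage from a ping summary line, and reports the test as passed only when the ping showed 100% loss and the log file grew. The `ls -l` lines and ping summaries embedded below are constructed samples (the log file name 12.10.10.146.log is the one used in this article); on the device you would substitute the real `ls -l /cf/var/log` and ping output.

```shell
#!/bin/sh
# Added example: automate the size-before / ping / size-after check from step 3.
# Constructed sample "ls -l /cf/var/log" output before and after the ping (not real device output).
LS_BEFORE='total 48
-rw-r-----  1 root  wheel   10240 Jan 10 12:00 12.10.10.146.log
-rw-r-----  1 root  wheel  204800 Jan 10 11:55 messages'
LS_AFTER='total 49
-rw-r-----  1 root  wheel   10752 Jan 10 12:03 12.10.10.146.log
-rw-r-----  1 root  wheel  204800 Jan 10 11:55 messages'

# Constructed ping summary lines: BSD-style (as the Junos shell prints) and Linux-style.
PING_BLOCKED='3 packets transmitted, 0 packets received, 100.0% packet loss'
PING_REPLIED='3 packets transmitted, 3 received, 0% packet loss, time 2003ms'

# Size in bytes of a named file from "ls -l" output (field 5); empty if the file is absent.
ls_size() {
    printf '%s\n' "$1" | awk -v name="$2" '$NF == name { print $5 }'
}

# Whole-number packet-loss percentage from a ping summary line ("100.0%" -> 100, "0%" -> 0).
packet_loss() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p'
}

# Return 0 when the ping was fully blocked and the log file grew, 1 otherwise.
# Arguments: log file name, ls output before, ping summary line, ls output after.
block_logged() {
    before=$(ls_size "$2" "$1")
    after=$(ls_size "$4" "$1")
    loss=$(packet_loss "$3")
    [ -n "$before" ] && [ -n "$after" ] || { echo "log file $1 not found" >&2; return 1; }
    [ "$loss" = "100" ] || { echo "ping was not fully blocked (${loss}% loss)" >&2; return 1; }
    [ "$after" -gt "$before" ] || { echo "log did not grow ($before -> $after bytes)" >&2; return 1; }
    echo "block logged: $1 grew from $before to $after bytes"
    return 0
}

block_logged 12.10.10.146.log "$LS_BEFORE" "$PING_BLOCKED" "$LS_AFTER"
block_logged 12.10.10.146.log "$LS_BEFORE" "$PING_REPLIED" "$LS_AFTER" || echo "as expected: ping was not blocked"
```

    The two failure paths matter as much as the success path: a ping that gets replies means the IP is not in the filter (step 2 has failed), while 100% loss with no log growth means the filter discards without logging, which is exactly what step 3 is meant to expose.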

  4. Can the logs be uploaded to our database?

    Unlike most other devices, Juniper has a function that allows syslog files to be uploaded to an FTP site, as seen in the syslog configuration above. We will now temporarily change the transfer interval to Juniper's minimum of five minutes. Please note that your log file name will be different on your device. You should run:

    root@Juniper-SRX> configure
    root@Juniper-SRX# edit system syslog file 12.10.10.146.log
    [edit system syslog file 12.10.10.146.log]
    root@Juniper-SRX# set archive transfer-interval 5
    [edit system syslog file 12.10.10.146.log]
    root@Juniper-SRX# commit confirmed 8
    [edit system syslog file 12.10.10.146.log]
    root@Juniper-SRX# exit
    root@Juniper-SRX# exit
    


    To verify the change has been committed:

    root@Juniper-SRX> show configuration system syslog


    After five minutes, you can check that a log rotation has run:

    root@Juniper-SRX> exit
    root@Juniper-SRX% ls -l /cf/var/log
    


    You should notice something similar to:

    There should now be multiple files whose names begin with, in this case, 12.10.10.146.log. The file ending in .0.gz is the most recently uploaded file. Because the commit was confirmed for 8 minutes, the original transfer interval will revert automatically after 8 minutes.


  5. Can steps 1-4 be done automatically?

    As we have seen from the previous test, logs are uploaded at regular intervals. To see whether the Juniper device can update its filters when there is a change in your policy, you can run:

    root@Juniper-SRX% crontab -l
    


    The result should be similar to:


    To make sure the script can run, copy the command from the crontab entry and run it in DEBUG mode:

    root@Juniper-SRX% /bin/sh /root/ts-jfilter/tsupdate.sh DEBUG
    

    You have now completed the Juniper testing activities. Should any of the steps not work, please email support@threatstop.com.
