
New junos rules and decoders #180

Closed
wants to merge 1 commit into from

Conversation

SitoRBJ
Contributor

@SitoRBJ SitoRBJ commented Aug 29, 2018

We have created rules and decoders for Junos IDS.

Examples:

Aug 24 04:58:58 192.168.1.1 junos-ids: 2017-08-24T04:58:58.724Z sis-srx-EUH-03 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.35 attack-name="IP spoofing!" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-id="17" source-zone-name="mpls-untrust" interface-name="intf2.210" action="drop"]


**Phase 1: Completed pre-decoding.
       full event: 'Aug 24 04:58:58 192.168.1.1 junos-ids: 2017-08-24T04:58:58.724Z sis-srx-EUH-03 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.35 attack-name="IP spoofing!" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-id="17" source-zone-name="mpls-untrust" interface-name="intf2.210" action="drop"]'
       timestamp: 'Aug 24 04:58:58'
       hostname: '192.168.1.1'
       program_name: 'junos-ids'
       log: '2017-08-24T04:58:58.724Z sis-srx-EUH-03 RT_IDS - RT_SCREEN_IP [junos@2636.1.1.1.2.35 attack-name="IP spoofing!" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-id="17" source-zone-name="mpls-untrust" interface-name="intf2.210" action="drop"]'

**Phase 2: Completed decoding.
       decoder: 'junos-ids'
       firewall_name: 'sis-srx-EUH-03'
       cat: 'RT_IDS'
       sub_cat: 'RT_SCREEN_IP'
       attack.name: 'IP spoofing!'
       srcip: '192.168.1.1'
       dstip: '192.168.1.2'
       protocol_id: '17'
       source_zone: 'mpls-untrust'
       interface: 'intf2.210'
       action: 'drop'

**Phase 3: Completed filtering (rules).
       Rule id: '200101'
       Level: '10'
       Description: 'Junos IDS: IP spoofing!'
**Alert to be generated.

Sep 23 13:54:55 192.168.1.1 junos-flow: 2017-09-23T13:54:54.803Z sis-srx-mic-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.168.1.1" source-port="1080" destination-address="192.168.1.2" destination-port="8010" service-name="junos-dns-udp" protocol-id="17" icmp-type="0" policy-name="Local-Default-Deny" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="intf2.302" encrypted="UNKNOWN" reason="policy deny"]


**Phase 1: Completed pre-decoding.
       full event: 'Sep 23 13:54:55 192.168.1.1 junos-flow: 2017-09-23T13:54:54.803Z sis-srx-mic-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.168.1.1" source-port="1080" destination-address="192.168.1.2" destination-port="8010" service-name="junos-dns-udp" protocol-id="17" icmp-type="0" policy-name="Local-Default-Deny" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="intf2.302" encrypted="UNKNOWN" reason="policy deny"]'
       timestamp: 'Sep 23 13:54:55'
       hostname: '192.168.1.1'
       program_name: 'junos-flow'
       log: '2017-09-23T13:54:54.803Z sis-srx-mic-01 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.168.1.1" source-port="1080" destination-address="192.168.1.2" destination-port="8010" service-name="junos-dns-udp" protocol-id="17" icmp-type="0" policy-name="Local-Default-Deny" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="intf2.302" encrypted="UNKNOWN" reason="policy deny"]'

**Phase 2: Completed decoding.
       decoder: 'junos-rt-flow'
       firewall_name: 'sis-srx-mic-01'
       cat: 'RT_FLOW'
       subcat: 'RT_FLOW_SESSION_DENY'
       srcip: '192.168.1.1'
       srcport: '1080'
       dstip: '192.168.1.2'
       dstport: '8010'
       service_name: 'junos-dns-udp'
       protocol_id: '17'
       icm_type: '0'
       policy_name: 'Local-Default-Deny'
       source_zone: 'trust'
       destination_zone: 'untrust'
       application: 'UNKNOWN'
       nested_application: 'UNKNOWN'
       username: 'N/A'
       roles: 'N/A'
       packet_incoming_interface: 'intf2.302'
       encrypted: 'UNKNOWN'
       reason: 'policy deny'

**Phase 3: Completed filtering (rules).
       Rule id: '130001'
       Level: '5'
       Description: 'Junos RT flow: RT_FLOW_SESSION_DENY'
**Alert to be generated.

Sep 21 15:25:06 192.168.1.1 junos-flow: 2017-09-21T15:25:06.141Z sis-srx-ICP-01 RT_FLOW - FLOW_MCAST_RPF_FAIL [junos@2636.1.1.1.2.39 interface-name="intf1.326" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-name="udp"]


**Phase 1: Completed pre-decoding.
       full event: 'Sep 21 15:25:06 192.168.1.1 junos-flow: 2017-09-21T15:25:06.141Z sis-srx-ICP-01 RT_FLOW - FLOW_MCAST_RPF_FAIL [junos@2636.1.1.1.2.39 interface-name="intf1.326" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-name="udp"]'
       timestamp: 'Sep 21 15:25:06'
       hostname: '192.168.1.1'
       program_name: 'junos-flow'
       log: '2017-09-21T15:25:06.141Z sis-srx-ICP-01 RT_FLOW - FLOW_MCAST_RPF_FAIL [junos@2636.1.1.1.2.39 interface-name="intf1.326" source-address="192.168.1.1" destination-address="192.168.1.2" protocol-name="udp"]'

**Phase 2: Completed decoding.
       decoder: 'junos-rt-flow'
       firewall_name: 'sis-srx-ICP-01'
       cat: 'RT_FLOW'
       subcat: 'FLOW_MCAST_RPF_FAIL'
       interface: 'intf1.326'
       srcip: '192.168.1.1'
       dstip: '192.168.1.2'
       protocol_name: 'udp'

**Phase 3: Completed filtering (rules).
       Rule id: '130001'
       Level: '5'
       Description: 'Junos RT flow: FLOW_MCAST_RPF_FAIL'
**Alert to be generated.

Kind regards,

Alfonso Ruiz-Bravo
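As an added example (not part of this PR or of the Wazuh ruleset), the Python below reproduces the three logtest phases shown above for two of the sample events: syslog pre-decoding, extraction of the Junos structured-data parameters into the field names the logtest output uses (subcat is used for both decoders; names not listed in FIELD_MAP just get hyphens turned into underscores), and the rule selection the output shows (200101 for junos-ids, 130001 for junos-rt-flow). The regexes, FIELD_MAP and DECODERS table are assumptions for illustration, not the project's decoder XML.

```python
import re
# Sample events constructed from the two log lines quoted in this PR (RFC 1918 addresses as used there).
IDS_EVENT = ('Aug 24 04:58:58 192.168.1.1 junos-ids: 2017-08-24T04:58:58.724Z sis-srx-EUH-03 RT_IDS - '
             'RT_SCREEN_IP [junos@2636.1.1.1.2.35 attack-name="IP spoofing!" source-address="192.168.1.1" '
             'destination-address="192.168.1.2" protocol-id="17" source-zone-name="mpls-untrust" '
             'interface-name="intf2.210" action="drop"]')
FLOW_EVENT = ('Sep 21 15:25:06 192.168.1.1 junos-flow: 2017-09-21T15:25:06.141Z sis-srx-ICP-01 RT_FLOW - '
              'FLOW_MCAST_RPF_FAIL [junos@2636.1.1.1.2.39 interface-name="intf1.326" '
              'source-address="192.168.1.1" destination-address="192.168.1.2" protocol-name="udp"]')

# Phase 1 (pre-decoding): syslog header -> timestamp, hostname, program_name, log (assumed regex shape)
PRE_RE = re.compile(r'^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) '
                    r'(?P<program_name>[\w.-]+): (?P<log>.*)$')
# Phase 2 (decoding): Junos structured-syslog body -> firewall_name, cat, subcat and the [junos@... k="v"] block
LOG_RE = re.compile(r'^\S+ (?P<firewall_name>\S+) (?P<cat>\S+) - (?P<subcat>\S+) \[junos@[\d.]+ (?P<sd>.*)\]$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Junos parameter names renamed in the PR's logtest output; any other name just has '-' replaced by '_'
FIELD_MAP = {"source-address": "srcip", "destination-address": "dstip",
             "source-port": "srcport", "destination-port": "dstport",
             "attack-name": "attack.name", "source-zone-name": "source_zone",
             "destination-zone-name": "destination_zone", "interface-name": "interface"}
DECODERS = {"junos-ids": "junos-ids", "junos-flow": "junos-rt-flow"}  # program_name -> decoder name

def decode(event):
    """Return the decoded fields for one Junos syslog line, or {} if no decoder matches."""
    pre = PRE_RE.match(event)
    if not pre or pre.group("program_name") not in DECODERS:
        return {}
    body = LOG_RE.match(pre.group("log"))
    if not body:
        return {}
    fields = {"decoder": DECODERS[pre.group("program_name")], "firewall_name": body.group("firewall_name"),
              "cat": body.group("cat"), "subcat": body.group("subcat")}
    for key, value in KV_RE.findall(body.group("sd")):
        fields[FIELD_MAP.get(key, key.replace("-", "_"))] = value
    return fields

def match_rule(fields):
    """Phase 3 (rules): the id, level and description the PR's logtest output shows for each decoder."""
    if fields.get("decoder") == "junos-ids":
        return {"id": 200101, "level": 10, "description": "Junos IDS: " + fields.get("attack.name", "")}
    if fields.get("decoder") == "junos-rt-flow":
        return {"id": 130001, "level": 5, "description": "Junos RT flow: " + fields["subcat"]}
    return {}

if __name__ == "__main__":
    for event in (IDS_EVENT, FLOW_EVENT):
        decoded = decode(event)
        print(decoded, match_rule(decoded))
```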

@MiguelCasaresRobles
Member

Hello,

We opened a new PR to rebase this one: #581

Thank you for your collaboration.
