Understanding IDP Service and Application Bindings by Attack Objects

Attack objects can bind to applications and services in different ways:

• Attack objects can bind to an application implicitly and not have a service definition. They bind to an application based on the name of a context or anomaly.
• Attack objects can bind to a service using a service name.
• Attack objects can bind to a service using TCP or UDP ports, ICMP types or codes or RPC program numbers.

Whether the specified application or service binding applies or not depends on the complete attack object definition as well as the IDP policy configuration:

• If you specify an application in an attack object definition, the service field is ignored. The attack object binds to the application instead of the specified service. However, if you specify a service and no application in the attack object definition, the attack object binds to the service. Table 60 summarizes the behavior of application and service bindings with application identification.

  Table 60: Applications and Services with Application Identification

  Attack Object Fields	Binding Behavior	Application Identification
  :application (http) :service (smtp)	Binds to the application HTTP. The service field is ignored.	Enabled
  :service (http)	Binds to the application HTTP.	Enabled
  :service (tcp/80)	Binds to TCP port 80.	Disabled

  For example, in the following attack object definition, the attack object binds to the application HTTP, the application identification is enabled, and the service field SMTP is ignored.

  : (“http-test”
  	  :application (“http”)
  	  :service (“smtp”)
  	  :rectype (signature)
  	  :signature (
  		   :pattern (“.*TERM=xterm; export TERM=xterm; exec bash – i\x0a\x.*”)
  		   :type (stream)
  	  )
  	  :type (attack-ip)
  )
  

• If an attack object is based on service specific contexts (for example, http-url) and anomalies (for example, tftp_file_name_too_long), both application and service fields are ignored. Service contexts and anomalies imply application; thus when you specify these in the attack object, application identification is applied.
• If you configure a specific application in a policy, you overwrite the application binding specified in an attack object. Table 61 summarizes the binding with the application configuration in the IDP policy.

  Table 61: Application Configuration in an IDP Policy

  Application Type in the Policy	Binding Behavior	Application Identification
  Default	Binds to the application or service configured in the attack object definition.	Enabled for application-based attack objects Disabled for service-based attack objects
  Specific application	Binds to the application specified in the attack object definition.	Disabled
  Any	Binds to all applications.	Disabled

• If you specify an application in an IDP policy, the application type configured in the attack object definition and in the IDP policy must match. The policy rule cannot specify two different applications (one in the attack object and the other in the policy).

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• IDP Policies Overview
• Understanding the IDP Signature Database
• Understanding IDP Application Identification
• Disabling JUNOS Software Application Identification (CLI Procedure)
• Example: Configuring IDP Policies for Application Identification (CLI)