Defining New Applications

29-Jul-21

JSA shows the name of the flow application on the Network Activity and Offenses tabs. You can define new applications or change the name that is shown for existing applications.

When you specify an application, the <appid> number must be unique. For custom applications, assign numbers that are in the 15,000 - 20,000 range. Within each application, you can define up to five levels of categorization, but JSA displays only the first three categories.

You can use the flow applications API to manage the mapping of application IDs to application names.

Always configure the applications in the staged configuration area, which can be accessed by using the following API endpoint:

  • staged_config/flow/applications/active_applications

After you update the application configuration in the staged configuration area, you must deploy the changes to propagate the updates to the system. After the changes are deployed, you can use the following endpoints to access the flow applications in the deployed configuration:

  • config/flow/applications/active_applications

    The active configuration shows the list of applications that are currently in use.

  • config/flow/applications/default_applications

    The default application list is read-only. Default applications are provided as a system backup in case the configuration for an active flow application is deleted or changed.

To manage the flow application mappings in earlier versions of JSA, you must manually edit the apps.conf file. When you define new applications in the apps.conf file, use the following syntax:

<appname><appid>

Each application can have up to five levels of categorization. Each level, including an empty one, is followed by a number sign (#), so a complete entry contains five number signs and the application ID follows the last of them. If an application contains fewer than five categories, leave the missing levels empty but keep their number signs.

For example, to add Authentication#Radius-1646####51343 (two categories, three empty levels, application ID 51343), insert the line in alphabetical order as follows:

Authentication#Radius-1645####51342
Authentication#Radius-1646####51343 <- inserted application
Authentication#Radius-1812####51344
Authentication#Radius-1813####51345
  1. To change the application mappings in JSA 7.4.3, use the RESTful API.

    1. Access the interactive API documentation interface by entering the following URL in your web browser:

      https://ConsoleIPaddress/api_doc/
    2. Select API version 16, and go to the staged configuration endpoint:

      /api/staged_config/flow/applications/active_applications
    3. Complete the request parameters.

      For example, you might POST the following parameters:

      {
        "id": 15001,
        "level_one": "String",
        "level_two": "String",
        "level_three": "String",
        "level_four": "String",
        "level_five": "String"
      }
    4. Click Try it out to send the API request to your console and receive a properly formatted HTTPS response.

      Note:

      When you click Try it out, the action runs in the staging area on the JSA system. Active applications that are in the staged configuration area are not yet deployed.

  2. To change application mappings in JSA 7.4.2 and earlier, edit the apps.conf file.

    1. Using SSH, log in to JSA as the root user.

    2. Edit the following file:

      /store/configservices/staging/globalconfig/apps.conf

    3. Insert the new applications, in alphabetical order.

    4. Save and exit the file.

  3. Log in to JSA as an administrator.

  4. Click the Admin tab.

  5. On the toolbar, click Deploy Changes.
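The apps.conf format and the staged_config JSON body above describe the same record in two forms. The following script is an added example written for this page, not Juniper code: it parses apps.conf lines into their five levels and ID, enforces the uniqueness and 15,000 - 20,000 rules, inserts a new entry in alphabetical order, and builds the matching API body. It assumes the file is plain text with one entry per line and already sorted, and that unused levels are sent to the API as empty strings; the sample entries are the ones shown on this page plus one constructed custom application.

```python
import bisect
import re
from typing import Dict, List, Tuple

LEVELS = 5                              # up to five levels of categorisation
CUSTOM_ID_RANGE = range(15000, 20001)   # custom application IDs, inclusive

# <appname><appid>: five levels, each terminated by '#' (empty levels allowed),
# followed immediately by the numeric application ID.
_ENTRY = re.compile(r"^(?P<name>(?:[^#]*#){5})(?P<appid>\d+)$")


def parse_entry(line: str) -> Tuple[List[str], int]:
    """Split one apps.conf line into its five category levels and its ID."""
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"malformed apps.conf entry: {line!r}")
    return m.group("name")[:-1].split("#"), int(m.group("appid"))


def format_entry(levels: List[str], appid: int) -> str:
    """Build an apps.conf line, padding missing levels with empty strings."""
    if not 1 <= len(levels) <= LEVELS or any("#" in lvl for lvl in levels):
        raise ValueError("1 to 5 levels required, none may contain '#'")
    padded = list(levels) + [""] * (LEVELS - len(levels))
    return "#".join(padded) + "#" + str(appid)


def load_apps(text: str) -> Dict[int, List[str]]:
    """Parse a whole file; application IDs must be unique."""
    apps: Dict[int, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        levels, appid = parse_entry(line)
        if appid in apps:
            raise ValueError(f"duplicate application ID {appid}")
        apps[appid] = levels
    return apps


def add_application(text: str, levels: List[str], appid: int) -> str:
    """Return the file text with a new custom application inserted in order."""
    if appid not in CUSTOM_ID_RANGE:
        raise ValueError(f"custom IDs must be in 15000-20000, got {appid}")
    if appid in load_apps(text):
        raise ValueError(f"application ID {appid} already exists")
    lines = [l for l in text.splitlines() if l.strip()]
    bisect.insort(lines, format_entry(levels, appid))   # file assumed sorted
    return "\n".join(lines) + "\n"


def api_payload(levels: List[str], appid: int) -> Dict[str, object]:
    """Same application as a body for staged_config/flow/applications/
    active_applications (assumption: unused levels are empty strings)."""
    names = ["level_one", "level_two", "level_three", "level_four", "level_five"]
    padded = list(levels) + [""] * (LEVELS - len(levels))
    body: Dict[str, object] = {"id": appid}
    body.update(zip(names, padded))
    return body


# Constructed sample built from the entries shown on this page.
SAMPLE_APPS_CONF = """Authentication#Radius-1645####51342
Authentication#Radius-1646####51343
Authentication#Radius-1812####51344
Authentication#Radius-1813####51345
"""

if __name__ == "__main__":
    new = ["Authentication", "Kerberos-88"]        # hypothetical custom app
    print(add_application(SAMPLE_APPS_CONF, new, 15001))
    print(api_payload(new, 15001))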

After you define the new applications, update the application mapping and application signatures files so that flows are assigned to them.

Defining Application Mappings

To identify application signatures, create user-defined application mappings that are based on the IP address and port number.

You must add the new application IDs. For more information, see Defining New Applications.

When you update the application mapping file, follow these guidelines:

  • Each line in the file indicates a mapped application. You can specify multiple mappings, each on a separate line, for the same application.

  • You can specify a wildcard character (*) for any field. Use the wildcard character alone, and not as part of a comma-separated list. The wildcard character indicates that the field applies to all flows.

  • You can associate a flow with multiple mappings. A flow is mapped to an application ID based on the mapping order in the file. The first mapping that applies in the file is assigned to the flow.

  • When you add new application ID numbers, each ID must be new and unique. The application ID number must not already exist in the apps.conf file. Use numbers in the 15,000 - 20,000 range for custom applications.

  • The format of the entry must resemble the following syntax:

    <New_ID> <Old_ID> <Source_IP_Address>:<Source_Port> <Dest_IP_Address>:<Dest_Port> <Name>

    <New_ID> specifies the application ID you want to assign to the flow. A value of 1 indicates an unknown application. If the ID you want to assign does not exist, you must create the ID in the apps.conf file. For more information, see Defining New Applications.

    <Old_ID> specifies the default application ID of the flow, as assigned by JSA. A value of * indicates a wildcard character. A value of 0 or 1 indicates an application that has not been identified by another algorithm. If multiple application IDs are assigned, the application IDs are separated by commas.

  • If a wildcard character for <Old_ID> is not appropriate, or the application is currently being classified under another ID, determine that application ID by following these steps:

    1. Log in to the JSA interface.

    2. Click the Network Activity tab.

    3. Pause the live stream and filter to find the flow that is misclassified.

    4. Double-click the affected flow.

    5. Hover over the value for the Application field to see ID and Desc. This ID can then be used in application mapping rules.

Table 1: Application IDs

  • <Source_IP_Address>: the source IP address of the flow. Values: a comma-separated list of addresses or CIDR values, or * to match all flows.

  • <Source_Port>: the associated source port. Values: a comma-separated list of ports or ranges in the format <lower_port_number>-<upper_port_number>, or * to match all flows.

  • <Dest_IP_Address>: the destination IP address of the flow. Values: a comma-separated list of addresses or CIDR values, or * to match all flows.

  • <Dest_Port>: the associated destination port. Values: a comma-separated list of ports or ranges in the format <lower_port_number>-<upper_port_number>, or * to match all flows.

  • <Name>: a name that you want to assign to this mapping. Optional.

The following example line from the mapping file user_application_mapping.conf assigns the new ID 15000 to flows that the JSA flow processor classified as application 1010, when the flow originates from the 10.100.100/24 subnet or the host 10.100.50.10 and is destined for 172.14.33.33 on either port 80 or port 443:

15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443

The following example assigns the name AllowedWebTypeA to the two mappings for application ID 1010, and defines a new application, ID 15100 (GameX), for any traffic to destination port 33333 or a range of destination ports on specific addresses, as well as for flows that JSA classified as application 1, 34803 or 34809:

Note:

Due to PDF formatting, do not copy and paste the message formats directly into the interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the interface.

15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA
15100 * *:33333 10.35.20/24,10.33/16,10.77.34.12:33333,33350-33400 GameX
15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX

The following example assigns new application IDs and names to flows that JSA classified as one of three application IDs, one of which is the unknown-application identifier (1). Each line matches on the destination port only, for traffic from any source to any destination:

21200 1,34803,34809 *:* *:123 ntp
34731 1,34803,34809 *:* *:1241 Nessus
2001 1,34803,34809 *:* *:1214 Kazaa
  1. Use SSH to log in to JSA as the root user.

  2. Access the Network Activity tab.

  3. To determine the default application IDs, hover your mouse pointer over the application field for a flow that is associated with the application you want to update.

  4. Choose one of the following options:

    • Open the following file:

      /store/configservices/staging/globalconfig/user_application_mapping.conf

    • If the user_application_mapping.conf does not exist in your system, create the file and place the empty file in the following directory: /store/configservices/staging/globalconfig/

  5. Update the file, as necessary.

  6. Save and exit the file.

  7. Log in to the JSA user interface.

  8. Click the Admin tab.

  9. Click Deploy Changes.
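Because the first matching line wins and a wildcard is only valid on its own, a mapping file is easy to get subtly wrong. The following evaluator is an added example written for this page, not Juniper code. It parses user_application_mapping.conf lines, rejects a * mixed into a comma list, and classifies a constructed flow by the first matching line. Two points are assumptions rather than documented behaviour: the truncated CIDR shorthand used in the page's examples (10.100.100/24, 10.33/16) is expanded by zero-filling the missing octets, and a bare address without a mask is treated as a /32. The sample file is the page's example lines with the wrapped GameX line rejoined.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Nets = Optional[List[ipaddress.IPv4Network]]    # None means '*'
Ports = Optional[List[Tuple[int, int]]]         # None means '*'


@dataclass
class Flow:
    old_id: int        # ID JSA assigned; 0 or 1 means not identified
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    new_id: int
    old_ids: Optional[Set[int]]
    src_nets: Nets
    src_ports: Ports
    dst_nets: Nets
    dst_ports: Ports
    name: str = ""


def _items(field: str) -> Optional[List[str]]:
    """Split a comma list; '*' is only valid on its own."""
    parts = field.split(",")
    if "*" in parts:
        if len(parts) != 1:
            raise ValueError(f"'*' must be used alone, not in a list: {field!r}")
        return None
    return parts


def _network(token: str) -> ipaddress.IPv4Network:
    """Assumption: 10.33/16 -> 10.33.0.0/16, bare address -> /32."""
    addr, _, plen = token.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address {token!r}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{addr}/{plen or 32}", strict=False)


def _port_range(token: str) -> Tuple[int, int]:
    lo, _, hi = token.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {token!r}")
    return lo_i, hi_i


def _endpoint(field: str) -> Tuple[Nets, Ports]:
    ips, sep, ports = field.rpartition(":")
    if not sep:
        raise ValueError(f"endpoint must be <ip>:<port>: {field!r}")
    nets, prts = _items(ips), _items(ports)
    return (None if nets is None else [_network(n) for n in nets],
            None if prts is None else [_port_range(p) for p in prts])


def parse_mapping(line: str) -> Mapping:
    """<New_ID> <Old_ID> <src_ip>:<src_port> <dst_ip>:<dst_port> [<Name>]"""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"too few fields: {line!r}")
    old = _items(tokens[1])
    src_nets, src_ports = _endpoint(tokens[2])
    dst_nets, dst_ports = _endpoint(tokens[3])
    return Mapping(int(tokens[0]), None if old is None else {int(i) for i in old},
                   src_nets, src_ports, dst_nets, dst_ports, " ".join(tokens[4:]))


def load_mappings(text: str) -> List[Mapping]:
    return [parse_mapping(l) for l in text.splitlines() if l.strip()]


def _in_nets(ip: str, nets: Nets) -> bool:
    return nets is None or any(ipaddress.IPv4Address(ip) in n for n in nets)


def _in_ports(port: int, ports: Ports) -> bool:
    return ports is None or any(lo <= port <= hi for lo, hi in ports)


def classify(flow: Flow, mappings: List[Mapping]) -> Tuple[int, str]:
    """(application ID, name): first matching line wins; an unmatched flow
    keeps the ID JSA already assigned."""
    for m in mappings:
        if ((m.old_ids is None or flow.old_id in m.old_ids)
                and _in_nets(flow.src_ip, m.src_nets) and _in_ports(flow.src_port, m.src_ports)
                and _in_nets(flow.dst_ip, m.dst_nets) and _in_ports(flow.dst_port, m.dst_ports)):
            return m.new_id, m.name
    return flow.old_id, ""


# Constructed sample file from the page's example lines (wrapped line rejoined).
SAMPLE_MAPPING_CONF = """\
15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA
15100 * *:33333 10.35.20/24,10.33/16,10.77.34.12:33333,33350-33400 GameX
15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX
21200 1,34803,34809 *:* *:123 ntp
"""
MAPPINGS = load_mappings(SAMPLE_MAPPING_CONF)

if __name__ == "__main__":
    for f in (Flow(1010, "10.100.100.7", 51234, "172.14.33.33", 443),
              Flow(1, "192.0.2.9", 40000, "198.51.100.5", 123)):
        print(f, "->", classify(f, MAPPINGS))
```

Running the script against a proposed mapping file with a handful of flows copied from the Network Activity tab is a cheap way to confirm the line order does what you intend before you click Deploy Changes.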

Defining Application Signatures

Use the application signatures file to create IP address and content-based rules that assign application IDs to flows that JSA does not automatically detect.

The application signatures file is a definition file that the primary JSA console distributes to all JSA Flow Processors. The file includes source and destination ports and port ranges.

The application signatures file includes the following characteristics:

  • Hex content is delimited with the pipe character (|):

    The following two rules match the same bytes, because 0x47 0x45 0x54 is ASCII "GET":

     <dstcontent offset="0" depth="4">|47 45 54|</dstcontent>
     <dstcontent offset="0" depth="4">GET</dstcontent>
  • A flow can be associated with multiple signatures. A flow is mapped to an application ID based on the signature order in the file. The first signature that applies in the file is assigned to the flow.

  • When you edit the signatures.xml file, the data that is inserted between the XML tags is case-sensitive. For example, when you specify TCP within the XML tags, enter the value with all capital letters.

  • Modifying or removing existing signatures is not supported. Any changes made to the signatures will be restored on the next JSA Auto Update. If any signature is consistently classifying flows incorrectly, please contact Juniper Customer Support.

  • To make a signature unique and not to be overwritten by JSA Auto Update, the "appid" and "sigid" pair should be unique.

The following code is an example of a Signatures.xml file:

<signatures> 
  <signature>
   <appid>1009</appid> 
   <appname>IMAP</appname>
   <groupname>Mail</groupname>   
   <colour>#ff0000</colour>  
   <description>IMAP traffic</description>
   <revision>1</revision>
   <protocol>TCP</protocol>
   <srcip>any</srcip>
   <srcport>any</srcport>
   <dstip>any</dstip>
   <dstport>any</dstport>
   <commondstport>143</commondstport>
   <srccontent offset="0" depth="128" ignorecase="true">LOGIN</srccontent>
   <dstcontent offset="0" depth="5">* OK</dstcontent>
   <weight>30</weight> 
  </signature>
</signatures>
  1. Use SSH to log in to JSA as the root user.

  2. To change to the globalconfig directory, type the following command:

    cd /store/configservices/staging/globalconfig

  3. Open the following file:

    signatures.xml

  4. Make the necessary changes using the following parameters:

    Table 2: Application Signatures Default Parameters

      • appid: a unique ID for each application that you want to define. Use numbers in the 15,000 - 20,000 range for custom applications.

      • appname: the name of the application. The application name is shown in the Network Activity and Offenses tabs.

      • groupname: the group name for the application. Used only with the automatic generation script.

      • description: the long description of the application and any notes that apply to the particular signature.

      • revision: used for version control.

      • protocol: the transport protocol, entered in capital letters (for example, TCP). If the same signature is required for more than one protocol, define a second signature for the other protocol.

      • srcip: the specific source IP address. Define a separate signature for each additional source IP address.

      • srcport: the specific source port for the signature. Define a separate signature for each additional source port.

      • dstip: the specific destination IP address. Define a separate signature for each additional destination IP address.

      • dstport: the specific destination port on which the signature is evaluated. Define a separate signature for each additional destination port.

      • commondstport: the destination port that is most commonly associated with the application.

      • commonsrcport: the source port that is most commonly associated with the application.

      • srccontent offset="<offset>" depth="<depth>": <offset> is the byte position in the source payload where the search begins. If no value is specified, the default is 0. <depth> is the number of bytes, counted from <offset>, that are searched. For example, <srccontent offset="5" depth="10"> searches bytes 5 through 15 of the payload.

      • dstcontent offset="<offset>" depth="<depth>": the same search, applied to the destination payload. For example, <dstcontent offset="5" depth="10"> searches bytes 5 through 15 of the payload.

      • weight: the weight that you want to assign to this application. The weight influences any rules and offenses that are created from data that uses this application. Increasing the weight increases the magnitude of an offense when it is created.

  5. Save and exit the file.

  6. Log in to JSA.

  7. Click the Admin tab.

  8. Click Deploy Changes.
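The parts of a signature that are easiest to get wrong are the pipe-delimited hex content, the offset/depth window, and the case-sensitive element values. The following matcher is an added example written for this page, not Juniper code: it loads a signatures.xml fragment and classifies constructed payloads by the first signature that matches. Several behaviours are assumptions rather than documented: srccontent is compared against bytes sent by the source and dstcontent against bytes sent by the destination, content matching is a substring search within the [offset, offset+depth) window, and srcport/dstport accept either any or a single exact port. The sample file is the page's IMAP signature plus a hypothetical custom application (ID 15002, CustomWeb) that keys on the hex form of GET.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContentRule:
    pattern: bytes          # decoded content: hex between pipes, else literal
    offset: int             # first payload byte that is searched
    depth: Optional[int]    # bytes searched from offset; None = to the end
    ignorecase: bool


@dataclass
class Signature:
    appid: int
    appname: str
    protocol: str           # compared exactly: "TCP" matches, "tcp" does not
    srcport: str            # "any" or a single port (assumption)
    dstport: str
    srccontent: Optional[ContentRule]
    dstcontent: Optional[ContentRule]


def decode_content(text: str) -> bytes:
    """Text between pipe characters is hex bytes; everything else is literal."""
    chunks = text.split("|")
    if len(chunks) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content: {text!r}")
    out = bytearray()
    for i, chunk in enumerate(chunks):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def _rule(elem: Optional[ET.Element]) -> Optional[ContentRule]:
    if elem is None:
        return None
    depth = elem.get("depth")
    return ContentRule(decode_content(elem.text or ""), int(elem.get("offset", "0")),
                       int(depth) if depth else None,
                       elem.get("ignorecase", "false").lower() == "true")


def load_signatures(xml_text: str) -> List[Signature]:
    """Parse <signatures>; file order is preserved because the first match wins."""
    sigs = []
    for s in ET.fromstring(xml_text).findall("signature"):
        sigs.append(Signature(int(s.findtext("appid")), s.findtext("appname", ""),
                              s.findtext("protocol", "any"), s.findtext("srcport", "any"),
                              s.findtext("dstport", "any"),
                              _rule(s.find("srccontent")), _rule(s.find("dstcontent"))))
    return sigs


def _content_ok(rule: Optional[ContentRule], payload: bytes) -> bool:
    if rule is None:
        return True
    end = None if rule.depth is None else rule.offset + rule.depth
    window, pat = payload[rule.offset:end], rule.pattern
    if rule.ignorecase:
        window, pat = window.lower(), pat.lower()
    return pat in window


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def classify(protocol: str, src_port: int, dst_port: int, src_payload: bytes,
             dst_payload: bytes, sigs: List[Signature]) -> Optional[Tuple[int, str]]:
    """(appid, appname) of the first matching signature, or None."""
    for s in sigs:
        if ((s.protocol == "any" or s.protocol == protocol)
                and _port_ok(s.srcport, src_port) and _port_ok(s.dstport, dst_port)
                and _content_ok(s.srccontent, src_payload)
                and _content_ok(s.dstcontent, dst_payload)):
            return s.appid, s.appname
    return None


# Constructed signatures.xml: the page's IMAP signature plus a hypothetical custom app.
SAMPLE_SIGNATURES_XML = """<signatures>
  <signature>
    <appid>1009</appid><appname>IMAP</appname><protocol>TCP</protocol>
    <srcport>any</srcport><dstport>any</dstport>
    <srccontent offset="0" depth="128" ignorecase="true">LOGIN</srccontent>
    <dstcontent offset="0" depth="5">* OK</dstcontent>
  </signature>
  <signature>
    <appid>15002</appid><appname>CustomWeb</appname><protocol>TCP</protocol>
    <srcport>any</srcport><dstport>8080</dstport>
    <srccontent offset="0" depth="4">|47 45 54|</srccontent>
  </signature>
</signatures>"""
SIGS = load_signatures(SAMPLE_SIGNATURES_XML)

if __name__ == "__main__":
    print(classify("TCP", 51000, 143, b"a001 login u p\r\n", b"* OK ready\r\n", SIGS))
    print(classify("TCP", 51000, 8080, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n", SIGS))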
