Custom Application Signatures for Application Identification
User-defined custom application signatures can also be used to identify the application regardless of the protocol and port being used. You can create custom signatures using hostnames, IP address ranges, and ports, which allows you to track traffic to specific destinations. For more information, see the following topics:
Understanding Junos OS Application Identification Custom Application Signatures
This topic includes the following sections:
- Custom Application Signatures Overview
- Enhancements to Custom Application Signatures
- Supported Types of Custom Application Signatures
- Benefits of Using Custom Application Signatures
- Limitations
- Additional Configuration Options for Custom Application Signatures
Custom Application Signatures Overview
Junos OS application identification feature provides you the flexibility to create custom signatures to identify any application, whether it is web-based or a client-server application. You can create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7.
In general, custom application signatures are unique to your environment and are mostly used to inspect internal or custom applications. Once you create custom application signatures, AppID classifies and inspects in the same manner as standard applications. Since custom application signatures are not part of the predefined application package, they are saved in the configuration hierarchy, not in the predefined application signature database.
You must download and install the application signature package on your device before you configure custom signatures. Once custom signatures are configured, you cannot uninstall the application signature package. All custom application signatures are carried forward as-is when you upgrade your system to a new software version.
Enhancements to Custom Application Signatures
Starting in Junos OS Release 20.1R1, we’ve enhanced the custom application signature functionality by providing a new set of applications and contexts.
Custom application signature contexts are now part of the application signature package. If you want to use the newly introduced applications and contexts for custom application signatures, you must download and install the latest application signature package, version 3248 or later. You can upgrade the application signature package separately without upgrading Junos OS.
Supported Types of Custom Application Signatures
Security devices support the following types of custom signatures:
- ICMP-based mapping
- Address-based mapping
- IP protocol-based mapping
- Layer 7-based and TCP/UDP stream-based mapping
Among the supported custom application signature types, ICMP-based, IP protocol-based, and address-based custom applications have higher priority than Layer 7-based and TCP/UDP stream-based custom applications. The priority order is: ICMP-based, IP protocol-based, address-based, and then Layer 7-based or TCP/UDP stream-based custom applications.
- ICMP-Based Mapping
- Address-Based Mapping
- IP Protocol-Based Mapping
- Layer 7-Based and TCP/UDP Stream-Based Signatures
ICMP-Based Mapping
The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. This mapping technique lets you differentiate between various types of ICMP messages. The ICMP mapping technique does not support ICMPv6 traffic.
IDP works only with TCP or UDP traffic. Therefore, ICMP mapping does not apply to IDP and cannot support IDP features such as custom attacks.
Address-Based Mapping
Layer 3 and Layer 4 address mapping defines an application by the IP address and optional port range of the traffic.
When you configure Layer 3 and Layer 4 address-based custom applications, the configured IP address and port range are matched against the destination IP address and port of the packet. When both an IP address and a port range are configured, both criteria must match the destination IP address and port of the packet.
Consider a Session Initiation Protocol (SIP) server that initiates sessions from its known port 5060. Because all traffic from this IP address and port is generated only by the SIP application, the SIP application can be mapped to the server’s IP address and port 5060 for application identification. In this way, all traffic with this IP address and port is identified as SIP application traffic.
When you configure both an address-based application and a TCP/UDP stream-based application, and a session matches both, the TCP/UDP stream-based application is reported as the application and the address-based application is reported as the extended application.
To ensure adequate security, use address mapping when the configuration of your private network predicts application traffic to or from trusted servers. Address mapping provides efficiency and accuracy in handling traffic from a known application.
IP Protocol-Based Mapping
Standard IP protocol numbers map an application to IP traffic. As with address mapping, to ensure adequate security, use IP protocol mapping only in your private network for the trusted servers.
IDP works only with TCP or UDP traffic. IP protocol mapping, therefore, does not apply to IDP and cannot support IDP features such as custom attacks.
IP protocol-based custom application signatures do not work as expected in Junos OS Releases 19.2 through 19.4. Starting in Junos OS Release 20.1R1, you can use IP protocol-based custom application signatures.
Suggested workaround:
If you are configuring a unified policy, use a service-based application configuration:
user@host# set applications application application-name protocol IP-proto-number
Example:
user@host# set applications application A1 protocol 2
If you are using the legacy application firewall, use the predefined IP protocol applications:
user@host# set security application-firewall rule-sets rule-set-name rule rule-name match dynamic-application application-name
Example:
user@host# set security application-firewall rule-sets RS-1 rule R1 match dynamic-application junos:IPP-IGMP
Layer 7-Based and TCP/UDP Stream-Based Signatures
Layer 7 custom signatures define an application that runs over TCP or UDP, or over a Layer 7 protocol.
Layer 7-based custom application signatures are required for the identification of multiple applications running on the same Layer 7 protocols. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol.
Layer 7-based custom application signatures detect applications based on patterns in HTTP contexts. However, some HTTP sessions are encrypted in SSL; for those, application identification can also extract the server name or the server certificate from the TLS or SSL session. It can also detect patterns in the TCP or UDP payload of Layer 7 applications.
Benefits of Using Custom Application Signatures
- Enforce a security policy unique to your networking environment, based on specific applications
- Bring visibility to unknown or unclassified applications
- Identify applications over Layer 7 as well as transient or temporary applications, and achieve further granularity for known applications
- Apply quality-of-service (QoS) to any specific application
Limitations
The following features are not supported:
- Some PCRE-based expressions and Unicode-based characters (if not supported in Hyperscan)
- Enforcing an order among members in Layer 7-based signatures
- The wildcard address for address-based signatures (Layer 3 and Layer 4)
Additional Configuration Options for Custom Application Signatures
Starting in Junos OS Release 20.1R1 and if you are using application signature package version 3248 or later, you can configure the following options for custom application signatures:
- Custom Application Pattern Depth
- Custom Applications Inspection Byte Limit
- Priority for Custom Applications
- Subject Alternative Name
Custom Application Pattern Depth
You can specify the byte limit (depth) within which AppID must find the custom application pattern, for applications running over TCP or UDP or over Layer 7 protocols.
To configure the limit, use the following configuration statement from the [edit] hierarchy:
user@host# set services application-identification application application-name over application signature signature-name member number depth
Example:
user@host# set services application-identification application my_custom_address over HTTP signature my_addr_sig1 member m01 depth 256
For Layer 7 custom applications, the depth is considered from the beginning of the Layer 7 context. For TCP/UDP stream-based custom applications, depth is considered from the beginning of the TCP/UDP payload.
Custom Applications Inspection Byte Limit
You can set the inspection byte limit for AppID to conclude the classification and identify the custom application in a session. On exceeding the limit, AppID terminates the application classification. You can use this option to improve the application traffic throughput.
To configure the application byte limit, use the following configuration statement from the [edit] hierarchy:
user@host# set services application-identification custom-application-byte-limit byte-number
Example:
user@host# set services application-identification custom-application-byte-limit 400
If you have configured a custom application signature over a predefined application and AppID has already identified the predefined application, DPI continues with the custom signature identification. While the custom signature identification is in progress, the classification is marked as non-final. If no custom application is identified within the custom application byte limit and the predefined application is already identified, AppID concludes the predefined application as final and offloads the session.
Priority for Custom Applications
In releases prior to Junos OS 20.1R1, the default priority for custom application signatures was high, which allowed custom signatures to take precedence over the predefined applications. Starting in Junos OS Release 20.1R1, the default priority for custom application signatures is low.
When AppID identifies a custom application with low priority before identifying a predefined application, it waits until predefined application classification is final. If there is no predefined application match available and the custom application is identified, then AppID terminates the classification with the identified custom application.
If you want to override the predefined applications priority with custom application signatures, you must explicitly set the priority to high for the custom application signatures.
To configure high priority for custom applications, use the following configuration statement from the [edit] hierarchy:
user@host# set services application-identification application application-name priority high
Example:
user@host# set services application-identification application my_custom_address priority high
Note the following about the priority of custom applications:
For Junos OS Releases prior to 20.1R1:
- The default priority for custom applications is high.
- The priority of the applications is considered when multiple applications match in the same packet.
- When you configure high priority for a custom application: custom applications always take precedence over the predefined applications.
- When you configure low priority for a custom application: custom applications have lower precedence than similar pattern-based predefined signatures and higher precedence than the other applications. In these releases, no option is available to change this behavior.
For Junos OS Release 20.1R1 and later:
- The default priority for custom applications is low.
- The priority does not depend on the matches in the same packet.
- The priority of Layer 7-based and TCP/UDP stream-based custom applications works as configured (either high or low) against all predefined applications.
- Layer 3-based and Layer 4-based custom applications always remain at high priority; in this case, the configured priority is ignored. These applications override all predefined applications because they are triggered on the first packet of the session.
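The precedence rules above (Layer 3/4 mappings first, then high- or low-priority Layer 7 and stream signatures, with the custom byte limit deciding when a still-unmatched custom signature stops holding the classification open) are easy to misread, so here is a small Python model of them. It is an added example, not Juniper code: the CustomApp, Verdict and classify names, the byte offsets and the junos:PREDEFINED placeholder are assumptions chosen for illustration, and the model treats the predefined classification as final as soon as it matches.

```python
from dataclasses import dataclass
from typing import List, Optional

# Precedence among the Layer 3/4 mapping types, highest first.
L3L4_ORDER = ["icmp", "ip-protocol", "address"]
PREDEFINED = "junos:PREDEFINED"  # placeholder for whichever predefined app matched

@dataclass
class CustomApp:
    name: str
    kind: str                        # icmp | ip-protocol | address | stream | layer7
    priority: str = "low"            # 20.1R1+ default; ignored for L3/L4 kinds
    match_at: Optional[int] = None   # payload byte offset where it matches, None = never

@dataclass
class Verdict:
    application: Optional[str]
    extended_application: Optional[str]
    final: bool

def effective_priority(app: CustomApp) -> str:
    """Layer 3/4 mappings are always high priority; the configured value is ignored."""
    return "high" if app.kind in L3L4_ORDER else app.priority

def classify(customs: List[CustomApp], predefined_at: Optional[int],
             byte_limit: int, session_bytes: int) -> Verdict:
    """What AppID reports once `session_bytes` of payload have been seen.

    predefined_at: offset at which a predefined (junos:) signature matched, or None.
    Simplification: the predefined classification is treated as final once it matches.
    """
    # 1. L3/L4 mappings fire on the first packet and override every predefined app.
    l3l4 = sorted((c for c in customs if c.kind in L3L4_ORDER and c.match_at is not None),
                  key=lambda c: L3L4_ORDER.index(c.kind))
    # 2. Stream/L7 custom signatures only count inside the custom byte limit.
    window = min(session_bytes, byte_limit)
    l7 = sorted((c for c in customs if c.kind not in L3L4_ORDER
                 and c.match_at is not None and c.match_at <= window),
                key=lambda c: c.match_at)
    if l3l4:
        top = l3l4[0]
        if top.kind == "address" and l7:
            # Both an address-based and a stream-based app match: the stream-based app
            # is the application, the address-based app is the extended application.
            return Verdict(l7[0].name, top.name, True)
        return Verdict(top.name, None, True)
    predefined_seen = predefined_at is not None and predefined_at <= session_bytes
    high = [c for c in l7 if effective_priority(c) == "high"]
    if high:  # high priority: the custom app wins even if a predefined app matched
        return Verdict(high[0].name, None, True)
    if predefined_seen:
        # Low-priority custom apps yield to the predefined app. If some custom signature
        # is still unmatched and the byte limit is not yet reached, DPI keeps inspecting
        # and the classification stays non-final.
        matched = {c.name for c in l7}
        pending = session_bytes < byte_limit and any(
            c.kind not in L3L4_ORDER and c.name not in matched for c in customs)
        return Verdict(PREDEFINED, None, not pending)
    if l7:  # custom app identified and no predefined match: the custom app is final
        return Verdict(l7[0].name, None, True)
    # Nothing matched: classification ends (without a result) once the limit is exceeded.
    return Verdict(None, None, session_bytes >= byte_limit)
```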
Subject Alternative Name
Starting in Junos OS Release 23.4R1, you can create an AppID custom signature using the SAN (Subject Alternative Name) certificate attribute for SSL signatures. An SSL certificate with the SAN attribute allows specifying multiple host names or IP addresses in a single certificate. With this enhancement, custom application signatures can detect applications based on the application’s host names listed in the SAN field of the SSL certificate.
You can configure SAN using the ssl-subject-alt-name option under the [edit services application-identification application name over SSL signature name member name context] hierarchy.
Example: Configuring Junos OS Application Identification Custom Application Signatures
This example shows how to configure custom application signatures for Junos OS application identification.
We recommend that only advanced Junos OS users attempt to customize application signatures.
Before You Begin:
Install a valid application identification feature license on your SRX Series Firewall. See Managing Junos OS Licenses.
This configuration example is tested using Junos OS Release 20.1R1.
Ensure that your security device has the application signature package installed. See Downloading and Installing the Junos OS Application Signature Package Manually.
To use enhanced custom application signatures, upgrade to the latest application signature package, version 3284 or later. Check your application signature version using the following command:
user@host> show services application-identification version
Application package version: 3248
Overview
Application identification supports custom application signatures to detect applications as they pass through the device. When you configure custom signatures, ensure that your signatures are unique.
Use the following steps to configure custom application signatures:
- Define attributes such as context, patterns, direction, port range, and so on, so that your security device can match the application traffic.
- Configure the inspection limit, pattern depth, and priority (optional configurations) to enhance the custom application identification process.
- Attach the custom application to a security policy that allows or denies the application traffic.
- View application signatures and application signature groups by using the show services application-identification application and show services application-identification group commands.
Examples of Custom Application Configuration
Procedure
Step-by-Step Procedure
Set inspection limit for custom applications.
[edit]
user@host# set services application-identification custom-application-byte-limit 400
Set priority for custom applications.
[edit]
user@host# set services application-identification application test cacheable
user@host# set services application-identification application test priority high
Configure TCP stream-based custom signatures:
[edit]
user@host# set services application-identification application my_custom_tcp over TCP signature s1 member m01 context stream
user@host# set services application-identification application my_custom_tcp over TCP signature s1 member m01 pattern .*install.*
user@host# set services application-identification application my_custom_tcp over TCP signature s1 member m01 direction any
user@host# set services application-identification application my_custom_tcp over TCP signature s1 member m01 depth 100
Configure FTP context-based custom signatures:
[edit]
user@host# set services application-identification application my_custom_ftp over FTP signature sig1 member m01 depth 60
user@host# set services application-identification application my_custom_ftp over FTP signature sig1 member m01 context ftp-file-name
user@host# set services application-identification application my_custom_ftp over FTP signature sig1 member m01 pattern .*install.*
user@host# set services application-identification application my_custom_ftp over FTP signature sig1 member m01 direction client-to-server
Configure HTTP context-based custom signatures.
[edit]
user@host# set services application-identification application my_custom_http over HTTP signature s1 member m01 context http-header-host
user@host# set services application-identification application my_custom_http over HTTP signature s1 member m01 pattern .*agent1.*
user@host# set services application-identification application my_custom_http over HTTP signature s1 member m01 direction client-to-server
user@host# set services application-identification application my_custom_http over HTTP signature s1 member m01 depth 100
Configure SSL context-based custom signatures:
[edit]
user@host# set services application-identification application my_custom_ssl over SSL signature s1 member m01 context ssl-server-name
user@host# set services application-identification application my_custom_ssl over SSL signature s1 member m01 pattern "example\.com"
user@host# set services application-identification application my_custom_ssl over SSL signature s1 member m01 direction client-to-server
user@host# set services application-identification application my_custom_ssl over SSL signature s1 member m01 depth 100
Configure ICMP-based custom applications signatures:
[edit]
user@host# set services application-identification application my_custom_icmp icmp-mapping type 100
user@host# set services application-identification application my_custom_icmp icmp-mapping code 1
Configure Layer 3 or Layer 4 address-based custom applications signatures:
[edit]
user@host# set services application-identification application my_custom_address address-mapping ADDR-SAMPLE filter ip 192.0.2.1/24
user@host# set services application-identification application my_custom_address address-mapping ADDR-SAMPLE filter port-range udp 5000-6000
Note: You must provide the appropriate port range and a specific IP address to configure address-based custom application signatures.
Configure IP protocol mapping-based custom application signatures.
[edit]
user@host# set services application-identification application my_custom_ip_proto ip-protocol-mapping protocol 2
Create a security policy with custom applications as match criteria.
[edit]
user@host# set security policies from-zone untrust to-zone trust policy 1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match application any
user@host# set security policies from-zone untrust to-zone trust policy 1 match dynamic-application my_custom_http
user@host# set security policies from-zone untrust to-zone trust policy 1 then permit
We are using my_custom_http for this example. Similarly, you can create different security policies that specify other custom applications, such as my_custom_ftp, my_custom_tcp, my_custom_ssl, my_custom_address, my_custom_icmp, or my_custom_ip_proto, as the dynamic-application match condition, as required.
Enable application tracking.
user@host# set security zones security-zone trust application-tracking
Results
From configuration mode, confirm your configuration by entering the show services application-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show services application-identification
custom-application-byte-limit 100;
application my_custom_address {
    address-mapping ADDR-SAMPLE {
        filter {
            ip 192.0.2.1/24;
            port-range {
                udp 5000-6000;
            }
        }
    }
}
application my_custom_ftp {
    over FTP {
        signature sig1 {
            member m01 {
                depth 60;
                context ftp-file-name;
                pattern .*install.*;
                direction client-to-server;
            }
        }
    }
}
application my_custom_http {
    over HTTP {
        signature s1 {
            member m01 {
                depth 100;
                context http-header-host;
                pattern .*agent1.*;
                direction client-to-server;
            }
        }
    }
}
application my_custom_icmp {
    icmp-mapping {
        type 100;
        code 1;
    }
}
application my_custom_ip_proto {
    ip-protocol-mapping {
        protocol 2;
    }
}
application my_custom_ssl {
    over SSL {
        signature s1 {
            member m01 {
                depth 100;
                context ssl-server-name;
                pattern "example\.com";
                direction client-to-server;
            }
        }
    }
}
application my_custom_tcp {
    over TCP {
        signature s1 {
            member m01 {
                depth 100;
                context stream;
                pattern .*install.*;
                direction any;
            }
        }
    }
}
application test {
    cacheable;
    priority high;
}
[edit security policies]
user@host# show
from-zone untrust to-zone trust {
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application [my_custom_http];
        }
        then {
            permit;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Custom Application Definitions
Purpose
Display the custom application signatures configured on your device. Note that predefined application signature names use the prefix “junos:”.
Action
From configuration mode, enter the show services application-identification application detail name command.
user@host> show services application-identification application detail test
Application Name: test
Application type: TEST
Description: N/A
Application ID: 16777219
Priority: high
Meaning
The command output displays the custom application name, type, description, ID, and priority.