
Custom Application Signatures for Application Identification

User-defined custom application signatures can also be used to identify the application regardless of the protocol and port being used. You can create custom signatures using hostnames, IP address ranges, and ports, which allows you to track traffic to specific destinations. For more information, see the following topics:

Understanding Junos OS Application Identification Custom Application Signatures

This topic includes the following sections:

Custom Application Signatures Overview

The Junos OS application identification feature gives you the flexibility to create custom signatures to identify any application, whether it is web-based or a client-server application. You can create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7.

In general, custom application signatures are unique to your environment and are mostly used to inspect internal or custom applications. Once you create custom application signatures, AppID classifies and inspects them in the same manner as predefined applications. Because custom application signatures are not part of the predefined application package, they are saved in the configuration hierarchy, not in the predefined application signature database.

You must download and install the application signature package on your device before you can configure custom signatures. While custom signatures are configured, you cannot uninstall the application signature package. All custom application signatures are carried forward as-is when you upgrade your system to a new software version.

Enhancements to Custom Application Signatures

Starting in Junos OS Release 20.1R1, we’ve enhanced the custom application signature functionality by providing a new set of applications and contexts.

Custom application signature contexts are now part of the application signature package. If you want to use the newly introduced applications and contexts for custom application signatures, you must download and install the latest application signature package, version 3248 or later. You can upgrade the application signature package separately without upgrading Junos OS.

Supported Types of Custom Application Signatures

Security devices support the following types of custom signatures:

  • ICMP-based mapping

  • Address-based mapping

  • IP protocol-based mapping

  • Layer 7-based and TCP/UDP stream-based mapping

Among the supported types, ICMP-based, IP protocol-based, and address-based custom applications take priority over Layer 7-based and TCP/UDP stream-based custom applications. The priority order, from highest to lowest, is: ICMP-based, IP protocol-based, address-based, and then Layer 7-based or TCP/UDP stream-based custom applications.

ICMP-Based Mapping

  • The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. This mapping technique lets you differentiate between various types of ICMP messages. The ICMP mapping technique does not support ICMPv6 traffic.

  • IDP works only with TCP or UDP traffic. Therefore, ICMP mapping does not apply to IDP and cannot support IDP features such as custom attacks.

Address-Based Mapping

  • Layer 3 and Layer 4 address mapping defines an application by the IP address and optional port range of the traffic.

  • When configuring Layer 3 and Layer 4 address-based custom applications, the configured IP address and port range are matched against the destination IP address and port of the packet. When both an IP address and a port range are configured, both criteria must match the packet's destination IP address and port.

    Consider a Session Initiation Protocol (SIP) server that initiates sessions from its known port 5060. Because all traffic from this IP address and port is generated only by the SIP application, the SIP application can be mapped to the server’s IP address and port 5060 for application identification. In this way, all traffic with this IP address and port is identified as SIP application traffic.

  • When you configure both an address-based application and a TCP/UDP stream-based application, and a session matches both, the TCP/UDP stream-based application is reported as the application and the address-based application is reported as the extended application.

CAUTION:

To ensure adequate security, use address mapping only when the layout of your private network makes application traffic to or from trusted servers predictable. Address mapping provides efficiency and accuracy in handling traffic from a known application.

IP Protocol-Based Mapping

  • Standard IP protocol numbers map an application to IP traffic. As with address mapping, to ensure adequate security, use IP protocol mapping only for trusted servers in your private network.

  • IDP works only with TCP or UDP traffic. IP protocol mapping, therefore, does not apply to IDP and cannot support IDP features such as custom attacks.

IP protocol-based custom application signatures do not work as expected in Junos OS Releases 19.2 through 19.4. Starting in Junos OS Release 20.1R1, you can use IP protocol-based custom application signatures.

Suggested workaround:

  • If you are configuring a unified policy, use a service-based application configuration.

    Example:

  • If you are using the legacy application firewall, use predefined IP protocol applications.

    Example:

Layer 7-Based and TCP/UDP Stream-Based Signatures

  • Layer 7 custom signatures define an application running over TCP or UDP, or over a Layer 7 protocol.

  • Layer 7-based custom application signatures are required for the identification of multiple applications running on the same Layer 7 protocols. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol.

  • Layer 7-based custom application signatures detect applications based on patterns in HTTP contexts. However, some HTTP sessions are encrypted with SSL. For those, application identification can extract the server name information or the server certificate from the TLS or SSL session. It can also detect patterns in the TCP or UDP payload of Layer 7 applications.

Benefits of Using Custom Application Signatures

  • Enforce security policy unique to your networking environment based on specific applications

  • Bring visibility for unknown or unclassified applications

  • Identify applications over Layer 7, including transient or temporary applications, and achieve finer granularity for known applications

  • Perform quality-of-service (QoS) for any specific application

Limitations

The following features are not supported:

  • PCRE expressions and Unicode characters that Hyperscan does not support

  • Enforcing order among members in Layer 7-based signatures

  • The wildcard address for address-based signatures (Layer 3 and Layer 4)

Additional Configuration Options for Custom Application Signatures

Starting in Junos OS Release 20.1R1 and if you are using application signature package version 3248 or later, you can configure the following options for custom application signatures:

Custom Application Pattern Depth

You can specify the byte limit within which AppID must find the custom application pattern, for applications running over TCP or UDP or for Layer 7 applications.

To configure the limit, use the following configuration statements from the [edit] hierarchy:

Example:

For Layer 7 custom applications, the depth is considered from the beginning of the Layer 7 context. For TCP/UDP stream-based custom applications, depth is considered from the beginning of the TCP/UDP payload.

Custom Applications Inspection Byte Limit

You can set the inspection byte limit for AppID to conclude the classification and identify the custom application in a session. On exceeding the limit, AppID terminates the application classification. You can use this option to improve the application traffic throughput.

To configure the application byte limit, use the following configuration statements from the [edit] hierarchy:

Example:

If you have configured a custom application signature over a predefined application and AppID has already identified the predefined application, DPI continues with the custom signature identification. While the custom signature identification is in progress, the classification is marked as non-final. If no custom application is identified within the custom application byte limit and the predefined application is already identified, AppID concludes with the predefined application as final and offloads the session.

Priority for Custom Applications

In releases prior to Junos OS 20.1R1, the default priority for custom application signatures was high, which allowed custom signatures to take precedence over the predefined applications. Starting in Junos OS Release 20.1R1, the default priority for custom application signatures is low.

When AppID identifies a custom application with low priority before identifying a predefined application, it waits until the predefined application classification is final. If no predefined application match is available and the custom application is identified, AppID terminates the classification with the identified custom application.

If you want to override the predefined applications priority with custom application signatures, you must explicitly set the priority to high for the custom application signatures.

To configure the high priority for custom applications, use the following configuration statements from the [edit] hierarchy:

Example:

Note the following about priority of the custom applications:

  • For Junos OS Release prior to 20.1R1:

    • The default priority for the custom applications is high.

    • The priority of the applications is considered when multiple applications match in the same packet.

    • When you configure high priority for a custom application, custom applications always take precedence over the predefined applications.

      When you configure low priority for a custom application, custom applications have lower precedence than similar pattern-based predefined signatures and higher precedence than the other applications. In these releases, no option is available to change this behavior.

  • For Junos OS Release 20.1R1 and later:

    • The default priority for the custom applications is low.

    • The priority does not depend on the matches in the same packet.

    • The priority of Layer 7 and TCP/UDP stream-based custom applications works as configured (either high or low) with respect to all predefined applications.

    • Layer 3 and Layer 4 based custom applications always remain at high priority; the configured priority is ignored. Layer 3 and Layer 4 based custom applications override all predefined applications because they are triggered on the first packet of the session.
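The precedence rules described under Address-Based Mapping, Custom Applications Inspection Byte Limit, and this priority section, modelled in Python as an added example that is not Junos code or part of this documentation. The application names, destination prefix, pattern, depth and byte limit are constructed values chosen for the illustration.

```python
import ipaddress
import re

# Constructed values (not from the documentation): inspection byte limit,
# one Layer 3/4 address mapping and one TCP stream pattern with its depth.
CUSTOM_BYTE_LIMIT = 200
ADDRESS_APPS = [("my_custom_address", ipaddress.ip_network("10.10.10.0/24"), (5060, 5060))]
STREAM_APPS = [("my_custom_tcp", re.compile(rb"CUSTOMAPP/1\.0"), 16, "low")]

def match_address(dst_ip, dst_port):
    """Layer 3/4 mapping: destination IP AND destination port must both match."""
    ip = ipaddress.ip_address(dst_ip)
    for name, net, (lo, hi) in ADDRESS_APPS:
        if ip in net and lo <= dst_port <= hi:
            return name
    return None

def match_stream(payload):
    """Stream mapping: the pattern must appear within `depth` bytes of payload."""
    for name, pattern, depth, priority in STREAM_APPS:
        if pattern.search(payload[:depth]):
            return name, priority
    return None

def classify(dst_ip, dst_port, payload, predefined):
    """Return (application, extended_application, final) for one session.

    `payload` is the TCP payload seen so far; `predefined` is the application
    that AppID's predefined signatures have already identified, or None when
    no predefined match is available.
    """
    addr_app = match_address(dst_ip, dst_port)
    stream = match_stream(payload[:CUSTOM_BYTE_LIMIT])
    if stream:
        name, priority = stream
        # Low priority: an identified predefined application wins; high
        # priority: the custom application overrides it. When both a stream
        # and an address mapping match, the address-based application is
        # reported as the extended application.
        app = name if priority == "high" or predefined is None else predefined
        return app, addr_app, True
    if addr_app:
        # Address mapping is decided on the first packet and always wins.
        return addr_app, None, True
    if len(payload) < CUSTOM_BYTE_LIMIT:
        # Custom identification still in progress: classification non-final.
        return predefined, None, False
    # Byte limit reached without a custom match: terminate classification
    # with the predefined application (if any) and offload the session.
    return predefined, None, True
```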

Subject Alternative Name

Starting in Junos OS Release 23.4R1, you can create an AppID custom signature using the SAN (Subject Alternative Name) certificate attribute for SSL signatures. An SSL certificate with the SAN attribute allows you to specify multiple host names or IP addresses in a single certificate. With this enhancement, custom application signatures can detect applications based on the application’s host names listed in the SAN field of the SSL certificate.

You can configure SAN using the ssl-subject-alt-name option under [edit services application-identification application name over SSL signature name member name context] hierarchy.

Example: Configuring Junos OS Application Identification Custom Application Signatures

This example shows how to configure custom application signatures for Junos OS application identification.

CAUTION:

We recommend that only advanced Junos OS users attempt to customize application signatures.

Before You Begin:

  • Install a valid application identification feature license on your SRX Series Firewall. See Managing Junos OS Licenses.

  • This configuration example is tested using Junos OS Release 20.1R1.

  • Ensure that your security device has the application signature package installed. See Downloading and Installing the Junos OS Application Signature Package Manually.

  • To use enhanced custom application signatures, upgrade to the latest application signature package, version 3284 or later. Check your application signature version using the following command:

Overview

Application identification supports custom application signatures to detect applications as they pass through the device. When you configure custom signatures, ensure that your signatures are unique.

Use the following steps to configure custom application signatures:

  1. Define attributes such as context, patterns, direction, port range, and so on, so that your security device can match the application traffic.

  2. Configure the inspection limit, pattern depth, and priority (optional configurations) to enhance the custom application identification process.

  3. Attach the custom application to a security policy that allows or denies the application traffic.

  4. View application signatures and application signature groups by using the show services application-identification application and show services application-identification group commands.

Examples of Custom Application Configuration

Procedure

Step-by-Step Procedure

  • Set inspection limit for custom applications.

  • Set priority for custom applications.

  • Configure TCP stream-based custom signatures:

  • Configure FTP context-based custom signatures:

  • Configure HTTP context-based custom signatures.

  • Configure SSL context-based custom signatures:

  • Configure ICMP-based custom applications signatures:

  • Configure Layer 3 or Layer 4 address-based custom applications signatures:

    Note:

    You must provide the appropriate port range and a specific IP address to configure address-based custom application signatures.

  • Configure IP protocol mapping-based custom application signatures.

  • Create a security policy with custom applications as match criteria.

    We are using my_custom_http for this example. Similarly, you can create other security policies that specify other custom applications, such as my_custom_ftp, my_custom_tcp, my_custom_ssl, my_custom_address, my_custom_icmp, or my_custom_ip_proto, as the dynamic application match condition, according to your requirements.

  • Enable application tracking.

Results

From configuration mode, confirm your configuration by entering the show services application-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Custom Application Definitions

Purpose

Display the custom application signatures configured on your device. Note that predefined application signature names use the prefix “junos:”.

Action

From configuration mode, enter the show services application-identification application detail name command.

Meaning

The output of the command displays the custom application name, type, description, ID, and priority.

See show services application-identification application