
Defining New Applications

To define new applications, edit the application configuration file.

When you define new applications, the application ID number must not exist in the apps.conf file. Assign numbers that are in the 15,000 - 20,000 range for custom applications.

The format of the entry uses the following syntax:

The application name <appname> is used in the Network Activity and Offenses tabs. You can specify an application name with up to five application levels. However, JSA uses only three levels of the application name. Use a number sign (#) to separate each level of the application name.

The following example defines the Authentication.Radius-1646 application with an application ID of 51343:

Authentication#Radius-1646####51343

Five application levels are represented in the application ID. Application levels are separated by number sign (#). If an application ID contains fewer than five levels, include the number signs for all five levels.

For example, to add Authentication#Radius-1646####51343 as an application ID, insert the application ID as follows:

  1. Using SSH, log in to JSA as the root user.
  2. Open the following file:

    /store/configservices/staging/globalconfig/apps.conf

  3. Insert new applications and ensure that you insert the new application ID in alphabetical order.
  4. Save and exit the file.
  5. Log in to JSA as an administrator.
  6. Click the Admin tab.
  7. On the toolbar, click Deploy Changes.

Choose one of the following options:
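The apps.conf entry layout described above (five application levels separated by number signs, followed by the ID) lends itself to a pre-deployment check. The following Python script is an added example, not JSA's own code: it parses an entry, reports the display name JSA would use (the first three levels), checks the ID against the 15,000 - 20,000 custom range and against IDs already present, and returns the file with the new line in sorted order. The existing apps.conf lines are constructed sample data, and the assumption that plain string sorting matches the "alphabetical order" the procedure asks for is this example's, not the page's.

```python
CUSTOM_ID_RANGE = range(15000, 20001)  # custom application IDs per the page
LEVELS = 5                             # five '#'-separated name levels precede the ID

# Constructed sample of existing apps.conf lines (not taken from a real JSA system).
EXISTING = """\
Authentication#Kerberos####50010
Authentication#Radius-1645####51342
Web#HTTP####1010
"""


def parse_app_entry(line):
    """Split '<l1>#<l2>#<l3>#<l4>#<l5>#<id>' into (levels, app_id).

    Raises ValueError when the line does not carry exactly five levels plus a
    numeric ID, or when the first level is empty.
    """
    parts = line.strip().split('#')
    if len(parts) != LEVELS + 1:
        raise ValueError(f"expected {LEVELS} levels plus an ID in {line!r}")
    *levels, app_id = parts
    if not app_id.isdigit():
        raise ValueError(f"application ID must be numeric in {line!r}")
    if not levels[0]:
        raise ValueError(f"first application level must not be empty in {line!r}")
    return levels, int(app_id)


def display_name(levels):
    """JSA shows only the first three levels of the application name."""
    return '#'.join(level for level in levels[:3] if level)


def existing_ids(text):
    """Collect every application ID already present in an apps.conf body."""
    return {parse_app_entry(l)[1] for l in text.splitlines() if l.strip()}


def validate_new_entry(line, existing_text):
    """Return a list of problems (empty when the entry is safe to insert)."""
    levels, app_id = parse_app_entry(line)
    problems = []
    if app_id not in CUSTOM_ID_RANGE:
        problems.append(f"ID {app_id} is outside the custom range 15000-20000")
    if app_id in existing_ids(existing_text):
        problems.append(f"ID {app_id} already exists in apps.conf")
    return problems


def insert_sorted(line, existing_text):
    """Return the file body with the new entry inserted in sorted order
    (assumption: plain string order is the alphabetical order the procedure wants)."""
    lines = [l.strip() for l in existing_text.splitlines() if l.strip()]
    lines.append(line.strip())
    return '\n'.join(sorted(lines)) + '\n'


if __name__ == '__main__':
    entry = "Authentication#Radius-1646####15001"   # constructed custom entry
    print(validate_new_entry(entry, EXISTING))
    print(insert_sorted(entry, EXISTING))
```

Run the check against a copy of the real file before editing it over SSH; an ID collision or out-of-range ID is caught here rather than after Deploy Changes.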

Defining Application Mappings

To identify application signatures, create user-defined application mappings that are based on the IP address and port number.

You must add the new application IDs. For more information, see Defining New Applications.

When you update the application mapping file, follow these guidelines:

  • Each line in the file indicates a mapped application. You can specify multiple mappings, each on a separate line, for the same application.

  • You can specify a wildcard character (*) for any field. Use the wildcard character alone, and not as part of a comma-separated list. The wildcard character indicates that the field applies to all flows.

  • You can associate a flow with multiple mappings. A flow is mapped to an application ID based on the mapping order in the file. The first mapping that applies in the file is assigned to the flow.

  • When you add new application ID numbers, you must create a new and unique application ID number. The application ID number must not exist in the apps.conf file. Apply numbers that range 15,000 - 20,000 for custom applications.

  • The format of the entry must resemble the following syntax:

    <New_ID> specifies the application ID you want to assign to the flow. A value of 1 indicates an unknown application. If the ID you want to assign does not exist, you must create the ID in the apps.conf file. For more information, see Defining New Applications.

    <Old_ID> specifies the default application ID of the flow, as assigned by JSA. A value of * indicates a wildcard character. If multiple application IDs are assigned, the application IDs are separated by commas.

Table 1: Application IDs

  <Source_IP_Address>
    Description: Specifies the source IP address of the flow.
    Values: Can contain either a comma-separated list of addresses or CIDR values. A value of * indicates a wildcard character, which means that this field applies to all flows.

  <Source_Port>
    Description: Specifies the associated source port.
    Values: Can contain a comma-separated list of values or ranges that are specified in the format <lower_port_number>-<upper_port_number>. A value of * indicates a wildcard character, which means that this field applies to all flows.

  <Dest_IP_Address>
    Description: Specifies the destination IP address of the flow.
    Values: Can contain either a comma-separated list of addresses or CIDR values. A value of * indicates a wildcard character, which means that this field applies to all flows.

  <Dest_Port>
    Description: Specifies the associated destination port.
    Values: Can contain a comma-separated list of values or ranges that are specified in the format <lower_port_number>-<upper_port_number>. A value of * indicates a wildcard character, which means that this field applies to all flows.

  <Name>
    Description: Specifies a name that you want to assign to this mapping.
    Values: Optional

The following example line from the user_application_mapping.conf mapping file matches flows that the JSA flow processor assigned the old ID 1010. It assigns the new ID 15000 when the flow originates from either of two subnets in 10.100.* (on any source port) and is destined for a specific address on either of two destination ports:

15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443
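The guidelines above (wildcards standing alone, comma-separated lists, port ranges, first matching line wins) are easiest to see as an evaluator. The Python below is an added example, not the JSA flow processor's own logic. It assumes the field order shown by the example line, <New_ID> <Old_ID> <Source_IP>:<Source_Port> <Dest_IP>:<Dest_Port> [<Name>], because the page does not print the syntax line itself, and it uses a constructed mapping file whose CIDR values are written with all four octets so that Python's ipaddress module accepts them.

```python
import ipaddress

# Assumed field order, inferred from the page's example line (the page's own
# syntax line is not shown, so treat this layout as an assumption):
#   <New_ID> <Old_ID> <Source_IP>:<Source_Port> <Dest_IP>:<Dest_Port> [<Name>]

# Constructed sample mapping file (not from a real JSA system).
SAMPLE_MAPPING = """\
15000 1010 10.100.100.0/24,10.100.50.10:* 172.14.33.33:80,443 custom-web
15100 * *:* *:33333,40000-40100 custom-33333
"""


def _split_list(field):
    """Split a comma-separated field; '*' must stand alone, never inside a list."""
    items = field.split(',')
    if '*' in items and len(items) > 1:
        raise ValueError(f"wildcard must be used alone, got {field!r}")
    return items


def parse_mapping_line(line):
    """Parse one mapping line into a dict of list-valued match fields."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"expected at least 4 fields in {line!r}")
    new_id, old_id, src, dst = parts[:4]
    name = parts[4] if len(parts) > 4 else None
    src_ip, src_port = src.rsplit(':', 1)   # IPv4 only: last ':' separates the port list
    dst_ip, dst_port = dst.rsplit(':', 1)
    return {
        'new_id': int(new_id),
        'old_ids': _split_list(old_id),
        'src_ip': _split_list(src_ip),
        'src_port': _split_list(src_port),
        'dst_ip': _split_list(dst_ip),
        'dst_port': _split_list(dst_port),
        'name': name,
    }


def load_mappings(text):
    """Mappings keep file order because the first matching line wins."""
    return [parse_mapping_line(l) for l in text.splitlines() if l.strip()]


def ip_matches(items, ip):
    """Addresses or CIDR values; a bare address is treated as a /32 network."""
    if items == ['*']:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(item, strict=False) for item in items)


def port_matches(items, port):
    """Single ports or <lower>-<upper> ranges."""
    if items == ['*']:
        return True
    for item in items:
        lo, _, hi = item.partition('-')
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def old_id_matches(items, old_id):
    return items == ['*'] or str(old_id) in items


def resolve_application(flow, mappings):
    """Return the application ID for a flow: the first matching mapping wins,
    otherwise the ID JSA already assigned (flow['app_id']) is kept."""
    for m in mappings:
        if (old_id_matches(m['old_ids'], flow['app_id'])
                and ip_matches(m['src_ip'], flow['src_ip'])
                and port_matches(m['src_port'], flow['src_port'])
                and ip_matches(m['dst_ip'], flow['dst_ip'])
                and port_matches(m['dst_port'], flow['dst_port'])):
            return m['new_id']
    return flow['app_id']


if __name__ == '__main__':
    maps = load_mappings(SAMPLE_MAPPING)
    flow = {'app_id': 1010, 'src_ip': '10.100.100.7', 'src_port': 51234,
            'dst_ip': '172.14.33.33', 'dst_port': 443}   # constructed flow
    print(resolve_application(flow, maps))
```

Because the first matching line is assigned, order broad wildcard lines after the specific ones; the constructed file above would silently shadow a later, more specific port-33333 mapping if the two lines were swapped.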

The following example overrides the assigned name for application ID 1010. It specifies a new application, ID 15100, based on any traffic that is going to port 33333 or a range of destination ports for specific addresses or application overrides.

Note

Due to PDF formatting, do not copy and paste the message formats directly into the interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the interface.

The following example shows the assignment of new application names and IDs by matching three application IDs, one of which is the unknown-application identifier (1). Each of these application IDs matches simply on a specified destination port, for any traffic:

  1. Use SSH to log in to JSA as the root user.
  2. Access the Network Activity tab.
  3. To determine the default application IDs, hover your mouse pointer over the application field for a flow that is associated with the application you want to update.
  4. Choose one of the following options:
    • Open the following file:

      /store/configservices/staging/globalconfig/user_application_mapping.conf

    • If the user_application_mapping.conf does not exist in your system, create the file and place the empty file in the following directory: /store/configservices/staging/globalconfig/

  5. Update the file, as necessary.
  6. Save and exit the file.
  7. Log in to the JSA user interface.
  8. Click the Admin tab.
  9. Click Deploy Changes.

Defining Application Signatures

Use the application signatures file to create IP address and content-based rules that assign application IDs to flows that JSA does not automatically detect.

The application signatures file is a definition file that the primary JSA console distributes to all JSA Flow Processors. The file includes source and destination ports, and ranges.

The application signatures file includes the following characteristics:

  • Hex content is delimited with the pipe character (|):

  • A flow can be associated with multiple signatures. A flow is mapped to an application ID based on the signature order in the file. The first signature that applies in the file is assigned to the flow.

  • When you edit the signatures.xml file, the data that is inserted between the XML tags is case-sensitive. For example, when you specify TCP within the XML tags, enter the value with all capital letters.

  • Include the user-defined parameter in your new or updated signature. This parameter ensures that all modifications are maintained after an automatic update.

The following code is an example of a Signatures.xml file:

  1. Use SSH to log in to JSA as the root user.
  2. To change to the globalconfig directory, type the following command:

    cd /store/configservices/staging/globalconfig

  3. Open the following file:

    signatures.xml

  4. Make the necessary changes using the following parameters:

    Table 2: Application Signatures Default Parameters

    appid
      A unique ID for each application that you want to define. Use numbers in the 15,000 - 20,000 range for custom applications.

    appname
      The name of the application. The application name is used in the Network Activity and Offenses tabs.

    groupname
      The group name for the application. Used only with the automatic generation script.

    description
      The long description of the application and any required notes for the particular signature.

    revision
      Use for version control.

    protocol
      If the same signature is required for more than one protocol, define a second signature.

    srcip
      The specific source IP address. Use multiple application identifications when more than one source IP address is required.

    srcport
      The specific source port for the signature. Use multiple application identifications when more than one source port is required.

    dstip
      The specific destination IP address. Use multiple application identifications when more than one destination IP address is required.

    dstport
      The specific destination port for the signature to execute. Use multiple application identifications when more than one destination port is required.

    commondstport
      The destination port that is most commonly associated with the application.

    commonsrcport
      The source port that is most commonly associated with the application.

    scrcontent <offset> <depth>
      <offset> is the offset in the payload where you want to begin searching for the source content. If no value is specified, the default is 0.
      <depth> is the offset in the payload where you want to stop the search.
      For example, if you configure the following value, bytes 5-15 of the payload are searched:

      scrcontent 5 10

    dstcontent <offset> <depth>
      <offset> is the offset in the payload where you want to begin searching for the destination content. If no value is specified, the default is 0.
      <depth> is the offset in the payload where you want to stop the search.
      For example, if you configure the following value, bytes 5-15 of the payload are searched:

      dstcontent 5 10

    weight
      The weight that you want to assign this application. The weight influences any potential rules and offenses created based on data using this application. Increasing the value of the weight increases the magnitude of the offense when it is created.

    user_defined
      You must specify this parameter to ensure that a new or updated signature is maintained after an automatic update.

  5. Save and exit the file.
  6. Log in to JSA.
  7. Click the Admin tab.
  8. Click Deploy Changes.
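Two details of the signature parameters above are easy to get wrong in practice: the pipe-delimited hex in content fields, and the offset/depth window for scrcontent and dstcontent. The Python below is an added example, not JSA's signature engine, written to make both concrete. It follows the page's worked value (offset 5, depth 10 searches bytes 5-15), so it treats depth as the number of bytes after the offset, which is this example's reading of that example rather than a documented rule; it also assumes spaces are allowed between hex bytes inside a pipe pair and that a flow record carries the bytes sent by each side as src_payload and dst_payload. The signature dictionary and flow records are constructed sample data, and protocol is compared exactly because the page says XML values such as TCP are case-sensitive.

```python
def parse_content(pattern):
    """Convert a signature content string to bytes.

    Text outside a pair of '|' characters is literal; text inside a pair is hex,
    as the page describes. Spaces between hex bytes are tolerated (assumption).
    """
    pieces = pattern.split('|')
    if len(pieces) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content {pattern!r}")
    out = bytearray()
    for i, piece in enumerate(pieces):
        if i % 2 == 0:
            out += piece.encode('latin-1')        # literal text
        else:
            out += bytes.fromhex(piece.replace(' ', ''))  # hex between pipes
    return bytes(out)


def content_matches(payload, pattern, offset=0, depth=None):
    """Search for the content inside the window the page describes.

    The search starts at `offset` (default 0). Following the page's worked
    value, offset 5 with depth 10 inspects bytes 5-15, so depth is applied as a
    byte count after the offset (assumption). With no depth the search runs to
    the end of the payload.
    """
    needle = parse_content(pattern)
    end = len(payload) if depth is None else offset + depth
    return needle in payload[offset:end]


def signature_matches(sig, flow):
    """Evaluate one signature (a dict keyed by the Table 2 parameter names)
    against a flow record. Only the parameters present in the signature are
    tested; protocol is compared exactly because the XML values are case-sensitive.
    Flow records are assumed to carry src_payload/dst_payload bytes."""
    if 'protocol' in sig and sig['protocol'] != flow['protocol']:
        return False
    for key in ('srcip', 'dstip', 'srcport', 'dstport'):
        if key in sig and sig[key] != flow[key]:
            return False
    for key, payload_key in (('scrcontent', 'src_payload'), ('dstcontent', 'dst_payload')):
        if key in sig:
            pattern, offset, depth = sig[key]
            if not content_matches(flow[payload_key], pattern, offset, depth):
                return False
    return True


def first_matching_appid(signatures, flow, default=1):
    """Signatures are evaluated in file order; the first hit wins. ID 1 is the
    page's unknown-application value, used here as the fallback."""
    for sig in signatures:
        if signature_matches(sig, flow):
            return sig['appid']
    return default


# Constructed sample signature and flows (not real JSA data).
SAMPLE_SIGNATURES = [
    {'appid': 15200, 'appname': 'Custom#Hello', 'protocol': 'TCP', 'dstport': 8080,
     'dstcontent': ('HELLO|0d 0a|', 5, 10), 'user_defined': True},
]

SAMPLE_FLOW = {'protocol': 'TCP', 'srcip': '192.0.2.5', 'dstip': '198.51.100.9',
               'srcport': 40001, 'dstport': 8080,
               'src_payload': b'', 'dst_payload': b'XXXXXHELLO\r\nYYYY'}

if __name__ == '__main__':
    print(first_matching_appid(SAMPLE_SIGNATURES, SAMPLE_FLOW))
```

When a signature never fires after Deploy Changes, check the window first: an offset past the bytes you expect, or a depth too short to cover the whole content, returns no match even though the literal and hex parts are correct.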