
Custom Application Signatures for Application Identification


User-defined custom application signatures can also be used to identify the application regardless of the protocol and port being used. You can create custom signatures using hostnames, IP address ranges, and ports, which allows you to track traffic to specific destinations. For more information, see the following topics:

Understanding Junos OS Application Identification Custom Application Signatures

Application identification supports user-defined custom application signatures and signature groups. Custom application signatures are unique to your environment and are not part of the predefined application package. You must install the application signature package on your device before you can use custom signatures, and once custom signatures are configured, you cannot uninstall the application signature package.

Custom application signatures are required:

  • To control traffic particular to an environment

  • To bring visibility to unknown or unclassified applications by defining custom applications

  • To identify applications over Layer 7 and transiting or temporary applications, and to achieve further granularity for known applications

  • To perform QoS for your specific application

You can create custom application signatures using CLI by specifying a name, protocol, port where the application runs, and match criteria. For more details, see Example: Configuring Junos OS Application Identification Custom Application Signatures.

Caution

We recommend that only advanced Junos OS users attempt to customize application signatures.

You can view application signatures and application signature groups by using the show services application-identification application and show services application-identification group commands.

Note

The following features are not supported:

  • Prioritizing custom signatures over a specific predefined custom signature

  • The complete Perl Compatible Regular Expression (PCRE) character set and Unicode-based characters

  • Enforcing order among members in Layer 7-based signatures

  • The wildcard address for address-based signatures (Layer 3 and Layer 4)

Unlike predefined signatures and groups, custom application signatures and groups are saved in the configuration hierarchy, not in the predefined application signature database. Custom application signatures and signature groups are located in the [services application-identification] hierarchy.

Security devices support the following types of custom signatures:

ICMP-Based Mapping

The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. This mapping technique lets you differentiate between various types of ICMP messages.

Note

IDP works only with TCP or UDP traffic. ICMP mapping, therefore, does not apply to IDP and cannot support IDP features such as custom attacks.

Note

The ICMP mapping technique used for mapping standard ICMP message types and optional codes is not supported for ICMPv6 traffic.

Address-Based Mapping

Layer 3 and Layer 4 address mapping defines an application by the IP address and optional port range of the traffic.

To ensure adequate security, use address mapping when the configuration of your private network predicts application traffic to or from trusted servers. Address mapping provides efficiency and accuracy in handling traffic from a known application.

For Layer 3 and Layer 4 address-based custom applications, you match the configured IP address and port range against the destination IP address and port of the packet. When both an IP address and a port are configured, both must match the destination tuple (IP address and port range) of the packet.

Consider a Session Initiation Protocol (SIP) server that initiates sessions from its known port 5060. Because all traffic from this IP address and port is generated by only the SIP application, the SIP application can be mapped to the server’s IP address and port 5060 for application identification. In this way, all traffic with this IP address and port is identified as SIP application traffic.

Note

When you configure an address-based application and a TCP/UDP stream-based application, and a session matches both applications, the TCP/UDP stream-based application is reported as the application and the address-based application is reported as the extended application.

IP Protocol-Based Mapping

Standard IP protocol numbers can map an application to IP traffic. As with address mapping, to ensure adequate security, use IP protocol mapping only in your private network for trusted servers.

Note

IDP works only with TCP or UDP traffic. IP protocol mapping, therefore, does not apply to IDP and cannot support IDP features such as custom attacks.
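The three non-Layer-7 mapping types above (ICMP type/code, destination address plus optional port range, and IP protocol number) share one idea: a packet's headers are compared to a configured tuple and, on a match, the packet is labelled with the custom application name. The following is an added example, a simplified model written for this page and not Junos OS code; the class and field names, the application names, and the sample addresses are constructed placeholders. It also models the reporting rule from the note under Address-Based Mapping: when a session matches both a TCP/UDP stream-based application and an address-based application, the stream-based one is the application and the address-based one is the extended application.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

# Packet summary used by this model (constructed; not a Junos data structure).
@dataclass
class Packet:
    ip_proto: int                    # 1 = ICMP, 6 = TCP, 17 = UDP, 47 = GRE
    dst_ip: str
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass
class IcmpMapping:
    """Maps an ICMP type and an optional code to an application name."""
    name: str
    icmp_type: int
    icmp_code: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.ip_proto != 1 or pkt.icmp_type != self.icmp_type:
            return False
        return self.icmp_code is None or pkt.icmp_code == self.icmp_code

@dataclass
class AddressMapping:
    """Maps a destination IP range plus an optional TCP/UDP port range."""
    name: str
    network: str                                  # e.g. "192.0.2.10/32"
    port_range: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst_ip) not in ip_network(self.network):
            return False
        if self.port_range is None:
            return True
        # Both address and port are configured, so both must match the
        # packet's destination tuple; non-TCP/UDP traffic has no port.
        if pkt.ip_proto not in (6, 17) or pkt.dst_port is None:
            return False
        low, high = self.port_range
        return low <= pkt.dst_port <= high

@dataclass
class IpProtocolMapping:
    """Maps a standard IP protocol number to an application name."""
    name: str
    protocol: int

    def matches(self, pkt: Packet) -> bool:
        return pkt.ip_proto == self.protocol

Mapping = Union[IcmpMapping, AddressMapping, IpProtocolMapping]

def identify(pkt: Packet, mappings: List[Mapping],
             stream_app: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (application, extended_application) for one packet.

    stream_app names a TCP/UDP stream-based custom application that the
    same session matched, if any. Per the note on the page, that application
    is reported as the application and an address-based match only as the
    extended application.
    """
    matched = [m for m in mappings if m.matches(pkt)]
    if stream_app is not None:
        ext = next((m.name for m in matched if isinstance(m, AddressMapping)), None)
        return stream_app, ext
    return (matched[0].name if matched else "unknown"), None

# Constructed sample mappings; names and addresses are placeholders.
MAPPINGS: List[Mapping] = [
    IcmpMapping("my-icmp-echo-request", icmp_type=8, icmp_code=0),
    AddressMapping("my-sip-server", "192.0.2.10/32", port_range=(5060, 5060)),
    IpProtocolMapping("my-gre", protocol=47),
]

if __name__ == "__main__":
    print(identify(Packet(17, "192.0.2.10", dst_port=5060), MAPPINGS))
    print(identify(Packet(6, "192.0.2.10", dst_port=5060), MAPPINGS, "my-sip-stream"))
```

The SIP example from the text is the second mapping: UDP or TCP to 192.0.2.10 port 5060 is labelled my-sip-server, while the same address on another port is not, because a configured port must match together with the address.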

Layer 7-Based Signatures

Layer 7 custom signatures define an application running over TCP, over UDP, or over a Layer 7 protocol such as HTTP. Layer 7-based custom application signatures are required to identify multiple applications running on the same Layer 7 protocol. For example, applications such as Facebook and Yahoo Messenger can both run over HTTP, yet they need to be identified as two different applications running on the same Layer 7 protocol.

Layer 7-based custom application signatures detect applications based on patterns in HTTP contexts. However, some HTTP sessions are encrypted with SSL, also called Transport Layer Security (TLS). For those, application identification can extract the server name information or the server certificate from the TLS or SSL session. It can also detect patterns in the TCP or UDP payload of Layer 7 applications.
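To make the context-plus-pattern model concrete, here is an added example written for this page (not Junos OS code): it pulls the URL, Host and User-Agent contexts out of a plaintext HTTP request, extracts the server name (SNI) from a TLS ClientHello so an encrypted session can still be matched, and then evaluates signatures whose members each name a context, a pattern and a direction. Every member must match, in any order, which mirrors the note above that order among members is not enforced. The context names (http-header-host, http-url, ssl-server-name), the direction keywords, the signature and host names, and the constructed request and ClientHello are all assumptions of this model; Python's re module stands in for the PCRE subset the device supports.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

CLIENT_TO_SERVER, SERVER_TO_CLIENT, ANY = "client-to-server", "server-to-client", "any"

def http_contexts(payload: bytes) -> Dict[str, str]:
    """Extract URL, Host and User-Agent contexts from a plaintext HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    ctx: Dict[str, str] = {}
    parts = lines[0].split(" ")
    if len(parts) >= 2:
        ctx["http-url"] = parts[1]
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("host", "user-agent"):
            ctx["http-header-" + key.strip().lower()] = value.strip()
    return ctx

def tls_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:      # handshake record, ClientHello
            return None
        i = 5 + 4 + 2 + 32                                # record+handshake hdr, version, random
        i += 1 + payload[i]                               # session id
        i += 2 + struct.unpack("!H", payload[i:i + 2])[0]  # cipher suites
        i += 1 + payload[i]                               # compression methods
        end = i + 2 + struct.unpack("!H", payload[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[i:i + 4])
            i += 4
            if etype == 0:                                # server_name extension
                name_len = struct.unpack("!H", payload[i + 3:i + 5])[0]
                return payload[i + 5:i + 5 + name_len].decode("ascii")
            i += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)            # version, random (zeros)
            + b"\x00"                          # empty session id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

@dataclass
class Member:
    context: str            # model context name, e.g. "http-header-host"
    pattern: str            # regular expression (Python re stands in for PCRE)
    direction: str = ANY

@dataclass
class L7Signature:
    name: str
    members: List[Member]

def signature_matches(sig: L7Signature, ctx: Dict[str, str], direction: str) -> bool:
    """Every member must match; order among members is not enforced."""
    for m in sig.members:
        if m.direction not in (ANY, direction):
            return False
        value = ctx.get(m.context)
        if value is None or not re.search(m.pattern, value):
            return False
    return True

def extract_contexts(payload: bytes) -> Dict[str, str]:
    if payload[:1] == b"\x16":                 # TLS record: only the SNI is visible
        name = tls_sni(payload)
        return {"ssl-server-name": name} if name else {}
    return http_contexts(payload)

def identify(payload: bytes, direction: str, signatures: List[L7Signature]) -> str:
    ctx = extract_contexts(payload)
    for sig in signatures:
        if signature_matches(sig, ctx, direction):
            return sig.name
    return "unknown"

# Constructed sample signatures and traffic; names and hosts are placeholders.
SIGNATURES = [
    L7Signature("my-webapp-http", [
        Member("http-header-host", r"^app\.example\.com$", CLIENT_TO_SERVER),
        Member("http-url", r"^/api/"),
    ]),
    L7Signature("my-webapp-tls", [
        Member("ssl-server-name", r"^app\.example\.com$", CLIENT_TO_SERVER),
    ]),
]
HTTP_REQUEST = (b"GET /api/v1/login HTTP/1.1\r\nHost: app.example.com\r\n"
                b"User-Agent: demo/1.0\r\n\r\n")

if __name__ == "__main__":
    print(identify(HTTP_REQUEST, CLIENT_TO_SERVER, SIGNATURES))
    print(identify(build_client_hello("app.example.com"), CLIENT_TO_SERVER, SIGNATURES))
```

Two behaviours worth checking when you write real signatures follow directly from this model: a member with direction client-to-server never matches server-to-client data even if the pattern would, and a two-member signature such as my-webapp-http stays unmatched when only the Host matches, which is why the page insists that custom signatures be unique and specific.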

Example: Configuring Junos OS Application Identification Custom Application Signatures

This example shows how to configure custom application signatures for Junos OS application identification.

Caution

We recommend that only advanced Junos OS users attempt to customize application signatures.

Requirements

Before you begin:

Overview

Application identification supports custom application signatures to detect applications as they pass through the device. When you configure custom signatures, make sure that your signatures are unique.

In this example, you create custom application signatures for applications based on ICMP, IP protocol, IP address, and Layer 7.

For information about specifying a context for matching an application, see context (Application Identification).

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

HTTP Context-Based Custom Signatures

SSL Context-Based Custom Signatures

TCP Stream-Based Custom Signatures

ICMP-Based

Layer 3/Layer 4 Address-Based

IP Protocol-Based

Step-by-Step Procedure

The following examples require you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see CLI User Guide.

To configure HTTP context-based custom signatures:

  1. Configure an application based on an HTTP context. Define an application signature to match the pattern, a unique application signature identifier, an application signature member identifier, and the context to be matched.
  2. Configure a pattern to match the context.
  3. Configure the connection direction of the packets to apply pattern matching.

Step-by-Step Procedure

To configure SSL context-based custom signatures:

  1. Configure an application based on SSL. Define an application signature to match the pattern, a unique application signature identifier, an application signature member identifier, and the context to be matched.
  2. Configure a pattern to match the context.
  3. Configure the connection direction of the packets to apply pattern matching.

Step-by-Step Procedure

To configure TCP stream-based custom signatures:

  1. Configure an application based on TCP. Define an application signature to match the pattern, a unique application signature identifier, an application signature member identifier, and the context to be matched.
  2. Configure a pattern to match the context.
  3. Configure the connection direction of the packets to apply pattern matching.

Step-by-Step Procedure

To configure ICMP-based custom application signatures:

  1. Define the type of ICMP mapping. The type field identifies the ICMP message.
  2. Define the code for ICMP mapping. The code field provides further information about the associated type field.

Step-by-Step Procedure

To configure Layer 3 or Layer 4 address-based custom application signatures:

  1. Configure the application to match the specified IP address.
  2. Configure the port range for TCP or UDP.

    Note

    You must provide both the appropriate port range and the specified IP address to configure address-based custom application signatures.

Step-by-Step Procedure

To configure IP protocol mapping-based custom application signatures:

  • Specify the IP protocol value for an application to match.

Results

From configuration mode, confirm your configuration by entering the show services application-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Custom Application Definitions

Purpose

Display the predefined and custom application signatures and settings that are configured on your device. Note that predefined application signature names use the prefix “junos:”.

Action

From configuration mode, enter the show services application-identification application detail name command.

See show services application-identification application