
    Example: Configuring Junos OS Application Identification Custom Application Definitions

    This example shows how to configure custom application signatures for Junos OS application identification.

    Requirements

    No special configuration beyond device initialization is required before configuring this feature.

    Overview

    Application identification supports custom application signatures to detect applications as they pass through the device. When you configure custom signatures, make sure that your signatures are unique.

    In this example, you create an application signature named my-app. This application operates over the HTTP protocol from port 6400, a port within the TCP port range of 0 through 65,535. You want to check the first two packets of all traffic in both directions for the dfa pattern of \xff\x[\xfa-\xff].*.

    Configuration

    CLI Quick Configuration

    To quickly configure custom application signatures, copy the following commands and paste them into the CLI:

    [edit]
    set services application-identification application my-HTTP signature port-range tcp 0-65535
    set services application-identification application my-HTTP signature client-to-server dfa-pattern \xff\x[\xfa-\xff].*
    set services application-identification application my-HTTP signature server-to-client dfa-pattern \xff\x[\xfa-\xff].*
    set services application-identification application my-HTTP signature min-data 2
    set services application-identification application my-HTTP signature insert-before junos:facebook-access

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure custom application signatures:

    1. Set the name for the custom application. Do not use the “junos” prefix, because this prefix is reserved for predefined application signatures.
      [edit services application-identification]
      user@host# set application my-HTTP
    2. Set the signature information by starting with the signature port range.
      [edit services application-identification]
      user@host# set application my-HTTP signature port-range tcp 0-65535
    3. Set the signature client-to-server DFA pattern.
      [edit services application-identification]
      user@host# set application my-HTTP signature client-to-server dfa-pattern \xff\x[\xfa-\xff].*
    4. Set the signature server-to-client DFA pattern.
      [edit services application-identification]
      user@host# set application my-HTTP signature server-to-client dfa-pattern \xff\x[\xfa-\xff].*
    5. Set the signature minimum data value.
      [edit services application-identification]
      user@host# set application my-HTTP signature min-data 2
    6. If desired, insert the custom signature to be matched before another application in the configuration.
      [edit services application-identification]
      user@host# set application my-HTTP signature insert-before junos:facebook-access

    Results

    From configuration mode, confirm your configuration by entering the show services application-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show services application-identification
    application my-HTTP {
        signature {
            port-range {
                tcp 0-65535;
            }
            client-to-server {
                dfa-pattern "\xff\x[\xfa-\xff].*";
            }
            server-to-client {
                dfa-pattern "\xff\x[\xfa-\xff].*";
            }
            min-data 2;
            insert-before junos:facebook-access;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
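
    A check that can be run over the set commands from this procedure before they are pasted and committed. It is an added example, not part of the Juniper documentation; the names lint, CMD and SAMPLE are hypothetical. It flags the reserved junos prefix, an invalid or typographically damaged port range, and duplicate signatures. Reading "unique" as "no two custom applications carry identical signature settings" is an assumption.

```python
import re

RESERVED_PREFIX = "junos"  # reserved for predefined signatures, per the text above
CMD = re.compile(r"^set (?:services application-identification )?"
                 r"application (\S+)(?: signature (\S+)(?: (.*))?)?$")

def lint(lines):
    """Return (line_no, message) findings for custom-signature set commands."""
    findings, sigs, first = [], {}, {}
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = CMD.match(line)
        if not m:
            continue  # prompts such as [edit], blank lines, unrelated commands
        name, key, value = m.groups()
        first.setdefault(name, n)
        if not line.isascii():
            findings.append((n, "non-ASCII character, e.g. a typographic dash"))
        if name.lower().startswith(RESERVED_PREFIX):
            findings.append((n, f"name '{name}' uses the reserved junos prefix"))
        if key == "port-range":
            pr = re.fullmatch(r"\S+ (\d+)-(\d+)", value or "")
            if not pr or not int(pr[1]) <= int(pr[2]) <= 65535:
                findings.append((n, f"invalid port-range '{value}'"))
        if key:
            sigs.setdefault(name, {})[key] = value
    # Assumed reading of "unique": no two custom applications carry the same
    # signature settings (placement via insert-before is ignored).
    seen = {}
    for name, sig in sigs.items():
        body = tuple(sorted(kv for kv in sig.items() if kv[0] != "insert-before"))
        if body in seen:
            findings.append((first[name], f"'{name}' duplicates '{seen[body]}'"))
        seen.setdefault(body, name)
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE = """\
[edit]
set services application-identification application my-HTTP signature port-range tcp 0-65535
set services application-identification application my-HTTP signature min-data 2
set services application-identification application junos-test signature port-range tcp 0\u201365535
set services application-identification application my-copy signature port-range tcp 0-65535
set services application-identification application my-copy signature min-data 2
""".splitlines()

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

    Both the full-path form used in the quick configuration and the shorter form typed under [edit services application-identification] are accepted.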

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Custom Application Definitions

    Purpose

    Display predefined and custom application signatures and settings that are configured on your device. Note that predefined application signature names use the prefix “junos.”

    Action

    From configuration mode, enter the show services application-identification command.

    Published: 2012-06-29