Application Identification for Nested Applications

A nested application is an application that runs over another, parent application protocol. For example, both Facebook and Yahoo Messenger can run over HTTP, yet they must be identified as two different applications. To make this possible, the application layer is split into two layers: Layer 7 applications and Layer 7 protocols.

The predefined application signatures included with Junos OS have been created to detect the Layer 7 nested applications. Predefined application signatures can be used in attack objects.

To configure nested application properties, include the nested-application statement at the [edit services application-identification] hierarchy level:

You can include the following nested application properties:

  • chain-order—Signatures can contain multiple members. If chain order is enabled, those members are matched in the order in which they are defined. By default, chain order is off. If a signature contains only one member, this option is ignored.

  • context—Define a service-specific context. The options are http-header-content-type, http-header-host, http-url-parsed, and http-url-parsed-param-parsed. This statement is mandatory.

  • direction—The connection direction of the packets to apply pattern matching. The options are client-to-server, server-to-client, or any. This statement is mandatory.

  • index—A number that is a one-to-one mapping to the application name that is used to ensure that each signature definition is unique. The index range for predefined applications is 1 through 32767. The index range for custom applications and custom nested applications is 32768 through 65534.

  • maximum-transactions—The maximum number of transactions that can occur before a match is made. This statement is mandatory.

  • member—Define a member name for a custom nested application signature definition. Custom definitions can contain multiple members that define attributes for an application.

  • order—Define the application matching priority. When more than one entry matches a session, the order number resolves the conflict; the lower number has the higher priority. This statement is mandatory.

  • pattern—Define the pattern to be matched in the specified context. This statement is mandatory.

  • protocol—The protocol that is monitored to identify nested applications. The value http is supported. This statement is mandatory.

  • signature—Name of the custom nested application signature definition. Must be a unique name with a maximum length of 32 characters. This statement is mandatory.

  • type—Well-known application name for this application definition, such as Facebook or Kazaa. This application name must be unique with a maximum length of 32 characters. This statement is mandatory.
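
The following configuration is an added example assembled from the statements listed above; it is not taken from the original page or from a shipped Junos OS signature. It defines a custom nested application for Facebook over HTTP with a two-member signature. The names my-facebook, my-facebook-sig, m01 and m02, the two patterns, and the index value are made up for illustration, and the placement of member, context, pattern and direction under signature, with chain-order, maximum-transactions and order beside the members, is assumed from the property list rather than copied from the page:

```junos
[edit services application-identification]
user@host# show
nested-application my-facebook {
    /* Well-known application name; must be unique, at most 32 characters */
    type FACEBOOK;
    /* Custom nested applications use the 32768 through 65534 index range */
    index 32800;
    /* Only http is supported as the carrier protocol for nested applications */
    protocol http;
    signature my-facebook-sig {
        /* m01: the request must be addressed to facebook.com or a subdomain of it */
        member m01 {
            context http-header-host;
            pattern "(.*\.)?facebook\.com";
            direction client-to-server;
        }
        /* m02: the parsed request URL must start with /ajax/ (illustrative value) */
        member m02 {
            context http-url-parsed;
            pattern "/ajax/.*";
            direction client-to-server;
        }
        /* m01 is evaluated before m02 */
        chain-order;
        /* Give up on this signature if no match occurs within 5 transactions */
        maximum-transactions 5;
        /* Lower number wins when several signatures match the same session */
        order 1;
    }
}
```

With chain-order set, the members are read in the order shown, so a matching Host header must be seen before the URL check is applied; without it, the members are not ordered. The index stays inside the custom range so that it cannot collide with a predefined signature. Before deploying a host pattern, check it against both the intended hostnames and look-alike names such as notfacebook.com or facebook.com.example, since a pattern that is too loose will classify unrelated traffic as the nested application and every security policy that references the application inherits that mistake.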