Application Identification for Nested Applications
Nested applications are protocols running over the parent application. For example, both Facebook and Yahoo Messenger can run over HTTP, but there is a need to identify them as two different applications. To do this, the application layer is split into two layers: Layer 7 applications and Layer 7 protocols.
The predefined application signatures included with Junos OS have been created to detect the Layer 7 nested applications. Predefined application signatures can be used in attack objects.
To configure nested application properties, include the nested-application statement at the [edit services application-identification] hierarchy level:

    nested-application name {
        index number;
        protocol protocol;
        signature name {
            chain-order;
            maximum-transactions number;
            member name {
                context (http-header-content-type | http-header-host | http-url-parsed | http-url-parsed-param-parsed);
                direction (any | client-to-server | server-to-client);
                pattern dfa-pattern;
            }
            order number;
        }
        type type;
    }
You can include the following application rule properties:
chain-order—Signatures can contain multiple members. If the chain-order feature is on, those members are read in order. The default for this option is no chain order. If a signature contains only one member, this option is ignored.

context—Define a service-specific context. The options are http-header-content-type, http-header-host, http-url-parsed, and http-url-parsed-param-parsed. This statement is mandatory.

direction—The connection direction of the packets to which pattern matching is applied. The options are client-to-server, server-to-client, or any. This statement is mandatory.

index—A number with a one-to-one mapping to the application name, used to ensure that each signature definition is unique. The index range for predefined applications is 1 through 32767. The index range for custom applications and custom nested applications is 32768 through 65534.

maximum-transactions—The maximum number of transactions that should occur before a match is made. This statement is mandatory.

member—Define a member name for a custom nested application signature definition. Custom definitions can contain multiple members that define attributes for an application.

order—Define the application matching priority. For address configurations, the order number resolves the conflict when multiple address entries are matched for a specific session. The lower number has higher priority. This statement is mandatory.

pattern—Define the attack pattern to be detected. This statement is mandatory.

protocol—The protocol that is monitored to identify nested applications. The value http is supported. This statement is mandatory.

signature—Name of the custom nested application signature definition. Must be a unique name with a maximum length of 32 characters. This statement is mandatory.

type—Well-known application name for this application definition, such as Facebook or Kazaa. This application name must be unique with a maximum length of 32 characters. This statement is mandatory.
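As an added illustration, not taken from the Junos OS documentation, the following stanza assembles the statements above into one custom nested-application definition that identifies a web application by its Host header and URL path. The application name, signature and member names, the index value, and the patterns are constructed for the example; only the statement names and contexts come from the hierarchy above.

```junos
services {
    application-identification {
        nested-application example-webmail-over-http {
            /* custom nested applications use the 32768 through 65534 index range */
            index 32768;
            /* http is the supported parent protocol */
            protocol http;
            signature example-webmail-sig {
                /* with chain-order on, members are evaluated in the order listed */
                chain-order;
                /* stop trying to match after five HTTP transactions */
                maximum-transactions 5;
                /* constructed Host header pattern, matched in client requests */
                member m01 {
                    context http-header-host;
                    direction client-to-server;
                    pattern ".*\.webmail-example\.com";
                }
                /* constructed URL path pattern, only reached after m01 matches */
                member m02 {
                    context http-url-parsed;
                    direction client-to-server;
                    pattern "/mail/.*";
                }
                /* lower order wins when several signatures match one session */
                order 1;
            }
            /* well-known application name, at most 32 characters */
            type example-webmail;
        }
    }
}
```

Because both members are restricted to client-to-server traffic, server responses never contribute to the match; widen a member's direction to any only when the context it inspects is also meaningful in server-originated data.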