Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

IDP Signature Language Constructs

IDP Signature language constructs enable IDP to create efficient signatures, reducing false positives. The Signature Language achieves this by defining attack patterns with rule-based syntax, contexts, and match conditions.

The IDP Signature Language Constructs within Junos OS offer advanced capabilities for enhancing network security through the precise definition of security signatures. These constructs enable you to specify detailed traffic patterns, set alert conditions, and incorporate contextual information, thus improving the accuracy and relevance of threat detection. By leveraging these constructs, you gain fine-grained control over security management, enabling tailored responses to specific network environments.

Benefits

  • Enhance threat detection accuracy by allowing precise definition of traffic patterns and alert conditions, reducing false positives and negatives.

  • Improve security management flexibility by enabling the integration of contextual information, aiding in the differentiation between legitimate and malicious activities.

  • Provide tailored security responses by allowing network administrators to specify detailed monitoring criteria suited to their specific network environment.

  • Facilitate efficient threat mitigation through advanced customization options, enabling the creation of sophisticated security signatures.

  • Support proactive security measures by enabling early detection of anomalous traffic patterns, helping to prevent potential security breaches.

Constructs

Following are the signature language constructs supported in IDP:

  • Depth—Specifies the depth in a packet to search for the given pattern. The depth value is not relative. For example, you can specify the depth as 100.
  • Offset—Allows you to specify where to start searching for a pattern within a packet. The offset value is not relative. For example, you can specify a value for offset as 100.
  • Within—Ensures that a maximum of N bytes exist between pattern matches. The pattern match is always relative to a previous match. For example, if the value of N is 10.As per the example, after m01 match, m02 match occurs within 10 bytes to trigger an attack notification.
  • Distance—Specify where the IDP engine searches for the pattern relative to the previous pattern. The distance can be negative. For example, if the value of N is 10, once m01 matches, m02 should occur 10 bytes following the end of m01 match:

  • Ipopts—All the listed ipopts have corresponding anomalies defined in the security package and can be detected when configured on the device or IDP engine:

    • rr - Record Route

    • eol - End of list

    • nop - No Op

    • ts - Time Stamp

    • sec - IP Security

    • esec - IP Extended Security

    • lsrr - Loose Source Routing

    • ssrr - Strict Source Routing

    • satid - Stream identifier

  • Byte extract—The Byte extract keyword helps in writing signatures against length-encoded protocols,reads the packet payload in bytes and saves it as a variable for later use. The byte extract can be both relative and non-relative. There can be any number of byte extracts used per chain attack. For example:

    IDP Signature Language Constructs lists the fields for the Byte extract construct.

    Table 1: Byte Extract Output Fields

    Field

    Field Description

    align

    Specify the byte alignment.

    bitmask

    Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format.

    bytes

    Specify the number of bytes to extract from packet (1..10).

    endianness

    Specify the endianness with which the bytes read by the IDP engine should be processed.

    multiplier

    Specify the value to be multiplied against the bytes read.

    offset

    Specify the offset number of bytes in the payload from where the IDP engine should start processing.

    relative

    Specify whether to use an offset relative to last pattern match or not.

    string

    Specify the data type in which string data should be parsed.

    var-name

    Specify the name of the variable to reference in other rule options.

  • Byte test—The Byte test keyword allows you to test the byte field with an operative value. The byte test can be both relative and non relative. > , < , =, &, ^ ,<=,>= are the supported operators. The maximum number of bytes extracted is 4. For example:

    IDP Signature Language Constructs lists the fields for the Byte test construct.

    Table 2: Byte Test Output

    Field

    Field Description

    bitmask

    Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format.

    bytes

    Specify the number of bytes to extract from packet (1..10).

    endianness

    Specify the endianness with which the bytes read by the IDP engine should be processed.

    negate

    Check if the operator is not true.

    offset

    Mention the offset variable name or offset value.

    operator

    Specify the operation to perform on an extracted value.

    relative

    Specify whether to use an offset relative to last pattern match or not.

    rvalue

    The converted value is tested with rvalue. .

    string

    Specify the data type in which string data should be parsed.

  • Byte jump—The Byte jump keyword is used for signatures written for length encoded protocols to skip over specific portions of payload, and perform detection in very specific locations. The byte jump value can be both relative and non-relative. For example:

    IDP Signature Language Constructs lists the fields for the Byte jump construct.

    Table 3: Byte Jump Output

    Field

    Field Description

    align

    Specify the endianness with which bytes read by the IDP engine should be processed.

    bitmask

    Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format.

    bytes

    Specify the number of bytes to extract from packet (1-10).

    endianness

    Specify the endianness with which bytes read by the IDP engine, should be processed.

    from-beginning

    Enable jump from the beginning of the payload.

    from-end

    Enable jump from the end of the payload.

    multiplier

    Specify the value to be multiplied against the bytes read.

    offset

    Mention the offset variable name or offset value to be used.

    post-offset

    Specify the number of bytes to skip forward or backward (-65535..65535).

    relative

    Specify whether to use an offset relative to last pattern match or not.

    string

    Specify the data type in which string data should be parsed.

  • Byte math—The Byte math keyword allows you to perform a mathematical operation on an extracted value, a specified value, or existing variable. The byte math value stores the outcome in a new resulting variable. The operations such as 1) '+' | '-' | '*' | '/' | '<<' | '>>' are supported. It can be both relative and non-relative. For example:

    IDP Signature Language Constructs lists the fields for the Byte math construct.

    Table 4: Byte Math Output

    Field

    Field Description

    bitmask

    Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format.

    bytes

    Specify the number of bytes to extract from packet (1-10).

    endianness

    Specify the endianness with which bytes read should be processed.

    offset

    Specify the number of bytes in to payload to start processing (0-65535).

    operator

    Specify the operation to perform on extracted value.

    relative

    Specify whether to use an offset relative to last pattern match or not.

    result

    Specify the variable name to which the result should be stored.

    rvalue

    Specify the value to use for the specific mathematical operation.

    string

    Specify the data type in which the string data should be parsed.

  • Is-data-at— The is-data-at keyword allows you to verify that the payload contains the required data at a specified location. For example:

    IDP Signature Language Constructs lists the fields for the Is-data-at construct.

    Table 5: Isdataat Output

    Field

    Field Description

    negate

    Negates the results of the is-data-at test.

    offset

    Mention the offset variable name or offset value.

    relative

    Specify whether to use an offset relative to the last pattern match or not.

  • Detection Filter— The detection filter defines the rate at which the attack should match. A count is maintained for either source or destination as per the option value specified in the signature. Detection filter is outside <SLE_Constructs> and is specified per attack and not per member of attack. If an attack is detected 5 times in an interval of 10 seconds from the same source IP, it will be flagged as an attack. For example: