IDP Signature Language Enhancements

Starting from Junos OS 19.4R1, signature language constructs are supported in the IDP engine code so that you can write more efficient signatures that help reduce false positives.

Understanding Signature Language Constructs

The following constructs are supported in the IDP engine code:

  • Depth—Specifies how deep into a packet to search for the given pattern. Depth is not relative. For example, you can specify a value for depth of 100.
  • Offset—Specifies where in a packet to start searching for a pattern. Offset is not relative. For example, you can specify a value for offset of 100.
  • Within—Ensures that there are at most N bytes between pattern matches. This is always relative to the previous match. For example, if the value of N is 10, then after m01 matches, m02 must match within 10 bytes of that match to trigger an attack match.
  • Distance—Specifies how many bytes the IDP engine should ignore, counted from the end of the previous pattern match, before it starts searching for the specified pattern. This is always relative to the previous match, and the distance value can be negative. For example, if the value of N is 10, then once m01 matches, m02 must occur 10 or more bytes after the end of the m01 match.
  • Ipopts—Each of the listed IP options has a corresponding anomaly defined in the security package, which is detected when configured on the device or IDP engine:

    • rr - Record Route

    • eol - End of list

    • nop - No Op

    • ts - Time Stamp

    • sec - IP Security

    • esec - IP Extended Security

    • lsrr - Loose Source Routing

    • ssrr - Strict Source Routing

    • satid - Stream identifier
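The following added Python model (not Juniper's engine code) makes the relative and non-relative constructs concrete: it runs a chain of pattern members and honours offset and depth from the start of the payload, and distance and within from the end of the previous match. The dictionary keys, the member names m01/m02, the sample payload and the gap-counting rule (at most N bytes between the end of one match and the start of the next) are assumptions.

```python
def match_chain(payload: bytes, members: list) -> bool:
    """Constructed model of a chain attack: every member must match in order.

    Absolute members use offset/depth from the start of the payload; relative
    members use distance/within measured from the end of the previous match.
    """
    last_end = 0                                   # end of the previous member's match
    for m in members:
        pat = m["pattern"]
        if "distance" in m or "within" in m:       # relative to the previous match
            lo = last_end + m.get("distance", 0)   # distance may be negative
            # within N: at most N bytes between the previous match and this one,
            # so the whole pattern must end by last_end + N + len(pat)
            hi = None if "within" not in m else last_end + m["within"] + len(pat)
        else:                                      # non-relative: offset and depth
            lo = m.get("offset", 0)
            hi = None if "depth" not in m else lo + m["depth"]
        pos = payload.find(pat, max(lo, 0), hi)
        if pos == -1:
            return False                           # no match inside the allowed window
        last_end = pos + len(pat)
    return True


# Constructed sample: m01 at offset 2, then m02 after a gap of five bytes.
SAMPLE = b"xxm01" + b"a" * 5 + b"m02"
WITHIN_10 = [{"pattern": b"m01", "offset": 0, "depth": 10},
             {"pattern": b"m02", "within": 10}]
DISTANCE_10 = [{"pattern": b"m01", "offset": 0, "depth": 10},
               {"pattern": b"m02", "distance": 10}]
```

With the page's example value of N = 10, SAMPLE satisfies the within chain (gap of 5) but not the distance chain (m02 starts fewer than 10 bytes after m01 ends).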

Starting from Junos OS 20.2R1, the following signature language constructs are supported in the IDP engine code so that you can write more efficient signatures that help reduce false positives.

  • Byte extract—The byte extract keyword helps in writing signatures for length-encoded protocols. It reads bytes from the packet payload and saves the value as a variable for later use. It can be either relative or non-relative, and any number of byte extracts can be used per chain attack. For example:

    Table 1 lists the fields for the Byte extract construct.

    Table 1: Byte Extract Output Fields

    Field         Field Description
    align         Specify the byte alignment.
    bitmask       Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.
    bytes         Specify the number of bytes to extract from the packet (1..10).
    endianness    Specify the endianness with which the bytes read are processed.
    multiplier    Specify the value by which the bytes read are multiplied.
    offset        Specify the number of bytes into the payload at which to start processing.
    relative      Specify whether the offset is relative to the last pattern match.
    string        Specify the data type in which string data should be parsed.
    var-name      Specify the name of the variable to reference in other rule options.

  • Byte test—The byte test keyword allows you to test a byte field against an operand value. It can be either relative or non-relative. The supported operators are >, <, =, &, ^, <= and >=, and at most 4 bytes are extracted. For example:

    Table 2 lists the fields for the Byte test construct.

    Table 2: Byte Test Output Fields

    Field         Field Description
    bitmask       Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.
    bytes         Specify the number of bytes to extract from the packet (1..10).
    endianness    Specify the endianness with which the bytes read are processed.
    negate        Check that the operator does not hold.
    offset        Specify the offset variable name or offset value to use.
    operator      Specify the operation to perform on the extracted value.
    relative      Specify whether the offset is relative to the last pattern match.
    rvalue        Specify the rvalue against which the converted value is tested.
    string        Specify the data type in which string data should be parsed.

  • Byte jump—The byte jump keyword is used in signatures for length-encoded protocols to skip over specific portions of the payload and perform detection at very specific locations. It can be either relative or non-relative. For example:

    Table 3 lists the fields for the Byte jump construct.

    Table 3: Byte Jump Output Fields

    Field           Field Description
    align           Specify the byte alignment.
    bitmask         Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.
    bytes           Specify the number of bytes to extract from the packet (1..10).
    endianness      Specify the endianness with which the bytes read are processed.
    from-beginning  Jump from the beginning of the payload.
    from-end        Jump from the end of the payload.
    multiplier      Specify the value by which the bytes read are multiplied.
    offset          Specify the offset variable name or offset value to use.
    post-offset     Specify the number of bytes to skip forward or backward (-65535..65535).
    relative        Specify whether the offset is relative to the last pattern match.
    string          Specify the data type in which string data should be parsed.

  • Byte math—The byte math keyword allows you to perform a mathematical operation on an extracted value, a specified value, or an existing variable, and stores the outcome in a new result variable. The supported operations are +, -, *, /, << and >>. It can be either relative or non-relative. For example:

    Table 4 lists the fields for the Byte math construct.

    Table 4: Byte Math Output Fields

    Field         Field Description
    bitmask       Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.
    bytes         Specify the number of bytes to extract from the packet (1..10).
    endianness    Specify the endianness with which the bytes read are processed.
    offset        Specify the number of bytes into the payload at which to start processing (0..65535).
    operator      Specify the operation to perform on the extracted value.
    relative      Specify whether the offset is relative to the last pattern match.
    result        Specify the name of the variable in which the result is stored.
    rvalue        Specify the value to use as the other operand of the mathematical operation.
    string        Specify the data type in which string data should be parsed.

  • Is-data-at—The is-data-at keyword allows you to verify that the payload has data at a specified location. For example:

    Table 5 lists the fields for the Is-data-at construct.

    Table 5: Isdataat Output Fields

    Field         Field Description
    negate        Negate the result of the is-data-at test.
    offset        Specify the offset variable name or offset value to use.
    relative      Specify whether the offset is relative to the last pattern match.

  • Detection Filter—The detection filter defines the rate at which the attack must match before it is reported. A count is maintained per source or per destination, according to the option value specified in the signature. The detection filter is outside <SLE_Constructs> because it is specified per attack and not per member of the attack. For example, if an attack is detected 5 times in an interval of 10 seconds from the same source IP, it is flagged as an attack. For example:
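To show how the byte extract, byte test, byte jump, byte math and is-data-at constructs cooperate on a length-encoded protocol, here is an added Python model; it is not Juniper's engine code, and the Matcher class, its method signatures, the rule that the bytes read by a construct become the "last match" for relative offsets, and the constructed TLV-style record format in record_signature are all assumptions.

```python
import operator

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, "<=": operator.le,
       ">=": operator.ge, "&": lambda a, b: a & b != 0, "^": lambda a, b: a ^ b != 0}
MATH = {"+": operator.add, "-": operator.sub, "*": operator.mul,
        "/": operator.floordiv, "<<": operator.lshift, ">>": operator.rshift}

class Matcher:
    """One payload plus a cursor at the end of the last match (used by 'relative')."""
    def __init__(self, payload: bytes):
        self.p, self.cursor, self.vars = payload, 0, {}
    def _read(self, nbytes, offset, relative, endianness="big", bitmask=None, multiplier=1):
        start = (self.cursor if relative else 0) + offset
        chunk = self.p[start:start + nbytes]
        if start < 0 or len(chunk) < nbytes:
            return None                          # short payload: the construct fails
        value = int.from_bytes(chunk, endianness)
        if bitmask is not None:
            value &= bitmask                     # AND with the bitmask, then scale
        self.cursor = start + nbytes             # bytes read count as the last match
        return value * multiplier
    def byte_extract(self, nbytes, offset, var_name, relative=False, **kw):
        v = self._read(nbytes, offset, relative, **kw)
        if v is not None:
            self.vars[var_name] = v              # saved for later constructs
        return v is not None
    def byte_test(self, nbytes, op, rvalue, offset, relative=False, negate=False, **kw):
        v = self._read(nbytes, offset, relative, **kw)
        rv = self.vars.get(rvalue, rvalue)       # rvalue is a literal or a variable name
        return v is not None and OPS[op](v, rv) != negate
    def byte_jump(self, nbytes, offset, relative=False, post_offset=0, **kw):
        v = self._read(nbytes, offset, relative, **kw)
        if v is None:
            return False
        self.cursor += v + post_offset           # skip the length-encoded field
        return 0 <= self.cursor <= len(self.p)
    def byte_math(self, nbytes, offset, op, rvalue, result, relative=False, **kw):
        v = self._read(nbytes, offset, relative, **kw)
        if v is not None:
            self.vars[result] = MATH[op](v, self.vars.get(rvalue, rvalue))
        return v is not None
    def is_data_at(self, offset, relative=False, negate=False):
        pos = (self.cursor if relative else 0) + offset
        return (0 <= pos < len(self.p)) != negate

def record_signature(payload: bytes) -> bool:
    """Constructed TLV check: type(1) length(2, big-endian) body trailer(1); trailer == type."""
    m = Matcher(payload)
    return (m.byte_extract(1, 0, "kind") and m.byte_jump(2, 0, relative=True)
            and m.is_data_at(0, relative=True) and m.byte_test(1, "=", "kind", 0, relative=True))
```

A record whose declared length runs past the end of the payload fails at byte_jump, and one with no trailer byte fails at is_data_at, so the signature never compares bytes that are not there.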