IDP Signature Language Enhancements

Starting from Junos OS 19.4R1, the IDP engine supports signature language constructs. These constructs allow IDP to generate more efficient signatures that help reduce false positives.

Understanding Signature Language Constructs

The following constructs are supported in the IDP engine code:

  • Depth—Specifies how deep into the packet to search for the given pattern. The depth value is not relative. For example, you can specify a depth of 100.
  • Offset—Specifies where in the packet to start searching for a pattern. The offset value is not relative. For example, you can specify an offset of 100.
  • Within—Ensures that there are at most N bytes between pattern matches. The pattern match is always relative to the previous match. For example, if the value of N is 10, then after m01 matches, m02 must match within 10 bytes to trigger an attack notification.
  • Distance—Specifies where the IDP engine should search for the pattern relative to the previous pattern match. The distance is always relative to the previous match, and the value can be negative. For example, if the value of N is 10, then once m01 matches, m02 must occur 10 bytes after the end of the m01 match.
  • Ipopts—All of the listed IP options have corresponding anomalies defined in the security package and can be detected when configured on the device or IDP engine:

    • rr - Record Route

    • eol - End of list

    • nop - No Op

    • ts - Time Stamp

    • sec - IP Security

    • esec - IP Extended Security

    • lsrr - Loose Source Routing

    • ssrr - Strict Source Routing

    • satid - Stream identifier
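As an added example (not code from the original page or from Juniper), the following Python models how depth, offset, within and distance constrain a two-member chain such as the m01/m02 case above. The semantics are a modelling assumption: relative values are measured from the end of the previous member's match, and within bounds how far after that end the next pattern may begin.

```python
# Toy matcher for the depth, offset, within and distance constructs
# (modelling assumption: not Juniper's engine; relative values are measured
# from the end of the previous member's match, and within bounds how far
# after that end the next pattern may begin).
from typing import Dict, List, Optional, Tuple

def find_member(payload: bytes, pattern: bytes, offset: int = 0,
                depth: Optional[int] = None, distance: int = 0,
                within: Optional[int] = None,
                prev_end: Optional[int] = None) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the first match inside the allowed window, else None."""
    if prev_end is None:                       # first member: non-relative offset/depth
        start = max(offset, 0)
        stop = len(payload) if depth is None else min(len(payload), start + depth)
    else:                                      # later member: relative distance/within
        start = max(prev_end + distance, 0)    # distance may be negative
        stop = len(payload)
        if within is not None:                 # pattern must begin within N bytes of prev_end
            stop = min(stop, prev_end + within + len(pattern))
    pos = payload.find(pattern, start, stop)   # the whole pattern must fit in [start, stop)
    return None if pos < 0 else (pos, pos + len(pattern))

def match_chain(payload: bytes, members: List[Dict]) -> bool:
    """Evaluate an ordered chain attack: every member must match in turn."""
    prev_end = None
    for m in members:
        hit = find_member(payload, m["pattern"], m.get("offset", 0), m.get("depth"),
                          m.get("distance", 0), m.get("within"), prev_end)
        if hit is None:
            return False
        prev_end = hit[1]
    return True

# Chains mirroring the page's m01/m02 examples (constructed, not real signatures).
WITHIN_CHAIN = [{"pattern": b"m01", "offset": 0, "depth": 100},
                {"pattern": b"m02", "within": 10}]
DISTANCE_CHAIN = [{"pattern": b"m01", "offset": 0, "depth": 100},
                  {"pattern": b"m02", "distance": 10}]

# Constructed payloads: m02 five bytes after m01, and m02 twenty bytes after m01.
CLOSE = b"xxm01" + b"." * 5 + b"m02tail"
FAR = b"xxm01" + b"." * 20 + b"m02tail"
```

Note how the same payload pair gives opposite results for the two chains: a small gap satisfies within but not distance, and a large gap satisfies distance but not within.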

Starting from Junos OS 20.2R1, the IDP engine also supports the following signature language constructs, which allow IDP to generate more efficient signatures that help reduce false positives.

  • Byte extract—The byte extract keyword helps in writing signatures against length-encoded protocols. It reads the packet payload in bytes and saves the value as a variable for later use. Byte extract can be relative or non-relative, and any number of byte extracts can be used per chain attack. For example:

    Table 1 lists the fields for the Byte extract construct.

    Table 1: Byte Extract Output Fields

    • align - Specify the byte alignment.

    • bitmask - Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.

    • bytes - Specify the number of bytes to extract from the packet (1..10).

    • endianness - Specify the endianness with which the bytes read by the IDP engine should be processed.

    • multiplier - Specify the value by which the bytes read are multiplied.

    • offset - Specify the offset, in bytes into the payload, from which the IDP engine should start processing.

    • relative - Specify whether the offset is relative to the last pattern match.

    • string - Specify the data type in which string data should be parsed.

    • var-name - Specify the name of the variable to reference in other rule options.

  • Byte test—The byte test keyword allows you to test a byte field against an operative value. Byte test can be relative or non-relative. The supported operators are >, <, =, &, ^, <= and >=, and at most 4 bytes can be extracted. For example:

    Table 2 lists the fields for the Byte test construct.

    Table 2: Byte Test Output Fields

    • bitmask - Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.

    • bytes - Specify the number of bytes to extract from the packet (1..10).

    • endianness - Specify the endianness with which the bytes read by the IDP engine should be processed.

    • negate - Invert the test, so that it matches when the operator comparison is not true.

    • offset - Specify the offset variable name or offset value.

    • operator - Specify the operation to perform on the extracted value.

    • relative - Specify whether the offset is relative to the last pattern match.

    • rvalue - The converted value is tested against rvalue.

    • string - Specify the data type in which string data should be parsed.

  • Byte jump—The byte jump keyword is used in signatures written for length-encoded protocols to skip over specific portions of the payload and perform detection at very specific locations. The byte jump value can be relative or non-relative. For example:

    Table 3 lists the fields for the Byte jump construct.

    Table 3: Byte Jump Output Fields

    • align - Specify the endianness with which bytes read by the IDP engine should be processed.

    • bitmask - Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.

    • bytes - Specify the number of bytes to extract from the packet (1..10).

    • endianness - Specify the endianness with which bytes read by the IDP engine should be processed.

    • from-beginning - Enable the jump from the beginning of the payload.

    • from-end - Enable the jump from the end of the payload.

    • multiplier - Specify the value by which the bytes read are multiplied.

    • offset - Specify the offset variable name or offset value to be used.

    • post-offset - Specify the number of bytes to skip forward or backward after the jump (-65535..65535).

    • relative - Specify whether the offset is relative to the last pattern match.

    • string - Specify the data type in which string data should be parsed.

  • Byte math—The byte math keyword allows you to perform a mathematical operation on an extracted value, a specified value, or an existing variable, and stores the outcome in a new result variable. The supported operations are +, -, *, /, << and >>. Byte math can be relative or non-relative. For example:

    Table 4 lists the fields for the Byte math construct.

    Table 4: Byte Math Output Fields

    • bitmask - Specify the bitmask (1-4 bytes) for the AND operation, in hexadecimal format.

    • bytes - Specify the number of bytes to extract from the packet (1..10).

    • endianness - Specify the endianness with which the bytes read should be processed.

    • offset - Specify the number of bytes into the payload at which to start processing (0..65535).

    • operator - Specify the operation to perform on the extracted value.

    • relative - Specify whether the offset is relative to the last pattern match.

    • result - Specify the variable name in which the result should be stored.

    • rvalue - Specify the value to use for the mathematical operation.

    • string - Specify the data type in which string data should be parsed.

  • Is-data-at—The is-data-at keyword allows you to verify that the payload contains data at a specified location. For example:

    Table 5 lists the fields for the Is-data-at construct.

    Table 5: Is-data-at Output Fields

    • negate - Negate the result of the is-data-at test.

    • offset - Specify the offset variable name or offset value.

    • relative - Specify whether the offset is relative to the last pattern match.

  • Detection filter—The detection filter defines the rate at which the attack must match before it is reported. A count is maintained per source or per destination, according to the option value specified in the signature. The detection filter sits outside <SLE_Constructs> and is specified per attack, not per member of the attack. For example, if an attack is detected 5 times within an interval of 10 seconds from the same source IP, it is flagged as an attack. For example:
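The byte extract, byte test, byte jump and is-data-at constructs above all read or check bytes relative to a cursor left by the last pattern match. As an added example (not Juniper's engine or its signature syntax; the Matcher class, its method names and the length-encoded message format are modelling assumptions, and byte math is not modelled), the following Python chains the four constructs to validate a constructed length-prefixed message.

```python
# Toy model of the byte-extract, byte-test, byte-jump and is-data-at constructs
# (modelling assumption: this is not Juniper's engine or its signature syntax).
import operator
from typing import Dict

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq, "<=": operator.le,
       ">=": operator.ge, "&": lambda a, b: a & b != 0, "^": lambda a, b: a ^ b != 0}

class Matcher:
    def __init__(self, payload: bytes, last_match_end: int = 0):
        self.payload, self.pos = payload, last_match_end   # pos = end of the last match
        self.vars: Dict[str, int] = {}                     # variables set by byte extract
    def _resolve(self, value, relative: bool = False) -> int:
        # An offset or rvalue is either a literal or the name of an extracted variable.
        v = self.vars[value] if isinstance(value, str) else value
        return (self.pos if relative else 0) + v
    def _read(self, nbytes, offset, relative, endianness="big", bitmask=None, multiplier=1):
        start = self._resolve(offset, relative)
        raw = self.payload[start:start + nbytes]
        if len(raw) != nbytes:                 # truncated packet: the read fails
            raise ValueError("read past end of payload")
        value = int.from_bytes(raw, endianness)
        if bitmask is not None:
            value &= bitmask
        return value * multiplier, start + nbytes
    def byte_extract(self, nbytes, offset, var_name, relative=False, **kw) -> int:
        self.vars[var_name], self.pos = self._read(nbytes, offset, relative, **kw)
        return self.vars[var_name]
    def byte_test(self, nbytes, op, rvalue, offset, relative=False, negate=False, **kw) -> bool:
        value, _ = self._read(nbytes, offset, relative, **kw)   # the cursor is not moved
        return OPS[op](value, self._resolve(rvalue)) != negate
    def byte_jump(self, nbytes, offset, relative=False, post_offset=0, from_beginning=False, **kw) -> int:
        value, end = self._read(nbytes, offset, relative, **kw)
        self.pos = (0 if from_beginning else end) + value + post_offset
        return self.pos
    def is_data_at(self, offset, relative=True, negate=False) -> bool:
        return (0 <= self._resolve(offset, relative) < len(self.payload)) != negate

def check_message(msg: bytes) -> bool:
    """Constructed format: 2-byte big-endian name length, the name, then one flag byte."""
    m = Matcher(msg)
    try:
        m.byte_extract(2, 0, "name_len")                 # cursor is now at byte 2
        if not m.byte_test(2, ">", 16, 0, negate=True):  # reject oversized length fields
            return False
        m.byte_jump(2, 0)                                # skip over the variable-length name
        return m.is_data_at(0)                           # the flag byte must be present
    except ValueError:
        return False
```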
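The detection filter's per-source count over a time interval is, in effect, a sliding-window rate threshold. As an added example (not Juniper's implementation; the class, its parameters and the event tuples are constructed for illustration), the following Python fires only when a source reaches 5 matches within 10 seconds, the case described above.

```python
# Toy detection filter: report an attack only once a tracked address has matched
# `count` times within `seconds` (modelling assumption: a per-address sliding
# window over match timestamps; not Juniper's implementation).
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class DetectionFilter:
    def __init__(self, count: int = 5, seconds: float = 10.0, track: str = "source"):
        self.count, self.seconds, self.track = count, seconds, track
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, ts: float, src: str, dst: str) -> bool:
        """Record one signature match; return True when the rate threshold is reached."""
        key = src if self.track == "source" else dst
        window = self.hits[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:   # drop matches older than the interval
            window.popleft()
        return len(window) >= self.count

def flagged(events: List[Tuple[float, str, str]], track: str = "source") -> List[Tuple[float, str]]:
    """Feed constructed (timestamp, source, destination) matches through the filter and
    return the (timestamp, tracked address) pairs at which an attack notification fires."""
    f = DetectionFilter(count=5, seconds=10, track=track)
    return [(ts, s if track == "source" else d) for ts, s, d in events if f.observe(ts, s, d)]

# Constructed events: 10.0.0.1 matches 5 times in 8 s; 10.0.0.2 matches 5 times over 40 s.
EVENTS = [(t, "10.0.0.1", "10.0.0.9") for t in (0, 2, 4, 6, 8)] + \
         [(t, "10.0.0.2", "10.0.0.9") for t in (1, 11, 21, 31, 41)]
```

Tracking by destination instead aggregates both sources against 10.0.0.9, which is why the per-source or per-destination choice in the signature changes what gets reported.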