Juniper Secure Analytics Application Configuration Guide Provides You with Information About How to Configure Application Mappings

Juniper Secure Analytics

JSA Application Configuration Guide

Release 2014.5

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The following terms are trademarks or registered trademarks of other companies:

JavaTM and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

FCC Statement The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICTAIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

JSA Application Configuration Guide Release 2014.5

Revision History

February 2016—JSA Application Configuration Guide

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software:

As regards software accompanying the STRM products (the “Program”), such software contains software licensed by Q1Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.

2 CONTENTS

ABOUT THIS GUIDE Audience ...... 5 Documentation Conventions ...... 5 Technical Documentation...... 5 Requesting Technical Support ...... 6

1 APPLICATION MAPPING About JSA Applications ...... 9 Overview of Application Mapping Tasks ...... 9 Defining New Applications ...... 10 Defining Application Mappings...... 11 Defining Application Signatures ...... 13

2 DEFAULT APPLICATIONS

3 ICMP TYPE AND CODE IDS Identifying Default ICMP Types ...... 53 Identifying Default ICMP Codes...... 54

4 PORT IDS

5 PROTOCOL IDS

INDEX

ABOUT THIS GUIDE

The Juniper Secure Analytics Application Configuration Guide provides you with information about how to configure application mappings. Define custom applications to enable JSA to classify applications that are used in a flow. Application mapping is useful when you investigate various types of security threats on the Offenses, Log Activity, or Network Activity tabs in the user interface.

Unless otherwise noted, all references to Juniper Secure Analytics (JSA) refer to JSA.

Audience The guide is intended for the system administrator who configure application mappings in your JSA deployment. You must have JSA administrative access and a knowledge of your corporate network and networking technologies.

Documentation Table 1 lists conventions that are used throughout this guide. Conventions Table 1 Icons

Icon Type Description Information note Information that describes important features or instructions.

Caution Information that alerts you to potential loss of data or potential damage to an application, system, device, or network. Warning Information that alerts you to potential personal injury.

Technical You can access technical documentation, technical notes, and release notes Documentation directly from the Juniper Customer Support website at https://www.juniper.net/support/. Once you access the Juniper Customer Support

JSA Application Configuration Guide 6 ABOUT THIS GUIDE

website, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: [email protected].

Include the following information with your comments: • Document title • Page number

Requesting Technical product support is available through the Juniper Networks Technical Technical Support Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. • JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf . • Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/ . • JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: • Find CSC offerings: http://www.juniper.net/customers/support/ • Find product documentation: http://www.juniper.net/techpubs/ • Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ • Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ • Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/ • Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ • Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/ To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

JSA Application Configuration Guide Requesting Technical Support 7

Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. • Use the Case Management tool in the CSC at http://www.juniper.net/cm/ . • Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.

JSA Application Configuration Guide 8 ABOUT THIS GUIDE

JSA Application Configuration Guide 1 APPLICATION MAPPING

Juniper Secure Analytics (JSA) includes default application IDs. You can edit the application mapping file to ensure that traffic is appropriately classified in the JSA user interface. The mappings in the mapping file override the default application IDs.

About JSA When JSA detects a flow, it assigns an application ID to the flow. The application Applications ID is assigned based on the protocol and ports that are used for the flow, and the flow content.

For more information about default application IDs, see Default Applications.

JSA default application IDs are allocated are based on the Service Name and Transport Protocol Port Number Registry (http://www.iana.org/assignments/service-names-port-numbers/service-names-por t-numbers.txt).

Overview of When you create a new or customized application mapping, perform the following Application tasks in sequence: Mapping Tasks

1 Define applications - The application configuration file contains default applications. To define new applications, you must add new applications IDs to the application configuration file. For more information, see Defining New Applications. 2 Map traffic to the new applications - You can map traffic to the applications by using either of the following methods: • Define application mappings - Update the application mapping file, which maps applications to application IDs based on IP address and port number. For more information, see Defining Application Mappings. • Define application signatures - Define application signatures to apply to flows that the default application mapping does not automatically detect. This method requires you to create rules that are based on IP address, port, and content to assign application IDs to flows. For more information, see Defining Application

JSA Application Configuration Guide 10 APPLICATION MAPPING

Signatures. To define port-only application signatures, configure port mappings in the application mapping file, not the application signatures file.

Defining New To define new applications, edit the application configuration file. Applications About this task When you define new applications, note the following considerations: • When you add new application ID numbers, create a new and unique application ID number. The application ID number must not exist in the apps.conf file. Apply numbers that range 15,000 - 20,000 for custom applications. • The format of the entry uses the following syntax: Where: - is the name of the application. The application name is used in the Network Activity and Offenses tabs. You can specify an application name with up to five application levels; however, JSA uses only three levels of the application name. Use a number sign (#) to separate each level of the application name. - is the unique ID for each application that you want to define. The following example defines the Authentication.Radius-1646 application with an application ID of 51343: Authentication#Radius-1646####51343 - Five application levels are represented in the application ID. Application levels are separated by number sign (#). If an application ID contains fewer than five levels, include the number signs for all five levels. • Insert the new application ID in alphabetical order in the apps.conf file. For example: To add Authentication#Radius-1646####51343 as an application ID, insert the application ID as follows: Authentication#Radius-1645####51342 Authentication#Radius-1646####51343 <- inserted application Authentication#Radius-1812####51344 Authentication#Radius-1813####51345

Procedure Step 1 Using SSH, log in to JSA as the root user. Step 2 Open the following file: /store/configservices/staging/globalconfig/apps.conf Step 3 Insert new applications, as necessary. Step 4 Save and exit the file.

JSA Application Configuration Guide Defining Application Mappings 11

Step 5 Log in to the JSA user interface. Step 6 Click the Admin tab. Step 7 On the toolbar, click Deploy Changes.

What to do next Choose one of the following options: • To define application mappings, see Defining Application Mappings. • To define application signatures, see Defining Application Signatures.

Defining Use the application mapping file to create user-defined application mappings that Application are based on the IP address and port number. Mappings Before you begin You must add the new application IDs. See Defining New Applications.

About this task When you update the application mapping file, note the following requirements: • Each line in the file indicates a mapped application. You can specify multiple mappings (each on a separate line) for the same application. • You can specify a wildcard character * for any field. Use the wildcard character alone, and not as part of a comma-separated list. The wildcard character indicates that the field applies to all flows. • A flow can be associated with multiple mappings; therefore, a flow is mapped to an application ID based on the mapping order in the file. The first mapping that applies in the file is assigned to the flow. • When you add new application ID numbers, you must create a new and unique application ID number. The application ID number must not exist in the apps.conf file. Apply numbers that range 15,000 - 20,000 for custom applications. • The format of the entry must resemble the following syntax: : : Where: - specifies the application ID you want to assign to the flow. A value of 1 indicates an unknown application. If the ID you want to assign does not exist, you must create the ID in the apps.conf file. For more information, see Defining New Applications. - specifies the default application ID of the flow, as assigned by JSA. A value of * indicates a wildcard character. If multiple application IDs are assigned, the application IDs are separated by commas.

JSA Application Configuration Guide 12 APPLICATION MAPPING

To determine the default application IDs, go to the Network Activity tab in the JSA user interface. Move your mouse pointer over the application field for a flow that is associated with the application you want to update. The application ID is displayed. For more information about default values, see Default Applications. - specifies the source IP address of the flow. This field can contain either a comma-separated list of addresses or Classless Inter-Domain Routing (CIDR) values. A value of * indicates a wildcard character, which means that this field applies to all flows. - specifies the associated port. This field can contain a comma-separated list of values or ranges that are specified in the format: -. A value of * indicates a wildcard character, which means that this field applies to all flows. - specifies the destination IP address of the flow. This field can contain either a comma-separated list of addresses or CIDR values. A value of * indicates a wildcard character, which means that this field applies to all flows. - specifies the associated destination port. This field can contain a comma-separated list of values or ranges that are specified in the format: -. A value of * indicates a wildcard character, which means that this field applies to all flows. - specifies a name that you want to assign to this mapping. This field is optional. The following example maps all flows that match the IP addresses and ports for which the QFlow Collector assigned to the old ID of 1010 and assign the new ID of 15000: 15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443

Example 1 of mapping file 15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA 15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA 15100 * *:33333 64.35.20/24,64.33/16,64.77.34.12:33333,33350-33400 GameX 15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX

Example 2 of mapping file 21200 1,34803,34809 *:* *:123 ntp 34731 1,34803,34809 *:* *:1241 Nessus 2001 1,34803,34809 *:* *:1214 Kazaa

Procedure Step 1 Using SSH, log in to JSA as the root user. Step 2 Choose one of the following options:

JSA Application Configuration Guide Defining Application Signatures 13

• Open the following file: /store/configservices/staging/globalconfig/user_application_m apping.conf • If the user_application_mapping.conf does not exist in your system, create the file and place the empty file in the following directory: /store/configservices/staging/globalconfig/ Step 3 Update the file, as necessary. Step 4 Save and exit the file. Step 5 If necessary, edit your application configuration file. Step 6 Log in to the JSA user interface. Step 7 Click the Admin tab. Step 8 Click Deploy Changes.

Defining Use the application signatures file to create IP address and content-based rules to Application assign application IDs to flows that JSA does not automatically detect. Signatures About this task The application signatures file is a definition file that is distributed to all QFlow Collectors by the primary console. The file includes source and destination ports, and ranges.

Characteristics of the application signatures file include: • Hex content is delimited with the pipe character “|”. For example: |45 54| or, GET • A flow can be associated with multiple signatures; therefore, a flow is mapped to an application ID based on the signature order in the file. The first signature that applies in the file is assigned to the flow. • When you edit the signatures.xml file, the data that is inserted between the XML tags is case-sensitive. For example, when you specify TCP within the XML tags, enter the value using all capital letters. • Include the user_defined parameter in your new or updated signature. This parameter ensures that all modifications are maintained after an automatic update.

For a list of default application identification numbers, see Default Applications.

JSA Application Configuration Guide 14 APPLICATION MAPPING

When you edit the Applications Signature file, use the following parameters:

Table 1-1 Application Signatures Default Parameters Parameter Description appid Type a unique ID for each application that you want to define. Apply numbers that range 15,000 - 20,000 for custom applications. appname Type the name of the application. The application name is used in the Network Activity and Offenses tabs. groupname Type the group name for the application. Note: This parameter is only used with the automatic generation script. description Type the long description of the application and any required notes for the particular signature. revision Type a revision for version control. protocol Type the protocol. If the same signature is required for more than one protocol, define the second signature. srcip Type the specific source IP address for the signature to execute. Use multiple application identifications if more than one source IP address is required. srcport Type the specific source port for the signature to execute. Use multiple application identifications if more than one source port is required. dstip Type the specific destination IP address for the signature to execute. Use multiple application identifications if more destination IP addresses are required. dstport Type the specific destination port for the signature to execute. Use multiple application identifications if more than one destination port is required. commondstport Type the destination port most commonly associated with the application. commonsrcport Type the source port most commonly associated with the application. scrcontent Type the following options: is the offset in the payload that you want to begin searching for the source content. If no value is specified, the default is 0. is the offset in the payload you want to stop the search. For example, if you configure the following: scrcontent 5 10 The payload would be searched between 5 and 15 bytes.

JSA Application Configuration Guide Defining Application Signatures 15

Table 1-1 Application Signatures Default Parameters (continued)

Parameter Description dstcontent Type the following options: is the offset in the payload that you want to begin searching for the destination content. If no value is specified, the default is 0. is the offset in the payload you want to stop the search. For example, if you configure the following: scrcontent 5 10 The payload would be searched between 5 and 15 bytes. weight Type the weight you want to assign this application. user_defined Specify to ensure that a new or updated signature is maintained after an automatic update. Note: For more information regarding automatic updates, see the Juniper Secure Analytics Administration Guide.

Example of a Signatures.xml file 1009 IMAP Mail #ff0000 IMAP traffic 1 TCP any any any any 143 LOGIN * OK 30

JSA Application Configuration Guide 16 APPLICATION MAPPING

Procedure Step 1 Using SSH, log in to JSA as the root user. Username: root Password: Step 2 To change to the globalconfig directory, type the following command: cd /store/configservices/staging/globalconfig Step 3 Open the following file: signatures.xml Step 4 Make the necessary changes. See Table 1-1. Step 5 Save and exit the file. Step 6 If necessary, edit your applications configuration file. See Defining New Applications. Step 7 Log in to JSA. Step 8 Click the Admin tab. Step 9 Click Deploy Changes.

JSA Application Configuration Guide Defining Application Signatures 17

JSA Application Configuration Guide

2 DEFAULT APPLICATIONS

Juniper Secure Analytics (JSA) includes default application IDs, which you can view in the applications configuration file. The default application values apply to all source and destination flows; however, the destination port is specific to the application.

Table 2-1 provides the default Application values for JSA: Table 2-1 Default Applications Application group Sub-components Value Description Authentication LDAP 1019 LDAP traffic Authentication MSGAuthentication 20998 MSG authentication traffic Authentication NTLMSSP 5700 NT LAN Manager Support Provider (NTLMSSP) traffic Authentication Radius 51342 Radius traffic Authentication Radius 51344 Radius traffic Authentication Radius 51345 Radius traffic Authentication tacacs 21028 Tacacs traffic Authentication TACACS-DatabaseService 21061 Tacacs Database Service traffic Chat CUSeeMe 60016 CUSeeMe traffic Chat iChat 3008 iChat traffic Chat ICQ 268435456 ICQ traffic Chat ICQ 3001 ICQ traffic Chat ICQ 3002 ICQ traffic Chat ICQControl 285212672 ICQ traffic Chat ICQTalk 301989888 ICQ traffic Chat IRC 5669 IRC traffic Chat IRC 5782 IRC traffic Chat IRC 5668 IRC traffic Chat IRC 3003 IRC traffic Chat Jabber 3004 Jabber protocol traffic Chat Jabber 3006 Jabber protocol traffic

JSA Application Configuration Guide 20 DEFAULT APPLICATIONS