Junos security configuration module
Version: 2019-01-01
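// Junos `security` configuration subtree. The same grouping is augmented
// into both /configuration and /configuration/groups (see the two augment
// statements below), so everything here can also be set inside a config group.
//
// Recurring idiom: many numeric leaves are `union { string { pattern
// "<.*>|$.*" } uintNN { range ... } }`. Only the numeric branch carries the
// range check; the string branch presumably admits Junos group wildcards
// ("<...>") and "$" variables, which are resolved at commit time.
module junos-conf-security {
  yang-version 1;
  namespace "http://yang.juniper.net/junos/conf/security";
  prefix jc-security;

  import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; }
  import junos-common-types { prefix jt; revision-date "2019-01-01"; }
  import junos-conf-root { prefix jc; revision-date "2019-01-01"; }

  organization "Juniper Networks, Inc.";
  contact "yang-support@juniper.net";
  description "Junos security configuration module";

  revision "2019-01-01" { description "Junos: 21.3R1.9"; }

  augment /jc:configuration { uses security-group; }
  augment /jc:configuration/jc:groups { uses security-group; }

  grouping security-group {
    container security {
      description "Security configuration";
      uses apply-advanced;

      // Audit/alarm knobs. `potential-violation` thresholds decide when the
      // system raises a security alarm; they do not block anything by themselves.
      container alarms {
        description "Configure security alarms";
        uses apply-advanced;
        container audible {
          presence "enable audible";
          description "Beep when new security alarms arrive";
          uses apply-advanced;
          leaf continuous { type empty; description "Keep beeping until all security alarms have been cleared"; }
        } // container audible
        container potential-violation {
          description "Configure potential security violations";
          uses apply-advanced;
          // Alarm after N consecutive authentication failures; the schema bounds N to 2..10.
          leaf authentication {
            type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 10"; } }
            description "Raise alarm for specified number of authentication failures";
          }
          leaf cryptographic-self-test { type empty; description "Raise alarm for cryptographic self test failures"; }
          leaf key-generation-self-test { type empty; description "Raise alarm for key generation self test failures"; }
          leaf non-cryptographic-self-test { type empty; description "Raise alarm for non-cryptographic self test failures"; }
          container policy { description "Raise alarm for flow policy violations"; } // container policy
          container replay-attacks {
            presence "enable replay-attacks";
            description "No. of Replay attacks before which an alarm needs to be raised";
            uses apply-advanced;
            leaf threshold {
              type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 1000000000"; } }
              default "1000";
              description "Replay threshold value";
            }
          } // container replay-attacks
          leaf security-log-percent-full {
            type union { type string { pattern "<.*>|$.*"; } type uint8 { range "0 .. 100"; } }
            description "Raise alarm when security log exceeds this percent capacity";
          }
        } // container potential-violation
      } // container alarms

      // `log-object` is defined elsewhere in this module (not in this excerpt).
      container log { description "Configure auditable security logs"; uses log-object; } // container log

      container certificates {
        description "X.509 certificate configuration";
        uses apply-advanced;
        list local { key "name"; ordered-by user; description "Local X.509 certificate configuration"; uses certificate-object; } // list local
        // Maximum chain depth accepted during path validation (0..15, default 15).
        leaf path-length {
          type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } }
          default "15";
          description "Maximum certificate path length";
        }
        leaf maximum-certificates {
          type union { type string { pattern "<.*>|$.*"; } type uint32 { range "64 .. 4294967295"; } }
          default "1024";
          description "Maximum number of certificates to cache";
        }
        leaf cache-size { type string; units "bytes"; description "Maximum size of certificate cache"; }
        leaf cache-timeout-negative {
          type union { type string { pattern "<.*>|$.*"; } type uint32 { range "10 .. 4294967295"; } }
          default "20";
          description "Time in seconds to cache negative responses";
        }
        leaf enrollment-retry {
          type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } }
          description "Number of retry attempts for an enrollment request";
        }
        list certification-authority {
          key "name";
          ordered-by user;
          description "CA X.509 certificate configuration";
          leaf name {
            type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; }
            description "CA profile name";
          }
          uses apply-advanced;
          leaf ca-name { type string; description "CA name"; }
          leaf file { type string; description "File to read certificate from"; }
          leaf crl { type string; description "File to read crl from"; }
          // NOTE(review): both URL leaves are unconstrained strings; the schema
          // does not restrict the scheme, so transport protection of enrollment
          // and CRL/LDAP fetches has to be enforced outside this model.
          leaf enrollment-url { type string; description "URL"; }
          leaf ldap-url { type string; description "URL"; }
          leaf encoding {
            type enumeration {
              enum "binary" { value 0; description "DER encoding"; }
              enum "pem" { value 1; description "Privacy-enhanced-mail encoding, base64"; }
            }
            default "binary";
            description "Encoding to use for certificate or CRL on disk";
          }
        } // list certification-authority
      } // container certificates

      container authentication-key-chains { description "Authentication key chain configuration"; uses security-authentication-key-chains; } // container authentication-key-chains

      // Pinned SSH host keys, one entry per host, one leaf per key algorithm.
      // NOTE(review): only `ecdsa-key` is marked deprecated here, although
      // `rsa1-key` (SSH protocol version 1) and `dsa-key` are legacy algorithms
      // too; consider flagging them as deprecated in the same way.
      container ssh-known-hosts {
        description "SSH known host list";
        uses apply-advanced;
        list host {
          key "name";
          ordered-by user;
          description "SSH known host entry";
          leaf name { type string; description "Host name"; }
          uses apply-advanced;
          leaf rsa1-key { type string; description "Base64 encoded RSA key (protocol version 1)"; }
          leaf rsa-key { type string; description "Base64 encoded RSA key"; }
          leaf dsa-key { type string; description "Base64 encoded DSA key"; }
          leaf ecdsa-key { type string; status deprecated; description "Base64 encoded ECDSA key"; }
          leaf ecdsa-sha2-nistp256-key { type string; description "Base64 encoded ECDSA-SHA2-NIST256 key"; }
          leaf ecdsa-sha2-nistp384-key { type string; description "Base64 encoded ECDSA-SHA2-NIST384 key"; }
          leaf ecdsa-sha2-nistp521-key { type string; description "Base64 encoded ECDSA-SHA2-NIST521 key"; }
          leaf ed25519-key { type string; description "Base64 encoded ED25519 key"; }
        } // list host
      } // container ssh-known-hosts

      container pki { presence "enable pki"; description "PKI service configuration"; uses security-pki; } // container pki

      container idp {
        description "IDP configuration";
        list idp-policy { key "name"; ordered-by user; description "Configure IDP policy"; uses idp-policy-type; } // list idp-policy
        // `active-policy` is deprecated in favour of `default-policy`; both carry
        // the same must-constraint requiring the referenced idp-policy to exist.
        leaf active-policy {
          junos:must "("security idp idp-policy $$")";
          junos:must-message "Policy must be defined under [security idp idp-policy] ";
          type string;
          status deprecated;
          description "Set active policy";
        }
        leaf default-policy {
          junos:must "("security idp idp-policy $$")";
          junos:must-message "Policy must be defined under [security idp idp-policy] ";
          type string;
          description "Set active policy";
        }
        list custom-attack { key "name"; ordered-by user; description "Configure custom attacks"; uses custom-attack-type; } // list custom-attack
        list custom-attack-group { key "name"; ordered-by user; description "Configure custom attack groups"; uses custom-attack-group-type; } // list custom-attack-group
        list dynamic-attack-group { key "name"; ordered-by user; description "Configure dynamic attack groups"; uses dynamic-attack-group-type; } // list dynamic-attack-group
        container traceoptions { description "Trace options for idp services"; uses idpd-traceoptions-type; } // container traceoptions

        // Attack-signature package download/installation settings.
        container security-package {
          description "Security package options";
          uses apply-advanced;
          // NOTE(review): `url` is a free-form string; the model neither restricts
          // the scheme nor expresses any integrity check on the downloaded package.
          leaf url { type string; description "URL of Security package download"; }
          leaf source-address { type jt:ipv4addr; description "Source address to be used for sending download request"; }
          leaf proxy-profile {
            junos:must "("services proxy profile $$")";
            junos:must-message "Referenced Proxy profile must be defined under [services proxy profile] path";
            type string { length "1 .. 64"; }
            description "Proxy profile of security package download";
          }
          leaf routing-instance {
            junos:must "("routing-instances $$")";
            junos:must-message "Routing-instance must be defined";
            type string;
            description "Routing instance for security-package download";
          }
          container install {
            presence "enable install";
            description "Configure install command";
            uses apply-advanced;
            // Both leaves relax safety checks on install; presumably operator overrides.
            leaf ignore-version-check { type empty; description "Skip version check when attack database gets installed"; }
            leaf ignore-appid-failure { type empty; description "Continue idp installation even if appid installation fails"; }
          } // container install
          container automatic {
            presence "enable automatic";
            description "Scheduled download and update";
            uses apply-advanced;
            leaf start-time { type jt:time; description "Start time (YYYY-MM-DD.HH:MM:SS)"; }
            leaf interval {
              type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 336"; } }
              units "hours";
              description "Interval";
            }
            leaf download-timeout {
              type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 60"; } }
              units "minutes";
              default "1";
              status deprecated;
              description "Maximum time for download to complete";
            }
            choice enable-disable {
              leaf enable { type empty; description "Enable"; }
            } // choice enable-disable
          } // container automatic
        } // container security-package

        // Low-level tuning of the IDP sensor. Most numeric leaves here have no
        // range restriction in the schema; limits are enforced by the daemon.
        container sensor-configuration {
          description "IDP Sensor Configuration";
          container log {
            description "IDP Log Configuration";
            uses apply-advanced;
            leaf cache-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Log cache size"; }
            container suppression {
              presence "enable suppression";
              description "Log suppression";
              uses apply-advanced;
              choice enable-disable {
                leaf disable { type empty; description "Disable log suppression"; }
              } // choice enable-disable
              choice include-destination-address-choice {
                leaf include-destination-address { type empty; description "Include destination address while performing a log suppression"; }
                leaf no-include-destination-address { type empty; description "Don't include destination address while performing a log suppression"; }
              } // choice include-destination-address-choice
              leaf start-log { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Suppression start log"; }
              leaf max-logs-operate { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum number of logs that can be operated on"; }
              leaf max-time-report { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Time after suppressed logs will be reported"; }
            } // container suppression
          } // container log

          container application-identification {
            presence "enable application-identification";
            description "Application identification";
            uses apply-advanced;
            choice enable-disable {
              leaf disable { type empty; description "Disable application identification"; }
            } // choice enable-disable
            choice application-system-cache-choice {
              leaf application-system-cache { type empty; description "Application system cache"; }
              leaf no-application-system-cache { type empty; description "Don't use application system cache"; }
            } // choice application-system-cache-choice
            leaf max-tcp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max TCP session memory"; }
            leaf max-udp-session-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max UDP session memory"; }
            leaf max-sessions { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max sessions that can run AI at the same time"; }
            leaf max-packet-memory { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max packet memory"; }
            leaf max-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Max packet memory ratio"; }
            leaf max-reass-packet-memory-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Max reass packet memory ratio"; }
            leaf application-system-cache-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Application system cache timeout"; }
          } // container application-identification

          container flow {
            description "Flow configuration";
            uses apply-advanced;
            choice log-errors-choice {
              leaf log-errors { type empty; description "Flow log errors"; }
              leaf no-log-errors { type empty; description "Don't log flow errors"; }
            } // choice log-errors-choice
            choice allow-icmp-without-flow-choice {
              leaf allow-icmp-without-flow { type empty; status deprecated; description "Allow icmp without flow"; }
              leaf no-allow-icmp-without-flow { type empty; status deprecated; description "Don't allow icmp without flow"; }
            } // choice allow-icmp-without-flow-choice
            leaf hash-table-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow hash table size"; }
            leaf reject-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Flow reject timeout"; }
            leaf max-timers-poll-ticks { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum timers poll ticks"; }
            leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; }
            leaf udp-anticipated-timeout { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum udp anticipated timeout"; }
            // Lets the sensor track TCP sessions whose handshake it did not see.
            leaf allow-nonsyn-connection { type empty; description "Allow TCP non-syn connection"; }
            leaf-list intel-inspect-protocols { type string; ordered-by user; description "Protocols to be processed in Intelligent Inspection mode"; }
          } // container flow

          container re-assembler {
            description "Re-assembler configuration";
            uses apply-advanced;
            choice drop-on-syn-in-window-choice {
              leaf drop-on-syn-in-window { type empty; description "Drop session when SYN is seen in the window"; }
              leaf no-drop-on-syn-in-window { type empty; description "Don't drop session when SYN is seen in the window"; }
            } // choice drop-on-syn-in-window-choice
            choice ignore-memory-overflow-choice {
              leaf ignore-memory-overflow { type empty; description "Ignore memory overflow"; }
              leaf no-ignore-memory-overflow { type empty; description "Don't ignore memory overflow"; }
            } // choice ignore-memory-overflow-choice
            choice ignore-reassembly-memory-overflow-choice {
              leaf ignore-reassembly-memory-overflow { type empty; description "Ignore packet reassembly memory overflow"; }
              leaf no-ignore-reassembly-memory-overflow { type empty; description "Don't ignore packet reassembly memory overflow"; }
            } // choice ignore-reassembly-memory-overflow-choice
            leaf ignore-reassembly-overflow { type empty; description "Ignore global reassembly overflow"; }
            leaf max-packet-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } status deprecated; description "Maximum packet memory"; }
            leaf max-flow-mem { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum flow memory"; }
            leaf max-packet-mem-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum packet memory ratio"; }
            // Fail-closed by default: a reassembly failure drops the packet.
            leaf action-on-reassembly-failure {
              type enumeration {
                enum "ignore" { value 0; description "No action is taken."; }
                enum "drop" { value 1; description "Drop the packet."; }
                enum "drop-session" { value 2; description "Drop the session."; }
              }
              default "drop";
              description "Select the action on reassembly failures";
            }
            choice tcp-error-logging-choice {
              leaf tcp-error-logging { type empty; description "Enable logging on tcp errors"; }
              leaf no-tcp-error-logging { type empty; description "Don't enable logging on tcp errors"; }
            } // choice tcp-error-logging-choice
            leaf max-synacks-queued { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum syn-acks queued with different SEQ numbers "; }
            choice force-tcp-window-checks-choice {
              leaf force-tcp-window-checks { type empty; description "Force TCP window checks if uni-directional policy is configured"; }
              leaf no-force-tcp-window-checks { type empty; description "Don't force TCP window checks if uni-directional policy is configured"; }
            } // choice force-tcp-window-checks-choice
          } // container re-assembler

          container ips {
            description "Ips configuration";
            uses apply-advanced;
            choice process-override-choice {
              leaf process-override { type empty; description "Process override"; }
              leaf no-process-override { type empty; description "Don't process override"; }
            } // choice process-override-choice
            choice detect-shellcode-choice {
              leaf detect-shellcode { type empty; description "Detect shellcode"; }
              leaf no-detect-shellcode { type empty; description "Don't detect shellcode"; }
            } // choice detect-shellcode-choice
            choice process-ignore-s2c-choice {
              leaf process-ignore-s2c { type empty; description "Process ignore s2c"; }
              leaf no-process-ignore-s2c { type empty; description "Don't process ignore s2c"; }
            } // choice process-ignore-s2c-choice
            choice ignore-regular-expression-choice {
              leaf ignore-regular-expression { type empty; description "Ignore regular expression"; }
              leaf no-ignore-regular-expression { type empty; description "Don't ignore regular expression"; }
            } // choice ignore-regular-expression-choice
            leaf process-port { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Process port"; }
            leaf fifo-max-size { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum fifo size"; }
            leaf log-supercede-min { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Minimum log supercede"; }
            // Decompression limits bound memory and expansion ratio for inspected content.
            leaf content-decompression-max-memory-kb { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum memory usage in kilo bytes"; }
            leaf content-decompression-max-ratio { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Maximum decompression ratio supported"; }
            leaf session-pkt-depth { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Session pkt scanning depth"; }
          } // container ips

          container global {
            description "Global configuration";
            uses apply-advanced;
            choice enable-packet-pool-choice {
              leaf enable-packet-pool { type empty; description "Enable packet pool"; }
              leaf no-enable-packet-pool { type empty; description "Don't enable packet pool"; }
            } // choice enable-packet-pool-choice
            leaf log-xff-header { type empty; description "Log xff header"; }
            choice enable-all-qmodules-choice {
              leaf enable-all-qmodules { type empty; description "Enable all qmodules"; }
              leaf no-enable-all-qmodules { type empty; description "Don't enable all qmodules"; }
            } // choice enable-all-qmodules-choice
            choice policy-lookup-cache-choice {
              leaf policy-lookup-cache { type empty; description "Policy lookup cache"; }
              leaf no-policy-lookup-cache { type empty; description "Don't use policy lookup cache"; }
            } // choice policy-lookup-cache-choice
            leaf memory-limit-percent { type union { type string { pattern "<.*>|$.*"; } type uint32; } description "Memory limit percentage"; }
            // Turns IDP inspection off entirely; worth alerting on in config audits.
            leaf disable-idp-processing { type empty; description "Flag to disable IDP processing"; }
            leaf intelligent-offload {
              type enumeration {
                enum "disable" { value 0; description "Disable flow offload"; }
                enum "conservative" { value 1; description "Increases scrutiny of flows prior to offload"; }
              }
              description "Intelligently offload the flow";
            }
          } // container global

          container detector {
            description "Detector Configuration";
            uses apply-advanced;
            list protocol-name { key "name"; ordered-by user; description "Protocol-specific detector configuration"; uses proto-object; } // list protocol-name
          } // container detector

          container high-availability {
            description "High availability configuration";
            uses apply-advanced;
            leaf no-policy-cold-synchronization { type empty; description "Disable policy cold synchronization"; }
          } // container high-availability
        } // container sensor-configuration

        leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; }
        list logical-system { key "name"; ordered-by user; description "Configure max IDP sessions for the logical system"; uses logical-system-type; } // list logical-system
        list tenant-system { key "name"; ordered-by user; description "Configure max IDP sessions for the tenant"; uses tenant-system-type; } // list tenant-system
      } // container idp
    } // container security
  } // grouping security-group

  // Standard Junos inheritance hooks (apply-groups / apply-macro), pulled into
  // nearly every container above via `uses apply-advanced`.
  grouping apply-advanced {
    description "Apply advanced configuration logic";
    leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; }
    leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; }
    list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro
  } // grouping apply-advanced

  grouping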
apply-macro-type {
    description "Macro data for commit-script expansion";
    leaf name { type string; description "Name of the macro to be expanded"; }
    // `macro-data-type` is defined elsewhere in this module.
    list data { key "name"; uses macro-data-type; } // list data
  } // grouping apply-macro-type

  // Entry of the `security certificates local` list.
  // NOTE(review): per its description, `certificate` carries the private key
  // together with the certificate; treat this leaf as secret material when
  // configuration is exported, diffed or backed up.
  grouping certificate-object {
    leaf name { type string; description "Simple name to identify this certificate"; }
    uses apply-advanced;
    leaf certificate { type string; description "Certificate and private key string"; }
  } // grouping certificate-object

  // Entry of the `security idp custom-attack-group` list. `group-members` is a
  // plain string list; unlike the policy references in this module it carries
  // no junos:must constraint, so membership is presumably validated elsewhere.
  grouping custom-attack-group-type {
    description "Define custom attack group";
    leaf name { type string; description "Custom attack group name"; }
    uses apply-advanced;
    leaf attack-group-description { type string; status deprecated; description "Attack group description in xml format"; }
    leaf-list group-members { type string; ordered-by user; description "List of attacks/attack groups belonging to this group"; }
  } // grouping custom-attack-group-type

  // Entry of the `security idp custom-attack` list (definition continues below).
  grouping custom-attack-type {
    description "Define custom attack";
    leaf name {
      type string { junos:posix-pattern "^.{1,60}$"; junos:pattern-message "Custom attack name must be a string of 60 characters or less"; }
      description "Custom attack name";
    }
    uses apply-advanced;
    leaf-list attack-description { type string; ordered-by user; description "Attack description"; }
    leaf recommended-action {
      type enumeration {
        enum "none" { value 0; description "No action"; }
        enum "ignore" { value 1; description "No further inspection on the flow"; }
        enum "drop-packet" { value 2; description "Drop the packet"; }
        enum "drop" { value 3; description "Drop the packet and subsequent packets of the flow"; }
        enum "close-client" { value 4; description "Reset the client side"; }
        enum "close-server" { value 5; description "Reset the server side"; }
        enum "close" { value 6; description "Reset both client and server"; }
      }
      description "Recommended Action";
    }
    leaf severity {
      type enumeration {
        enum "info" { value 0; description "Provide information of attack when it 
matches."; } enum "warning" { value 1; description "Issue a warning when attack matches."; } enum "minor" { value 2; description "The attack is a minor one."; } enum "major" { value 3; description "The attack is a major one."; } enum "critical" { value 4; description "The attack is a critical one."; } } description "Select the severity that matches the lethality of this attack on your network"; } container time-binding { description "Time binding params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of times this attack is to be triggered"; } leaf scope { junos:must "((!(".. count 0") && !(".. count 1")))"; junos:must-message "Scope should be defined if count > 1"; type enumeration { enum "peer" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { junos:must "((!(".. count 0") && (!(".. count 1") && (".. count" && ".. scope"))))"; junos:must-message "To configure interval, count & scope should be set and count should be greater than or equal to 2"; type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } default "01m-00s"; description "Maximum time-gap between two instances of the attack. Format : MMm-SSs"; } } // container time-binding container detection-filter { junos:must "(!(".. 
time-binding"))"; junos:must-message "Time-binding and detection-filter will not be allowed together"; description "Detection filter params"; leaf count { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Number of matches for this attack to be triggered. Must be greater than 0"; } leaf scope { type enumeration { enum "session" { value 0; description "If the attack is between a single source and single destination"; } enum "source" { value 1; description "If the attack is from one source and multiple destination"; } enum "destination" { value 2; description "If the attack is from multiple sources to one destination"; } } description "Scope within which the count occurs"; } leaf interval { type string { junos:posix-pattern "^((([0-5][0-9])[m][-]([0-5][0-9])[s])|([6][0][m][-][0][0][s]))$"; junos:pattern-message "Invalid interval format: Correct format MMm-SSs, with minutes range 00-60, seconds range 00-59"; } description "Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second"; } } // container detection-filter container attack-type { description "Type of attack"; uses apply-advanced; container signature { junos:must "(!((".. anomaly" || ".. 
chain")))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } case case_9 { } // case case_9 } // choice protocol } // container protocol-binding leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Attack signature pattern in PCRE format"; } container content { junos:must "(".. context")"; junos:must-message "Context must be specified"; description "Mention the match-modifire parameters to enhance pattern matching"; leaf pattern { type string; description "Specify match-modifier pattern"; } leaf pcre { type string { length "0 .. 511"; } description "PCRE expression"; } container depth { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum depth to search pattern within a packet. Depth is not relative"; leaf depth-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'depth'"; } leaf depth-variable { type string; description "Specify the variable name from which 'depth' should be extracted"; } } // container depth container offset { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Where to start searching for a pattern within a packet. Offset value is not relative"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
65535"; } } description "Specify the value of 'offset'"; } leaf offset-variable { type string; description "Specify the variable name from which 'offset' should be extracted"; } } // container offset container within { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Number of bytes present between two conjugative pattern match. within is relative"; leaf within-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "Specify the value of 'within'"; } leaf within-variable { type string; description "Specify the variable name from which 'within' should be extracted"; } } // container within container distance { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Maximum Length to ignore before searching next pattern match. Distance is relative"; leaf distance-value { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the value of 'distance'"; } leaf distance-variable { type string; description "Specify the variable name from which 'distance' should be extracted"; } } // container distance container byte-extract { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-extract parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf var-name { type string; description "Specify the name of the variable to reference in other rule options"; } leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "2-byte" { value 0; description "Round the number of converted bytes to 2-byte boundary"; } enum "4-byte" { value 1; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-extract container byte-test { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-test parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type int32; type string { pattern "<.*>|$.*"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset container rvalue { description "Specify the rvalue to test the converted value against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "less-than" { value 0; description "Perform operation 'less than'"; } enum "greater-than" { value 1; description "Perform operation 'greater than'"; } enum "less-than-or-equal" { value 2; description "Perform operation 'less than or equal'"; } enum "greater-than-or-equal" { value 3; description "Perform operation 'greater than or equal'"; } enum "equal" { value 4; description "Perform operation 'equal'"; } enum "bitwise-AND" { value 5; description "Perform operation 'bitwise AND'"; } enum "bitwise-XOR" { value 6; description "Perform operation 'bitwise XOR'"; } } description "Specify the operation to perform on extracted value"; } leaf negate { type empty; description "Check if the operator is not true"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum 
"dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } } // container byte-test container byte-math { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-math parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } leaf offset { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } container rvalue { description "Specify the value to use mathematical operation against"; leaf rvalue-value { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Specify the value"; } leaf rvalue-variable { type string; description "Specify the variable name"; } } // container rvalue leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf operator { type enumeration { enum "addition" { value 0; description "Perform operation 'addition'"; } enum "subtraction" { value 1; description "Perform operation 'subtraction'"; } enum "multiplication" { value 2; description "Perform operation 'multiplication'"; } enum "division" { value 3; description "Perform operation 'division'"; } enum "right-shift" { value 4; description "Perform operation 'right shift'"; } enum "left-shift" { value 5; description "Perform operation 'left shift'"; } } description "Specify the operation to perform on extracted value"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little 
endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf result { type string; description "Specify the variable name to which result should be stored"; } } // container byte-math container byte-jump { junos:must "(".. pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the byte-jump parameters for signature in length encoded protocols"; leaf bytes { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 10"; } } description "Specify the number of bytes to extract from packet"; } container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 
65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf multiplier { type union { type uint16; type string { pattern "<.*>|$.*"; } } description "Specify the value to be multiplied against the bytes read"; } leaf endianness { type enumeration { enum "Little" { value 0; description "Process data in little endian"; } enum "Big" { value 1; description "Process data in big endian"; } } description "Specify the endianness with which bytes read should be processed"; } leaf align { type enumeration { enum "4-byte" { value 0; description "Round the number of converted bytes to 4-byte boundary"; } } description "Specify the byte alignment"; } leaf string { type enumeration { enum "hex" { value 0; description "Process data in hexadecimal format"; } enum "dec" { value 1; description "Process data in decimal format"; } enum "oct" { value 2; description "Process data in octal format"; } } description "Specify the data type in which string data should be parsed"; } leaf bitmask { type string; description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format"; } leaf from-beginning { type empty; description "Enable jump from the beginning of the payload"; } leaf from-end { type empty; description "Enable jump from the end of the payload"; } leaf post-offset { type union { type string { pattern "<.*>|$.*"; } type int32 { range "-65535 .. 65535"; } } description "Specify the number of bytes to skip forward or backward"; } } // container byte-jump container is-data-at { junos:must "(".. 
pattern")"; junos:must-message "Content pattern must be specified"; description "Mention the is-data-at parameters for signature in length encoded protocols"; container offset { description "Mention the offset variable name or offset value to be used"; leaf offset-value { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "0 .. 65535"; } } description "Specify the number of bytes in to payload to start processing"; } leaf offset-variable { type string; description "Specify the name of the offset variable"; } } // container offset leaf relative { type empty; description "Specify whether to use an offset relative to last pattern match or not"; } leaf negate { type empty; description "Negates the results of the isdataat test"; } } // container is-data-at } // container content container optional-parameters { junos:must "(".. pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 
511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type 
uint32 { range "0 .. 255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit set"; } leaf no-rb { type empty; description "Reserved bit not set"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragments bit set"; } leaf no-mf { type empty; description "More Fragments bit not set"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit set"; } leaf no-df { type empty; description "Don't Fragment bit not set"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. 
match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container urgent-pointer container tcp-flags { presence "enable tcp-flags"; description "TCP header flags"; choice r1-choice { leaf r1 { type empty; description "Set Reserved bit 1"; } leaf no-r1 { type empty; description "Don't set Reserved bit 1"; } } // choice r1-choice choice r2-choice { leaf r2 { type empty; description "Set Reserved bit 2"; } leaf no-r2 { type empty; description "Don't set Reserved bit 2"; } } // choice r2-choice choice urg-choice { leaf urg { type empty; description "Set Urgent bit"; } leaf no-urg { type empty; description "Don't set Urgent bit"; } } // choice urg-choice choice ack-choice { leaf ack { type empty; description "Set Acknowledge bit"; } leaf no-ack { type empty; description "Don't set Acknowledge bit"; } } // choice ack-choice choice psh-choice { leaf psh { type empty; description "Set Push bit"; } leaf no-psh { type empty; description "Don't set Push bit"; } } // choice psh-choice choice rst-choice { leaf rst { type empty; description "Set Reset bit"; } leaf no-rst { type empty; description "Don't set Reset bit"; } } // choice rst-choice choice syn-choice { leaf syn { type empty; description "Set SYN bit"; } leaf no-syn { type empty; description "Don't set SYN bit"; } } // choice syn-choice choice fin-choice { leaf fin { type empty; description "Set FIN bit"; } leaf no-fin { type empty; description "Don't set FIN bit"; } } // choice fin-choice } // container tcp-flags container option { presence "enable option"; description "TCP option kind"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { 
pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. 
icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. 
icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. 
icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!((".. signature" || ".. 
chain")))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf service { type string; description "Service name"; } leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly container chain { junos:must "(!((".. signature" || ".. 
anomaly")))"; junos:must-message "Only one attack type is permitted"; description "Chain attack"; uses apply-advanced; container protocol-binding { description "Protocol binding over which attack will be detected"; uses apply-advanced; choice protocol { container tcp { presence "enable tcp"; description "Attack is for TCP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Multiple sets of (single port/port ranges) can be specified"; uses port-range; } // list minimum-port } // container tcp container udp { presence "enable udp"; description "Attack is for UDP packets only"; uses apply-advanced; list minimum-port { key "name"; ordered-by user; description "Either single port or port ranges can be specified"; uses port-range; } // list minimum-port } // container udp container rpc { presence "enable rpc"; description "Attack is for RPC packets only"; uses apply-advanced; leaf program-number { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "RPC Program Number"; } } // container rpc leaf icmp { type empty; description "Attack is for ICMP packets only"; } leaf icmpv6 { type empty; description "Attack is for ICMPv6 packets only"; } container ip { presence "enable ip"; description "Attack is for all IP based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 139"; } } description "Transport layer protocol number"; } } // container ip container ipv6 { presence "enable ipv6"; description "Attack is for all IPv6 based packets"; uses apply-advanced; leaf protocol-number { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
139"; } } description "Transport layer protocol number"; } } // container ipv6 leaf application { type string; description "Application name"; } case case_9 { } // case case_9 } // choice protocol } // container protocol-binding leaf scope { type enumeration { enum "session" { value 0; description "Allow matches across transactions within the same session"; } enum "transaction" { value 1; description "Allow matches in single transactions within the same session"; } } description "Scope of the attack"; } leaf order { type empty; description "Attacks should match in the order in which they are defined"; } leaf reset { type empty; description "Repeat match should generate a new alert"; } leaf expression { junos:must "(!(".. order"))"; junos:must-message "Boolean Expression cannot be specified with order"; type string; description "Boolean Expression(or, and, oand). Multiple expressions can be combined using parenthesis."; } list member { key "name"; ordered-by user; description "List of member attacks."; uses chain-member-type; } // list member } // container chain } // container attack-type } // grouping custom-attack-type grouping chain-member-type { description "Chain member"; leaf name { type string; description "Custom attack name"; } uses apply-advanced; container attack-type { presence "enable attack-type"; description "Type of attack"; uses apply-advanced; container signature { junos:must "(!(".. anomaly"))"; junos:must-message "Only one attack type is permitted"; description "Signature based attack"; uses apply-advanced; leaf context { type string; description "Context"; } leaf pattern { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 511"; } description "Pattern is the signature of the attack you want to detect"; } leaf pattern-pcre { junos:must "(".. context")"; junos:must-message "Context must be specified"; type string { length "0 .. 
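511"; }
  description "Attack signature pattern in PCRE format";
}
// Match-modifier parameters that refine how 'pattern' / 'pattern-pcre' is
// searched within the payload.  'content' itself requires 'context', and every
// modifier container below requires 'pattern' (enforced by junos:must).
container content {
  junos:must "(".. context")";
  junos:must-message "Context must be specified";
  description "Mention the match-modifier parameters to enhance pattern matching";
  leaf pattern {
    type string;
    description "Specify match-modifier pattern";
  }
  leaf pcre {
    type string {
      length "0 .. 511";
    }
    description "PCRE expression";
  }
  container depth {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Maximum depth to search pattern within a packet. Depth is not relative";
    leaf depth-value {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint16 {
          range "1 .. 65535";
        }
      }
      description "Specify the value of 'depth'";
    }
    leaf depth-variable {
      type string;
      description "Specify the variable name from which 'depth' should be extracted";
    }
  } // container depth
  container offset {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Where to start searching for a pattern within a packet. Offset value is not relative";
    leaf offset-value {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint16 {
          range "0 .. 65535";
        }
      }
      description "Specify the value of 'offset'";
    }
    leaf offset-variable {
      type string;
      description "Specify the variable name from which 'offset' should be extracted";
    }
  } // container offset
  container within {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Maximum Number of bytes present between two consecutive pattern match. within is relative";
    leaf within-value {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint16 {
          range "1 .. 65535";
        }
      }
      description "Specify the value of 'within'";
    }
    leaf within-variable {
      type string;
      description "Specify the variable name from which 'within' should be extracted";
    }
  } // container within
  container distance {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Maximum Length to ignore before searching next pattern match. Distance is relative";
    leaf distance-value {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type int32 {
          range "-65535 .. 65535";
        }
      }
      description "Specify the value of 'distance'";
    }
    leaf distance-variable {
      type string;
      description "Specify the variable name from which 'distance' should be extracted";
    }
  } // container distance
  container byte-extract {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Mention the byte-extract parameters for signature in length encoded protocols";
    leaf bytes {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 10";
        }
      }
      description "Specify the number of bytes to extract from packet";
    }
    // NOTE(review): offsets in this block are typed inconsistently - this leaf
    // and byte-test's offset-value are unbounded int32, while byte-math,
    // byte-jump and is-data-at bound theirs to uint16 0..65535.  Confirm which
    // is intended before relying on the schema to reject out-of-range values.
    leaf offset {
      type union {
        type int32;
        type string {
          pattern "<.*>|$.*";
        }
      }
      description "Specify the number of bytes in to payload to start processing";
    }
    // NOTE(review): variable names ('var-name', 'result', and the '*-variable'
    // leaves) are free-form strings; the schema carries no leafref tying a
    // reference back to its definition, so presumably the device validates
    // that at commit time - confirm.
    leaf var-name {
      type string;
      description "Specify the name of the variable to reference in other rule options";
    }
    leaf relative {
      type empty;
      description "Specify whether to use an offset relative to last pattern match or not";
    }
    leaf multiplier {
      type union {
        type uint16;
        type string {
          pattern "<.*>|$.*";
        }
      }
      description "Specify the value to be multiplied against the bytes read";
    }
    leaf endianness {
      type enumeration {
        enum "Little" {
          value 0;
          description "Process data in little endian";
        }
        enum "Big" {
          value 1;
          description "Process data in big endian";
        }
      }
      description "Specify the endianness with which bytes read should be processed";
    }
    leaf align {
      type enumeration {
        enum "2-byte" {
          value 0;
          description "Round the number of converted bytes to 2-byte boundary";
        }
        enum "4-byte" {
          value 1;
          description "Round the number of converted bytes to 4-byte boundary";
        }
      }
      description "Specify the byte alignment";
    }
    leaf string {
      type enumeration {
        enum "hex" {
          value 0;
          description "Process data in hexadecimal format";
        }
        enum "dec" {
          value 1;
          description "Process data in decimal format";
        }
        enum "oct" {
          value 2;
          description "Process data in octal format";
        }
      }
      description "Specify the data type in which string data should be parsed";
    }
    // NOTE(review): the hexadecimal format is stated in the description only;
    // the leaf has no 'pattern' restriction, so a malformed mask is not
    // rejected at the schema level (same for the bitmask leaves below).
    leaf bitmask {
      type string;
      description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format";
    }
  } // container byte-extract
  container byte-test {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Mention the byte-test parameters for signature in length encoded protocols";
    leaf bytes {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 10";
        }
      }
      description "Specify the number of bytes to extract from packet";
    }
    container offset {
      description "Mention the offset variable name or offset value to be used";
      leaf offset-value {
        type union {
          type int32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "Specify the number of bytes in to payload to start processing";
      }
      leaf offset-variable {
        type string;
        description "Specify the name of the offset variable";
      }
    } // container offset
    container rvalue {
      description "Specify the rvalue to test the converted value against";
      leaf rvalue-value {
        type union {
          type uint32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "Specify the value";
      }
      leaf rvalue-variable {
        type string;
        description "Specify the variable name";
      }
    } // container rvalue
    leaf relative {
      type empty;
      description "Specify whether to use an offset relative to last pattern match or not";
    }
    leaf operator {
      type enumeration {
        enum "less-than" {
          value 0;
          description "Perform operation 'less than'";
        }
        enum "greater-than" {
          value 1;
          description "Perform operation 'greater than'";
        }
        enum "less-than-or-equal" {
          value 2;
          description "Perform operation 'less than or equal'";
        }
        enum "greater-than-or-equal" {
          value 3;
          description "Perform operation 'greater than or equal'";
        }
        enum "equal" {
          value 4;
          description "Perform operation 'equal'";
        }
        enum "bitwise-AND" {
          value 5;
          description "Perform operation 'bitwise AND'";
        }
        // NOTE(review): the description previously read 'bitwise OR'; the enum
        // name is taken as authoritative - confirm against the IDP engine.
        enum "bitwise-XOR" {
          value 6;
          description "Perform operation 'bitwise XOR'";
        }
      }
      description "Specify the operation to perform on extracted value";
    }
    leaf negate {
      type empty;
      description "Check if the operator is not true";
    }
    leaf endianness {
      type enumeration {
        enum "Little" {
          value 0;
          description "Process data in little endian";
        }
        enum "Big" {
          value 1;
          description "Process data in big endian";
        }
      }
      description "Specify the endianness with which bytes read should be processed";
    }
    leaf string {
      type enumeration {
        enum "hex" {
          value 0;
          description "Process data in hexadecimal format";
        }
        enum "dec" {
          value 1;
          description "Process data in decimal format";
        }
        enum "oct" {
          value 2;
          description "Process data in octal format";
        }
      }
      description "Specify the data type in which string data should be parsed";
    }
    leaf bitmask {
      type string;
      description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format";
    }
  } // container byte-test
  container byte-math {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Mention the byte-math parameters for signature in length encoded protocols";
    leaf bytes {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 10";
        }
      }
      description "Specify the number of bytes to extract from packet";
    }
    leaf offset {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint16 {
          range "0 .. 65535";
        }
      }
      description "Specify the number of bytes in to payload to start processing";
    }
    container rvalue {
      description "Specify the value to use mathematical operation against";
      leaf rvalue-value {
        type union {
          type uint32;
          type string {
            pattern "<.*>|$.*";
          }
        }
        description "Specify the value";
      }
      leaf rvalue-variable {
        type string;
        description "Specify the variable name";
      }
    } // container rvalue
    leaf relative {
      type empty;
      description "Specify whether to use an offset relative to last pattern match or not";
    }
    leaf operator {
      type enumeration {
        enum "addition" {
          value 0;
          description "Perform operation 'addition'";
        }
        enum "subtraction" {
          value 1;
          description "Perform operation 'subtraction'";
        }
        enum "multiplication" {
          value 2;
          description "Perform operation 'multiplication'";
        }
        enum "division" {
          value 3;
          description "Perform operation 'division'";
        }
        enum "right-shift" {
          value 4;
          description "Perform operation 'right shift'";
        }
        enum "left-shift" {
          value 5;
          description "Perform operation 'left shift'";
        }
      }
      description "Specify the operation to perform on extracted value";
    }
    leaf endianness {
      type enumeration {
        enum "Little" {
          value 0;
          description "Process data in little endian";
        }
        enum "Big" {
          value 1;
          description "Process data in big endian";
        }
      }
      description "Specify the endianness with which bytes read should be processed";
    }
    leaf string {
      type enumeration {
        enum "hex" {
          value 0;
          description "Process data in hexadecimal format";
        }
        enum "dec" {
          value 1;
          description "Process data in decimal format";
        }
        enum "oct" {
          value 2;
          description "Process data in octal format";
        }
      }
      description "Specify the data type in which string data should be parsed";
    }
    leaf bitmask {
      type string;
      description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format";
    }
    leaf result {
      type string;
      description "Specify the variable name to which result should be stored";
    }
  } // container byte-math
  container byte-jump {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Mention the byte-jump parameters for signature in length encoded protocols";
    leaf bytes {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "1 .. 10";
        }
      }
      description "Specify the number of bytes to extract from packet";
    }
    container offset {
      description "Mention the offset variable name or offset value to be used";
      leaf offset-value {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint16 {
            range "0 .. 65535";
          }
        }
        description "Specify the number of bytes in to payload to start processing";
      }
      leaf offset-variable {
        type string;
        description "Specify the name of the offset variable";
      }
    } // container offset
    leaf relative {
      type empty;
      description "Specify whether to use an offset relative to last pattern match or not";
    }
    leaf multiplier {
      type union {
        type uint16;
        type string {
          pattern "<.*>|$.*";
        }
      }
      description "Specify the value to be multiplied against the bytes read";
    }
    leaf endianness {
      type enumeration {
        enum "Little" {
          value 0;
          description "Process data in little endian";
        }
        enum "Big" {
          value 1;
          description "Process data in big endian";
        }
      }
      description "Specify the endianness with which bytes read should be processed";
    }
    // Only a 4-byte alignment is offered here, unlike byte-extract which also
    // offers 2-byte.  The description was a copy of the endianness text.
    leaf align {
      type enumeration {
        enum "4-byte" {
          value 0;
          description "Round the number of converted bytes to 4-byte boundary";
        }
      }
      description "Specify the byte alignment";
    }
    leaf string {
      type enumeration {
        enum "hex" {
          value 0;
          description "Process data in hexadecimal format";
        }
        enum "dec" {
          value 1;
          description "Process data in decimal format";
        }
        enum "oct" {
          value 2;
          description "Process data in octal format";
        }
      }
      description "Specify the data type in which string data should be parsed";
    }
    leaf bitmask {
      type string;
      description "Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format";
    }
    leaf from-beginning {
      type empty;
      description "Enable jump from the beginning of the payload";
    }
    leaf from-end {
      type empty;
      description "Enable jump from the end of the payload";
    }
    leaf post-offset {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type int32 {
          range "-65535 .. 65535";
        }
      }
      description "Specify the number of bytes to skip forward or backward";
    }
  } // container byte-jump
  container is-data-at {
    junos:must "(".. pattern")";
    junos:must-message "Content pattern must be specified";
    description "Mention the is-data-at parameters for signature in length encoded protocols";
    container offset {
      description "Mention the offset variable name or offset value to be used";
      leaf offset-value {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint16 {
            range "0 .. 65535";
          }
        }
        description "Specify the number of bytes in to payload to start processing";
      }
      leaf offset-variable {
        type string;
        description "Specify the name of the offset variable";
      }
    } // container offset
    leaf relative {
      type empty;
      description "Specify whether to use an offset relative to last pattern match or not";
    }
    leaf negate {
      type empty;
      description "Negates the results of the isdataat test";
    }
  } // container is-data-at
} // container content
container optional-parameters {
  junos:must "(".. 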
pattern-pcre")"; junos:must-message "Applicable only for pattern-pcre defined signatures"; description "Mention the optional parameters to enhance pattern matching"; leaf min-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum offset in data at which pattern-match can end"; } leaf max-offset { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Maximum offset in data at which pattern-match can end"; } leaf min-length { type union { type uint64; type string { pattern "<.*>|$.*"; } } description "Minimum match length required to match the pattern"; } leaf edit-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this edit distance"; } leaf hamming-distance { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Match the pattern within this hamming distance"; } } // container optional-parameters leaf regexp { junos:must "((".. pattern" || ".. pattern-pcre"))"; junos:must-message "A pattern or pattern-pcre must be defined "; type string { length "0 .. 511"; } description "Regular expression used for matching repetition of patterns"; } leaf negate { junos:must "(!((".. context normalized-stream" || (".. context normalized-stream256" || (".. context normalized-stream1k" || ".. context normalized-stream8k")))))"; junos:must-message "Negation not supported for normalized-stream contexts"; junos:must "(!((".. context stream" || (".. context stream256" || (".. context stream1k" || ".. 
context stream8k")))))"; junos:must-message "Negation not supported for stream contexts"; type empty; description "Trigger the attack if condition is not met"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "Client to Server"; } enum "server-to-client" { value 1; description "Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Connection direction of the attack"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } container protocol { description "Protocol header matches"; uses apply-advanced; container ipv4 { description "IPv4 protocol parameters"; uses apply-advanced; container tos { presence "enable tos"; description "Type of Service"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container tos container ihl { presence "enable ihl"; description "Header length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 15"; } } description "Match value"; } } // container ihl container total-length { presence "enable total-length"; description "Total Length of IP datagram"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container total-length container identification { presence "enable identification"; description "Fragment Identification"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container identification container ip-flags { presence "enable ip-flags"; description "IP Flag bits"; choice rb-choice { leaf rb { type empty; description "Reserved bit"; } leaf no-rb { type empty; description "Don't reserved bit"; } } // choice rb-choice choice mf-choice { leaf mf { type empty; description "More Fragment bit"; } leaf no-mf { type empty; description "Don't more Fragment bit"; } } // choice mf-choice choice df-choice { leaf df { type empty; description "Don't Fragment bit"; } leaf no-df { type empty; description "Don't don't Fragment bit"; } } // choice df-choice } // container ip-flags container ttl { presence "enable ttl"; description "Time to live"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container ttl container protocol { presence "enable protocol"; description "Transport layer protocol"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container protocol container source { presence "enable source"; description "Source IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container source container destination { presence "enable destination"; description "Destination IP-address/Hostname"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type jt:ipv4addr; description "Match value"; } } // container destination container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. 
match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container ipv4 container tcp { junos:must "((!(".. udp") && !(".. icmp")))"; junos:must-message "tcp cannot be specified with udp or icmp"; description "TCP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container destination-port container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container sequence-number container ack-number { presence "enable ack-number"; description "Acknowledgement Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } description "Match value"; } } // container ack-number container header-length { presence "enable header-length"; description "Header Length in words"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
15"; } } description "Match value"; } } // container header-length container reserved { presence "enable reserved"; description "Three reserved bits"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Match value"; } } // container reserved container window-size { presence "enable window-size"; description "Window Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container window-size container urgent-pointer { presence "enable urgent-pointer"; description "Urgent Pointer"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
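65535"; } }
description "Match value";
}
} // container urgent-pointer
container tcp-flags {
  presence "enable tcp-flags";
  description "TCP header flags";
  /* One presence flag per header bit; each choice allows either the bit
     or its "no-" negation, never both.
     NOTE(review): the module does not say which header positions r1/r2
     denote; later TCP revisions assigned some formerly reserved bits
     (ECN), so confirm the mapping before matching on them. */
  choice r1-choice {
    leaf r1 {
      type empty;
      description "Set Reserved bit 1";
    }
    leaf no-r1 {
      type empty;
      description "Don't set Reserved bit 1";
    }
  } // choice r1-choice
  choice r2-choice {
    leaf r2 {
      type empty;
      description "Set Reserved bit 2";
    }
    leaf no-r2 {
      type empty;
      description "Don't set Reserved bit 2";
    }
  } // choice r2-choice
  choice urg-choice {
    leaf urg {
      type empty;
      description "Set Urgent bit";
    }
    leaf no-urg {
      type empty;
      description "Don't set Urgent bit";
    }
  } // choice urg-choice
  choice ack-choice {
    leaf ack {
      type empty;
      description "Set Acknowledge bit";
    }
    leaf no-ack {
      type empty;
      description "Don't set Acknowledge bit";
    }
  } // choice ack-choice
  choice psh-choice {
    leaf psh {
      type empty;
      description "Set Push bit";
    }
    leaf no-psh {
      type empty;
      description "Don't set Push bit";
    }
  } // choice psh-choice
  choice rst-choice {
    leaf rst {
      type empty;
      description "Set Reset bit";
    }
    leaf no-rst {
      type empty;
      description "Don't set Reset bit";
    }
  } // choice rst-choice
  choice syn-choice {
    leaf syn {
      type empty;
      description "Set SYN bit";
    }
    leaf no-syn {
      type empty;
      description "Don't set SYN bit";
    }
  } // choice syn-choice
  choice fin-choice {
    leaf fin {
      type empty;
      description "Set FINish bit";
    }
    leaf no-fin {
      type empty;
      description "Don't set FINish bit";
    }
  } // choice fin-choice
} // container tcp-flags
container option {
  presence "enable option";
  /* TCP option "kind" byte. */
  description "Kind";
  leaf match {
    type enumeration {
      enum "equal" {
        value 0;
        description "Match when value in packet is exact match";
      }
      enum "greater-than" {
        value 1;
        description "Match when value in packet is greater";
      }
      enum "less-than" {
        value 2;
        description "Match when value in packet is less";
      }
      enum "not-equal" {
        value 3;
        description "Match when value in packet is not exact match";
      }
    }
    description "Match condition";
  }
  leaf value {
    type union {
      type string {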
pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container option container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by TCP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 255"; } } description "Match value"; } } // container data-length container window-scale { presence "enable window-scale"; description "Window scale"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container window-scale container mss { presence "enable mss"; description "Maximum Segment Size"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container mss container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container tcp container udp { junos:must "((!(".. tcp") && !(".. 
icmp")))"; junos:must-message "udp cannot be specified with tcp or icmp"; description "UDP protocol parameters"; uses apply-advanced; container source-port { presence "enable source-port"; description "Source port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container source-port container destination-port { presence "enable destination-port"; description "Destination port"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container destination-port container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by UDP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container udp container icmp { junos:must "((!(".. udp") && (!(".. tcp") && !(".. 
icmpv6"))))"; junos:must-message "icmp cannot be specified with tcp or udp or icmpv6"; description "ICMP protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence Number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IP datagram subtracted by ICMP header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmp container icmpv6 { junos:must "((!(".. udp") && (!(".. tcp") && !(".. 
icmp"))))"; junos:must-message "icmpv6 cannot be specified with tcp or udp or icmp"; description "ICMPv6 protocol parameters"; uses apply-advanced; container type { presence "enable type"; description "Type"; uses apply-advanced; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container type container code { presence "enable code"; description "Code"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Match value"; } } // container code container identification { presence "enable identification"; description "Identifier in echo request/reply"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Match value"; } } // container identification container sequence-number { presence "enable sequence-number"; description "Sequence number"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Match value"; } } // container sequence-number container data-length { presence "enable data-length"; description "Size of IPv6 datagram subtracted by ICMPv6 header length"; leaf match { type enumeration { enum "equal" { value 0; description "Match when value in packet is exact match"; } enum "greater-than" { value 1; description "Match when value in packet is greater"; } enum "less-than" { value 2; description "Match when value in packet is less"; } enum "not-equal" { value 3; description "Match when value in packet is not exact match"; } } description "Match condition"; } leaf value { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Match value"; } } // container data-length container checksum-validate { presence "enable checksum-validate"; description "Validate checksum field against calculated checksum"; leaf match { junos:must "(".. value")"; junos:must-message "Missing mandatory statement: 'value'"; type enumeration { enum "equal" { value 0; description "Match when checksum field in packet is exact match"; } enum "greater-than" { value 1; description "Match when checksum field in packet is greater"; } enum "less-than" { value 2; description "Match when checksum field in packet is less"; } enum "not-equal" { value 3; description "Match when checksum field in packet is not exact match"; } } description "Match condition"; } leaf value { junos:must "(".. match")"; junos:must-message "Missing mandatory statement: 'match'"; type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } default "0"; description "Match value"; } } // container checksum-validate } // container icmpv6 } // container protocol } // container signature container anomaly { junos:must "(!(".. 
signature"))"; junos:must-message "Only one attack type is permitted"; description "Protocol anomaly"; uses apply-advanced; leaf test { type string; description "Protocol anomaly condition to be checked"; } leaf direction { type enumeration { enum "client-to-server" { value 0; description "From Client to Server"; } enum "server-to-client" { value 1; description "From Server to Client"; } enum "any" { value 2; description "Any direction"; } } description "Direction"; } leaf shellcode { type enumeration { enum "intel" { value 0; description "Detect shellcode for intel platforms"; } enum "sparc" { value 1; description "Detect shellcode for sparc platforms"; } enum "all" { value 2; description "Detect shellcode for both intel and sparc platforms"; } enum "no-shellcode" { value 3; description "Do not detect shellcode"; } } description "Specify shellcode flag for this attack"; } } // container anomaly } // container attack-type } // grouping chain-member-type grouping dynamic-attack-group-type { description "Define dynamic attack group"; leaf name { type string; description "Name of the dynamic attack group"; } uses apply-advanced; leaf attack-group-description { type string; status deprecated; description "Filter name/value in xml format"; } container filters { description "Configure filters"; uses apply-advanced; container direction { presence "enable direction"; description "Direction of attack"; uses apply-advanced; leaf expression { type enumeration { enum "and" { value 0; description "AND values together (recommended if 'exclude-*' values are set)"; } enum "or" { value 1; description "OR values together"; } } default "or"; description "Boolean AND/OR to be used for values"; } leaf-list values { type enumeration { enum "client-to-server" { value 0; description "Select attacks from client to server"; } enum "server-to-client" { value 1; description "Select attacks from server to client"; } enum "any" { value 2; description "Select attacks which can occur in either 
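direction";
}
enum "exclude-client-to-server" {
  value 3;
  description "Filter out attacks from client to server";
}
enum "exclude-server-to-client" {
  value 4;
  description "Filter out attacks from server to client";
}
enum "exclude-any" {
  value 5;
  description "Filter out attacks which occur in either direction";
}
}
ordered-by user;
description "Values for direction field";
}
} // container direction
container severity {
  presence "enable severity";
  description "Severity of attack";
  uses apply-advanced;
  /* Ordered list of severities the dynamic group selects on. */
  leaf-list values {
    type enumeration {
      enum "info" {
        value 0;
        description "Provide information of attack when it matches.";
      }
      enum "warning" {
        value 1;
        description "Issue a warning when attack matches.";
      }
      enum "minor" {
        value 2;
        description "The attack is a minor one.";
      }
      enum "major" {
        value 3;
        description "The attack is a major one.";
      }
      enum "critical" {
        value 4;
        description "The attack is a critical one.";
      }
    }
    ordered-by user;
    description "Values for severity field";
  }
} // container severity
container type {
  presence "enable type";
  description "Type of attack";
  uses apply-advanced;
  leaf-list values {
    type enumeration {
      enum "signature" {
        value 0;
        description "Signature based attacks";
      }
      enum "anomaly" {
        value 1;
        description "Protocol anomalies";
      }
    }
    ordered-by user;
    description "Values for type field";
  }
} // container type
/* Presence-flag pair; only one of the two can be configured. */
choice recommended-choice {
  leaf recommended {
    type empty;
    description "Recommended flag";
  }
  leaf no-recommended {
    type empty;
    description "Recommended flag not set";
  }
} // choice recommended-choice
container performance {
  presence "enable performance";
  description "Performance of attack";
  uses apply-advanced;
  leaf-list values {
    type enumeration {
      enum "unknown" {
        value 0;
        description "Performance level unknown";
      }
      enum "fast" {
        value 1;
        description "Fast performance";
      }
      enum "normal" {
        value 2;
        description "Normal performance";
      }
      enum "slow" {
        value 3;
        description "Slow performance";
      }
    }
    ordered-by user;
    description "Values for performance field";
  }
} // container performance
container category {
  presence "enable category";
  description "Category of attack";
  uses apply-advanced;
  /* Free-form strings; the schema does not constrain them to the
     categories present in the installed signature database. */
  leaf-list values {
    type string;
    ordered-by user;
    description "Values for category field";
  }
} // container category
container service {
  presence "enable service";
  description "Service/Application of attack";
  uses apply-advanced;
  leaf-list values {
    type string;
    ordered-by user;
    description "Values for service field";
  }
} // container service
container false-positives {
  presence "enable false-positives";
  description "False positive field in attack";
  uses apply-advanced;
  leaf-list values {
    type enumeration {
      enum "unknown" {
        value 0;
        description "Unknown information";
      }
      enum "rarely" {
        value 1;
        description "Rare false positives occurrence";
      }
      enum "occasionally" {
        value 2;
        description "Occasional false positives occurrence";
      }
      enum "frequently" {
        value 3;
        description "Frequent false positives occurrence";
      }
    }
    ordered-by user;
    description "Values for false-positives field";
  }
} // container false-positives
list vendor {
  key "name";
  ordered-by user;
  description "Vendor/Product the attack belongs to";
  uses vendor-object;
} // list vendor
container file-type {
  presence "enable file-type";
  description "File type the attack is valid for";
  uses apply-advanced;
  leaf-list values {
    type string;
    ordered-by user;
    description "Values for file-type field";
  }
} // container file-type
container vulnerability-type {
  presence "enable vulnerability-type";
  description "Vulnerability type of attack";
  uses apply-advanced;
  leaf-list values {
    type string;
    ordered-by user;
    description "Values for vulnerability-type field";
  }
} // container vulnerability-type
/* Presence-flag pair; only one of the two can be configured. */
choice excluded-choice {
  leaf excluded {
    type empty;
    description "Excluded Attacks";
  }
  leaf no-excluded {
    type empty;
    description "Excluded flag not set";
  }
} // choice excluded-choice
container attack-prefix {
  presence "enable attack-prefix";
  description "Prefix match for attack names";
  uses 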
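apply-advanced;
  leaf-list values {
    type string;
    ordered-by user;
    description "Values for attack name prefix match";
  }
} // container attack-prefix
list cvss-score {
  key "name";
  ordered-by user;
  description "CVSS score of Attack ";
  leaf name {
    /* An entry is meaningless without a score to compare against, so the
       presence check for 'value' sits on the key leaf, mirroring the
       match/value pair used by checksum-validate in this module. It used
       to sit on 'value' itself and reference '.. value', which is
       satisfied whenever 'value' exists and therefore enforced nothing. */
    junos:must "(".. value")";
    junos:must-message "Missing mandatory statement: 'value'";
    type enumeration {
      enum "greater-than" {
        value 0;
        description "Match when cvss score is greater";
      }
      enum "less-than" {
        value 1;
        description "Match when cvss score is less";
      }
    }
    description "Match condition of CVSS score";
  }
  uses apply-advanced;
  leaf value {
    /* CVSS base scores are 0.0 .. 10.0. */
    type decimal64 {
      fraction-digits 9;
      range "0 .. 10";
    }
    description "Match value";
  }
} // list cvss-score
list age-of-attack {
  key "name";
  ordered-by user;
  description "Age of an Attack ";
  leaf name {
    /* Same fix as cvss-score: the 'value' presence check belongs on the
       key leaf, not on 'value' itself. */
    junos:must "(".. value")";
    junos:must-message "Missing mandatory statement: 'value'";
    type enumeration {
      enum "greater-than" {
        value 0;
        description "Match when Age of Attack is greater";
      }
      enum "less-than" {
        value 1;
        description "Match when Age of Attack is less";
      }
    }
    description "Match condition of Age of Attack";
  }
  uses apply-advanced;
  leaf value {
    /* NOTE(review): the unit of the 1 .. 100 range is not stated in this
       module -- confirm before relying on it. */
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "1 .. 100";
      }
    }
    description "Match value";
  }
} // list age-of-attack
} // container filters
} // grouping dynamic-attack-group-type
grouping idp-policy-type {
  leaf name {
    type string;
    description "IDP policy name";
  }
  container rulebase-ips {
    description "IPS rulebase";
    uses apply-advanced;
    /* Rules are evaluated in the user-given order. */
    list rule {
      key "name";
      ordered-by user;
      description "Configure IPS rule";
      leaf name {
        type string;
        description "Rule name";
      }
      uses apply-advanced;
      leaf description {
        type string;
        description "Rule description";
      }
      container match {
        description "Rule match criteria";
        uses apply-advanced;
        leaf from-zone {
          junos:must "((".. 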
from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } leaf-list source-prefix { type jt:ipv4prefix; ordered-by user; description "Match source address"; } leaf-list source-prefix-except { type jt:ipv4prefix; ordered-by user; description "Don't match source address"; } } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } leaf-list destination-prefix { type jt:ipv4prefix; ordered-by user; description "Match destination address"; } leaf-list destination-prefix-except { type jt:ipv4prefix; ordered-by user; description "Don't match destination address"; } } // choice destination leaf application { type string; description "Specify application or application-set name to match"; } container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list 
predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } // container match container then { uses apply-advanced; container action { choice action { leaf no-action { type empty; description "No action"; } leaf ignore-connection { type empty; description "Ignore"; } container mark-diffserv { description "Mark differentiated services codepoint (DSCP)"; uses apply-advanced; leaf codepoint { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Codepoint value"; } } // container mark-diffserv case case_4 { } // case case_4 leaf drop-packet { type empty; description "Drop packet"; } leaf drop-connection { type empty; description "Drop connection"; } leaf close-client { type empty; description "Close client"; } leaf close-server { type empty; description "Close server"; } leaf close-client-and-server { type empty; description "Close client and server"; } leaf recommended { junos:must "(".. .. .. 
match attacks")"; junos:must-message "attacks must also be configured."; type empty; description "Recommended"; } } // choice action } // container action container ip-action { uses apply-advanced; choice ip-action { leaf ip-notify { type empty; description "Notify about future traffic"; } leaf ip-close { type empty; description "Close future connections"; } leaf ip-block { type empty; description "Block future connections"; } } // choice ip-action leaf target { type enumeration { enum "service" { value 0; description "Match source, destination, dst-port and protocol"; } enum "source-zone-address" { value 1; description "Match source-zone and source-address"; } enum "source-address" { value 2; description "Match source"; } enum "destination-address" { value 3; description "Match destination"; } enum "zone-service" { value 4; description "Match source-zone, destination, dst-port, protocol"; } enum "source-zone" { value 5; description "Match source-zone"; } } } leaf log { type empty; description "Log IP action taken"; } leaf log-create { type empty; description "Log IP action creation"; } leaf timeout { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 64800"; } } description "Number of seconds IP action should remain effective"; } leaf refresh-timeout { junos:must "(".. 
timeout")"; junos:must-message "timeout must be specified"; type empty; description "Refresh timeout when future connections match installed ip-action filter"; } } // container ip-action container notification { presence "enable notification"; description "Configure notification/logging options"; uses apply-advanced; container log-attacks { presence "enable log-attacks"; description "Enable attack logging"; uses apply-advanced; leaf alert { type empty; description "Set alert flag in attack log"; } } // container log-attacks } // container notification leaf severity { type enumeration { enum "info" { value 0; } enum "warning" { value 1; } enum "minor" { value 2; } enum "major" { value 3; } enum "critical" { value 4; } } description "Set rule severity level"; } container application-services { description "Enable application services for this rule"; container security-intelligence { description "Generate security intelligence feeds"; leaf add-attacker-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } leaf add-target-ip-to-feed { type string { length "1 .. 64"; } description "Specify the desired feed-name"; } } // container security-intelligence } // container application-services } // container then leaf terminal { type empty; description "Set/Unset terminal flag"; } } // list rule } // container rulebase-ips container rulebase-exempt { description "Exempt rulebase"; uses apply-advanced; list rule { key "name"; ordered-by user; description "Configure exempt rule"; leaf name { type string; description "Rule name"; } uses apply-advanced; leaf description { type string; description "Rule description"; } container match { description "Rule match criteria"; uses apply-advanced; leaf from-zone { junos:must "((".. 
from-zone any" || "security zones security-zone $$"))"; junos:must-message "from-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match from zone"; } choice source { leaf-list source-address { type string; ordered-by user; description "Match source address"; } leaf-list source-except { type string; ordered-by user; description "Don't match source address"; } leaf-list source-prefix { type jt:ipv4prefix; ordered-by user; description "Match source address"; } leaf-list source-prefix-except { type jt:ipv4prefix; ordered-by user; description "Don't match source address"; } } // choice source leaf to-zone { junos:must "((".. to-zone any" || "security zones security-zone $$"))"; junos:must-message "to-zone should be 'any' or configured under [security zones security-zone]"; type string; default "any"; description "Match to zone"; } choice destination { leaf-list destination-address { type string; ordered-by user; description "Match destination address"; } leaf-list destination-except { type string; ordered-by user; description "Don't match destination address"; } leaf-list destination-prefix { type jt:ipv4prefix; ordered-by user; description "Match destination address"; } leaf-list destination-prefix-except { type jt:ipv4prefix; ordered-by user; description "Don't match destination address"; } } // choice destination container attacks { description "Match attack objects"; uses apply-advanced; leaf-list custom-attacks { type string; ordered-by user; description "Custom attacks"; } leaf-list custom-attack-groups { type string; ordered-by user; description "Custom attack groups"; } leaf-list dynamic-attack-groups { type string; ordered-by user; description "Dynamic attack groups"; } leaf-list predefined-attacks { type string; ordered-by user; description "Predefined attacks"; } leaf-list predefined-attack-groups { type string; ordered-by user; description "Predefined attack groups"; } } // container attacks } 
// container match } // list rule } // container rulebase-exempt } // grouping idp-policy-type grouping idpd-traceoptions-type { description "Trace options for idpd"; uses apply-advanced; leaf no-remote-trace { junos:must "("system tracing")"; junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured"; type empty; description "Disable remote tracing"; } container file { description "Trace file information"; leaf filename { type string { junos:posix-pattern "![/ %]"; junos:pattern-message "Must not contain '/', % or a space"; length "1 .. 1024"; } description "Name of file in which to write trace information"; } leaf size { type string; description "Maximum trace file size"; } leaf files { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "2 .. 1000"; } } default "3"; description "Maximum number of trace files"; } choice world-readable-choice { leaf world-readable { type empty; description "Allow any user to read the log file"; } leaf no-world-readable { type empty; description "Don't allow any user to read the log file"; } } // choice world-readable-choice leaf match { type jt:regular-expression; description "Regular expression for lines to be logged"; } } // container file list flag { key "name"; ordered-by user; description "Events and other information to include in trace output"; leaf name { type enumeration { enum "all" { value 0; description "All events"; } } description "Flag name to include in trace output"; } } // list flag leaf level { type enumeration { enum "error" { value 0; description "Match error conditions"; } enum "warning" { value 1; description "Match warning messages"; } enum "notice" { value 2; description "Match conditions that should be handled specially"; } enum "info" { value 3; description "Match informational messages"; } enum "verbose" { value 4; description "Match verbose messages"; } enum "all" { value 5; description "Match all levels"; } } default "error"; description "Level of 
debugging output"; } } // grouping idpd-traceoptions-type grouping log-object { description "Configure auditable security logs"; uses apply-advanced; list exclude { key "name"; ordered-by user; status deprecated; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; status deprecated; description "Limit number of security log entries to keep in memory"; } container cache { presence "enable cache"; description "Cache security log events in the audit log buffer"; uses apply-advanced; list exclude { junos:must "(!(".. .. 
exclude"))"; junos:must-message "'security log cache exclude' and 'security log exclude' are mutually exclusive"; key "name"; ordered-by user; description "List of security log criteria to exclude from the audit log"; leaf name { type string; description "Exclude criteria name"; } uses apply-advanced; leaf destination-address { type jt:ipaddr; description "Destination address"; } leaf destination-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Destination port"; } leaf event-id { type string; description "Event ID filter"; } leaf failure { type empty; description "Event was a failure"; } leaf interface-name { type string; description "Name of interface"; } leaf policy-name { type string; description "Policy name filter"; } leaf process { type string; description "Process that generated the event"; } leaf protocol { type string; description "Protocol filter"; } leaf source-address { type jt:ipaddr; description "Source address"; } leaf source-port { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Source port"; } leaf success { type empty; description "Event was successful"; } leaf username { type string; description "Username filter"; } } // list exclude leaf limit { junos:must "(!(".. .. 
limit"))"; junos:must-message "'security log cache limit' and 'security log limit' are mutually exclusive"; type union { type uint32; type string { pattern "<.*>|$.*"; } } default "10000"; description "Limit number of security log entries to keep in memory"; } } // container cache list host { key "name"; max-elements 10; ordered-by user; leaf name { type string { junos:posix-pattern "^[[:alnum:]:._-]+$"; junos:pattern-message "Must be a string of letters, numbers, dashes, colons or underscores"; } description "Name of host to notify"; } uses apply-advanced; list contents { key "name"; leaf name { type enumeration { enum "services" { value 0; description "Adaptive Services PIC"; } } description "Facility type"; } choice level { leaf any { type empty; description "All levels"; } leaf emergency { type empty; description "Panic conditions"; } leaf alert { type empty; description "Conditions that should be corrected immediately"; } leaf critical { type empty; description "Critical conditions"; } leaf error { type empty; description "Error conditions"; } leaf warning { type empty; description "Warning messages"; } leaf notice { type empty; description "Conditions that should be handled specially"; } leaf info { type empty; description "Informational messages"; } leaf none { type empty; description "No messages"; } } // choice level } // list contents leaf facility-override { type enumeration { enum "authorization" { value 0; description "Authorization system"; } enum "daemon" { value 1; description "Various system processes"; } enum "ftp" { value 2; description "FTP process"; } enum "kernel" { value 3; description "Kernel"; } enum "user" { value 4; description "User processes"; } enum "local0" { value 5; description "Local logging option number 0"; } enum "local1" { value 6; description "Local logging option number 1"; } enum "local2" { value 7; description "Local logging option number 2"; } enum "local3" { value 8; description "Local logging option number 3"; } enum 
"local4" { value 9; description "Local logging option number 4"; } enum "local5" { value 10; description "Local logging option number 5"; } enum "local6" { value 11; description "Local logging option number 6"; } enum "local7" { value 12; description "Local logging option number 7"; } } description "Alternate facility for logging to remote host"; } leaf log-prefix { type string { junos:posix-pattern "![ =:]{1,15}"; junos:pattern-message "Must be a string of 15 characters or less"; } description "Prefix for all logging to this host"; } leaf port { type union { type string { pattern "<.*>|$.*"; } type uint16 { range "1 .. 65535"; } } description "UDP port for syslogd on the host"; } container class { description "Syslog messages classes"; uses apply-advanced; container session-logs { presence "enable session-logs"; description "Allow syslog messages for session events"; uses apply-advanced; container open { presence "enable open"; description "Allow syslog messages for session open events"; } // container open container close { presence "enable close"; description "Allow syslog messages for session close events"; } // container close } // container session-logs container packet-logs { presence "enable packet-logs"; description "Allow syslog messages for packet related events"; } // container packet-logs container stateful-firewall-logs { presence "enable stateful-firewall-logs"; description "Allow syslog messages for stateful firewall events"; } // container stateful-firewall-logs container alg-logs { presence "enable alg-logs"; description "Allow syslog messages for ALG events"; } // container alg-logs container nat-logs { presence "enable nat-logs"; description "Allow syslog messages for NAT events"; uses apply-advanced; container deterministic-nat-configuration-log { presence "enable deterministic-nat-configuration-log"; description "Allow syslog messages for Deterministic NAT config events"; } // container deterministic-nat-configuration-log } // container 
nat-logs container ids-logs { presence "enable ids-logs"; description "Allow syslog messages for IDS events"; } // container ids-logs container pcp-logs { presence "enable pcp-logs"; description "PCP logs"; container map { presence "enable map"; description "Allow syslog messages for PCP"; } // container map container debug { presence "enable debug"; description "Allow PCP debug syslogs"; } // container debug } // container pcp-logs container ha-logs { description "Stateful high availability logs"; uses apply-advanced; container open-synchronized { presence "enable open-synchronized"; description "Allow syslog message for session open events"; } // container open-synchronized container close-synchronized { presence "enable close-synchronized"; description "Allow syslog message for session close events"; } // container close-synchronized } // container ha-logs container urlf-logs { presence "enable urlf-logs"; description "Allow syslog messages for URLF events"; } // container urlf-logs } // container class leaf source-address { type jt:ipv4addr; description "Use specified address as source address"; } container tcp-log { presence "enable tcp-log"; description "Enable tcp log for this service-set"; uses apply-advanced; leaf source-address { junos:must "(!(".. .. source-address"))"; junos:must-message "source-address must not be configured under host when tcp-log is configured"; type jt:ipaddr; description "Source address for tcp logging"; } leaf vrf-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string; description "Routing instance name for tcp logging"; } leaf ssl-profile { junos:must "("services ssl initiation profile $$")"; junos:must-message "referenced ssl profile must be defined"; type string { length "1 .. 
63"; } description "SSL profile name for tcp logging"; } } // container tcp-log } // list host leaf message-rate-limit { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 2147483647"; } } units "messages per second"; description "Maximum syslog messages per second allowed from this interface. Applies per member if set at aggregate level"; } } // grouping log-object grouping logical-system-type { description "Logical system name"; leaf name { junos:must "("logical-systems $$")"; junos:must-message "Logical systems must be defined under [logical-systems] "; type string; description "Logical system name"; } uses apply-advanced; leaf max-sessions { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Max number of IDP sessions"; } } // grouping logical-system-type grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping port-range { description "Port ranges"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "Single port/minimum port in the port range"; } leaf maximum-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
65535"; } } description "Maximum port in the port range"; } } // grouping port-range grouping proto-object { leaf name { type string; } uses apply-advanced; list tunable-name { key "name"; ordered-by user; description "Protocol tunable name"; uses tunable-object; } // list tunable-name } // grouping proto-object grouping security-authentication-key-chains { uses apply-advanced; list key-chain { key "name"; description "Key chain configuration"; leaf name { type string { junos:posix-pattern "!^((__.*__)|(.*[ ].*)|(.{33,}))$"; junos:pattern-message "Must be string of 32 characters or less with no spaces"; } description "Name of authentication key chain"; } uses apply-advanced; leaf description { type string { length "1 .. 80"; } description "Text description of this authentication-key-chain"; } leaf tolerance { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 4294967295"; } } units "seconds"; default "3600"; description "Clock skew tolerance"; } list key { key "name"; description "Authentication element configuration"; leaf name { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 63"; } } description "Authentication element identifier"; } uses apply-advanced; leaf secret { type string { length "1 .. 126"; } description "Authentication key"; } leaf key-name { type string { junos:posix-pattern "^([0-9a-fA-F][0-9a-fA-F]){1,32}$"; junos:pattern-message "Must be an even-length string up to 64 hexadecimal digits (0-9, a-f, A-F)"; length "2 .. 64"; } description "Key name in hexadecimal format used for macsec"; } leaf start-time { type jt:time; description "Start time for key transmission (YYYY-MM-DD.HH:MM)"; } leaf algorithm { type enumeration { enum "md5" { value 0; description "Message Digest 5"; } enum "hmac-sha-1" { junos:must "(".. 
options isis-enhanced")"; junos:must-message "sha algorithm requires isis-enhanced"; value 1; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "ao" { value 2; description "TCP Authentication Option"; } } default "md5"; description "Authentication algorithm"; } leaf options { type enumeration { enum "basic" { value 0; description "Rudimentary encoding format"; } enum "isis-enhanced" { value 1; description "RFC 5310 based encoding"; } } default "basic"; description "Protocol's transmission encoding format"; } container ao-attribute { junos:must "(!(".. authentication-key"))"; junos:must-message "Cannot be configured with authentication-key"; junos:must "(".. algorithm ao")"; junos:must-message "Can only be configured with authentication-algorithm ao"; description "TCP Authentication option attributes"; uses apply-advanced; leaf send-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Send id for TCP-AO entry"; } leaf recv-id { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Recv id for TCP-AO entry"; } leaf tcp-ao-option { type enumeration { enum "enabled" { value 0; description "Include the TCP-AO option"; } enum "disabled" { value 1; description "Do not include the TCP-AO option"; } } default "disabled"; description "Include TCP-AO option within message header"; } leaf cryptographic-algorithm { type enumeration { enum "hmac-sha-1-96" { value 0; description "Hash-based Message Authentication Code (SHA1) (96 bits)"; } enum "aes-128-cmac-96" { value 1; description "Cipher-based Message Authentication Code (AES128) (96 bits)"; } } default "hmac-sha-1-96"; description "Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation"; } } // container ao-attribute } // list key } // list key-chain } // grouping security-authentication-key-chains grouping security-pki { uses apply-advanced; list ca-profile { key "name"; ordered-by user; description "Certificate authority profile configuration"; leaf name { type string { junos:posix-pattern "![/%. ]"; junos:pattern-message "Must not contain '/', %, '.' or a space"; length "1 .. 
32"; } description "Name of certificate authority profile"; } uses apply-advanced; leaf ca-identity { type string; description "Certificate authority identifier"; } leaf source-address { type jt:ipaddr; description "Use specified address as source address"; } leaf proxy-profile { junos:must "("services proxy profile $$")"; junos:must-message "Referenced Proxy profile must be defined under [edit services proxy profile]"; type string; description "Use specified proxy server"; } leaf routing-instance { junos:must "(("routing-instances $$" || any "tenants <*> routing-instances $$"))"; junos:must-message "referenced routing-instance must be defined"; type string; description "Use specified routing instance"; } container enrollment { description "Enrollment parameters for certificate authority"; uses apply-advanced; leaf url { type string; description "Enrollment URL of certificate authority"; } leaf retry { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1080"; } } default "1000"; description "Number of enrollment retry attempts before aborting"; } leaf retry-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 3600"; } } default "600"; description "Interval in seconds between the enrollment retries"; } } // container enrollment container revocation-check { description "Method for checking certificate revocations"; uses apply-advanced; choice revocation-check-options { leaf use-crl { type empty; description "Use CRL for revocation check"; } leaf use-ocsp { type empty; description "Use OCSP for revocation check"; } leaf disable { type empty; description "Disable revocation check"; } } // choice revocation-check-options container ocsp { presence "enable ocsp"; description "Online Certificate Status Protocol (OCSP) configuration"; uses apply-advanced; list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 
500"; } description "HTTP URL for OCSP access location"; } uses apply-advanced; } // list url leaf nonce-payload { type enumeration { enum "enable" { value 0; description "Send nonce payload in OCSP request"; } enum "disable" { value 1; description "Do not send nonce payload in OCSP request"; } } description "Include nonce payload in OCSP requests"; } leaf disable-responder-revocation-check { type empty; description "Disable OCSP responder certificate revocation check"; } leaf accept-unknown-status { type empty; description "Accept certificates with unknown status"; } container connection-failure { presence "enable connection-failure"; description "Actions on failure to connect to OCSP Responder"; uses apply-advanced; choice connection-failure-options { leaf fallback-crl { type empty; description "Use CRL for revocation check"; } leaf disable { type empty; description "Disable OCSP check on connection failure"; } } // choice connection-failure-options } // container connection-failure } // container ocsp container crl { description "Certificate revocation list configuration"; uses apply-advanced; container disable { leaf on-download-failure { type empty; description "Check revocation status with existing CRL file if present, otherwise skip. This feature must be enabled for manual CRL download."; } } // container disable list url { key "name"; ordered-by user; leaf name { type string { length "1 .. 500"; } description "URL of CRL distribution point for certificate authority"; } uses apply-advanced; leaf password { type jt:unreadable; description "Password for authentication with the server"; } } // list url leaf refresh-interval { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
8784"; } } units "hours"; description "CRL refresh interval"; } } // container crl } // container revocation-check container administrator { description "Administrator information"; uses apply-advanced; leaf email-address { type string; description "Administrator e-mail to which to send certificate requests"; } } // container administrator } // list ca-profile list trusted-ca-group { key "name"; ordered-by user; description "Trusted Certificate Authority group configuration"; leaf name { type string { length "1 .. 63"; } description "Name of the trusted CA group"; } uses apply-advanced; leaf-list ca-profiles { type string { length "1 .. 63"; } max-elements 20; ordered-by user; description "Name of the CA profiles (maximum 20)"; } } // list trusted-ca-group container trap { presence "enable trap"; description "Trap options for PKI certificates"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "Local certificate identifier"; leaf name { type string; description "Local cert id"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list certificate-id list ca-identity { key "name"; ordered-by user; description "CA identity"; leaf name { junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string; description "CA profile"; } uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // list ca-identity container all-certificates { presence "enable all-certificates"; description "Trap config for all certificates"; uses apply-advanced; leaf days { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
100"; } } default "60"; description "Number of days to generate trap (default 60)"; } } // container all-certificates } // container trap container auto-re-enrollment { description "Auto re-enroll of certificate"; uses apply-advanced; container cmpv2 { presence "enable cmpv2"; description "CMPv2 auto re-enrollment configuration"; uses apply-advanced; list certificate-id { key "name"; ordered-by user; description "CMPv2 auto re-enrollment configuration for certificate-id"; leaf name { type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Certificate identifier that needs auto re-enrollment"; } uses apply-advanced; leaf ca-profile-name { junos:must "("security pki ca-profile $$ enrollment url")"; junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]"; junos:must "("security pki ca-profile $$")"; junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]"; type string { junos:posix-pattern "^.{1,32}$"; junos:pattern-message "Must be string of 32 characters or less"; } description "Name of certificate authority profile"; } leaf re-enroll-trigger-time-percentage { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
99"; } }
          // (closing tokens of the cmpv2 certificate-id entry; that list starts above this chunk)
          description "Re-enrollment trigger time before expiration as percentage";
        }
        leaf re-generate-keypair {
          // Presence flag: requests a fresh key-pair at auto re-enrollment. What the
          // device does when the flag is absent is not stated in this module.
          type empty;
          description "Generate new key-pair for auto-re-enrollment";
        }
      } // list certificate-id
    } // container cmpv2

    // SCEP-based auto re-enrollment. Security review notes for this subtree:
    //  * the only SCEP encryption algorithms modelled are DES and 3DES and the only
    //    digests are MD5 and SHA-1 -- all legacy/broken algorithms. Nothing stronger is
    //    offered at these nodes, and the device behaviour when the presence containers
    //    are absent is not visible from this schema; confirm the platform default
    //    before relying on it.
    //  * challenge-password is a credential shared with the CA (see its description).
    container scep {
      presence "enable scep";
      description "SCEP auto re-enrollment configuration";
      uses apply-advanced;
      list certificate-id {
        key "name";
        ordered-by user; // entries keep the order the operator configured them in
        description "SCEP auto re-enrollment configuration for certificate-id";
        leaf name {
          type string {
            junos:posix-pattern "^.{1,32}$";
            junos:pattern-message "Must be string of 32 characters or less";
          }
          description "Certificate identifier that needs auto re-enrollment";
        }
        uses apply-advanced;
        leaf ca-profile-name {
          // Two referential checks on the named profile: it must exist under
          // [edit security pki ca-profile] and it must have an enrollment url.
          junos:must "("security pki ca-profile $$ enrollment url")";
          junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]";
          junos:must "("security pki ca-profile $$")";
          junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]";
          type string {
            junos:posix-pattern "^.{1,32}$";
            junos:pattern-message "Must be string of 32 characters or less";
          }
          description "Name of certificate authority profile";
        }
        leaf re-generate-keypair {
          type empty;
          description "Generate new key-pair for auto-re-enrollment";
        }
        leaf re-enroll-trigger-time-percentage {
          // Integer branch is 1..99 (a percentage of time before expiration; the base
          // is not stated here). The string branch admits "<...>" / "$..." forms,
          // presumably Junos group wildcards and configuration variables.
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "1 .. 99";
            }
          }
          description "Re-enrollment trigger time before expiration as percentage";
        }
        leaf challenge-password {
          // jt:unreadable is defined in the imported junos-common-types module; the
          // name suggests an obscured/secret string type -- confirm there. Treat the
          // value as a credential: keep it out of exported configs and trace output.
          type jt:unreadable;
          description "Password used by CA for enrollment and revocation";
        }
        container scep-encryption-algorithm {
          presence "enable scep-encryption-algorithm";
          description "SCEP encryption algorithm";
          uses apply-advanced;
          // Only DES and 3DES are modelled, both legacy ciphers. No default is
          // declared for this choice.
          choice scep-encryption-algorithm-options {
            leaf des {
              type empty;
              description "Use DES as SCEP encryption algorithm";
            }
            leaf des3 {
              type empty;
              description "Use DES3 as SCEP encryption algorithm";
            }
          } // choice scep-encryption-algorithm-options
        } // container scep-encryption-algorithm
        container scep-digest-algorithm {
          presence "enable scep-digest-algorithm";
          description "SCEP digest algorithm";
          uses apply-advanced;
          // Only MD5 and SHA-1 are modelled; both are collision-broken. No default
          // is declared for this choice.
          choice scep-digest-algorithm-options {
            leaf md5 {
              type empty;
              description "Use MD5 as SCEP digest algorithm";
            }
            leaf sha1 {
              type empty;
              description "Use SHA1 as SCEP digest algorithm";
            }
          } // choice scep-digest-algorithm-options
        } // container scep-digest-algorithm
      } // list certificate-id
    } // container scep

    // Un-nested variant of the SCEP list above: same key, constraints and algorithm
    // choices, plus the deprecated validity-period leaf. It sits directly under
    // auto-re-enrollment, so the security notes on the scep container apply here too.
    list certificate-id {
      key "name";
      ordered-by user;
      description "Auto re-enrollment configuration for certificate-id";
      leaf name {
        type string {
          junos:posix-pattern "^.{1,32}$";
          junos:pattern-message "Must be string of 32 characters or less";
        }
        description "Certificate identifier that needs auto re-enrollment";
      }
      uses apply-advanced;
      leaf ca-profile-name {
        // Same two referential checks as in the scep list: profile must exist and
        // must carry an enrollment url.
        junos:must "("security pki ca-profile $$ enrollment url")";
        junos:must-message "Referenced ca-profile must have enrollment url configured under [edit security pki ca-profile <ca-profile-name> enrollment url]";
        junos:must "("security pki ca-profile $$")";
        junos:must-message "Referenced ca-profile must be defined under [edit security pki ca-profile]";
        type string {
          junos:posix-pattern "^.{1,32}$";
          junos:pattern-message "Must be string of 32 characters or less";
        }
        description "Name of certificate authority profile";
      }
      leaf re-generate-keypair {
        type empty;
        description "Generate new key-pair for auto-re-enrollment";
      }
      leaf re-enroll-trigger-time-percentage {
        // 1..99, or a "<...>" / "$..." string (see the scep list for the same union).
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 99";
          }
        }
        description "Re-enrollment trigger time before expiration as percentage";
      }
      leaf challenge-password {
        // Credential shared with the CA; jt:unreadable comes from junos-common-types.
        type jt:unreadable;
        description "Password used by CA for enrollment and revocation";
      }
      container scep-encryption-algorithm {
        presence "enable scep-encryption-algorithm";
        description "SCEP encryption algorithm";
        uses apply-advanced;
        // Only DES and 3DES are modelled, both legacy ciphers; no default declared.
        choice scep-encryption-algorithm-options {
          leaf des {
            type empty;
            description "Use DES as SCEP encryption algorithm";
          }
          leaf des3 {
            type empty;
            description "Use DES3 as SCEP encryption algorithm";
          }
        } // choice scep-encryption-algorithm-options
      } // container scep-encryption-algorithm
      container scep-digest-algorithm {
        presence "enable scep-digest-algorithm";
        description "SCEP digest algorithm";
        uses apply-advanced;
        // Only MD5 and SHA-1 are modelled, both collision-broken; no default declared.
        choice scep-digest-algorithm-options {
          leaf md5 {
            type empty;
            description "Use MD5 as SCEP digest algorithm";
          }
          leaf sha1 {
            type empty;
            description "Use SHA1 as SCEP digest algorithm";
          }
        } // choice scep-digest-algorithm-options
      } // container scep-digest-algorithm
      leaf validity-period {
        // Marked deprecated. Integer branch is 1..4095 days from the enrollment
        // start date; the string branch admits the "<...>" / "$..." forms.
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "1 .. 4095";
          }
        }
        status deprecated;
        description "Certificate validity period in days from enrollment start date";
      }
    } // list certificate-id
  } // container auto-re-enrollment

  // PKI tracing. The trace file can be made readable by any local user via the
  // world-readable choice below; PKI traces (enrollment, CRL checks, certificate
  // verification -- see the flag list) can carry sensitive detail, so prefer
  // no-world-readable. No default is declared for that choice in this module.
  container traceoptions {
    description "PKI trace options";
    uses apply-advanced;
    leaf no-remote-trace {
      // Only accepted once [system tracing] is configured; enforced by the must below.
      junos:must "("system tracing")";
      junos:must-message "'no-remote-trace' is valid only when [system tracing] is configured";
      type empty;
      description "Disable remote tracing";
    }
    container file {
      description "Trace file information";
      leaf filename {
        // A bare file name rather than a path: the pattern rejects '/', '%' and
        // spaces (its message states the intent; the leading '!' apparently negates
        // the class), so the value cannot point into another directory.
        type string {
          junos:posix-pattern "![/ %]";
          junos:pattern-message "Must not contain '/', % or a space";
          length "1 .. 1024";
        }
        description "Name of file in which to write trace information";
      }
      leaf size {
        // Free-form string; the accepted size format/units are not constrained here.
        type string;
        description "Maximum trace file size";
      }
      leaf files {
        // Rotation depth: 2..1000 files, default 3 (or a "<...>" / "$..." string).
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "2 .. 1000";
          }
        }
        default "3";
        description "Maximum number of trace files";
      }
      // world-readable grants every local user read access to the trace file;
      // no-world-readable is the safer setting. No default is declared.
      choice world-readable-choice {
        leaf world-readable {
          type empty;
          description "Allow any user to read the log file";
        }
        leaf no-world-readable {
          type empty;
          description "Don't allow any user to read the log file";
        }
      } // choice world-readable-choice
      leaf match {
        // jt:regular-expression is defined in the imported junos-common-types module.
        type jt:regular-expression;
        description "Regular expression for lines to be logged";
      }
    } // container file
    list flag {
      key "name";
      ordered-by user;
      description "Tracing parameters";
      leaf name {
        // Enum values 0..3; "all" (3) enables every flag.
        type enumeration {
          enum "certificate-verification" {
            value 0;
            description "PKI certificate verification tracing";
          }
          enum "online-crl-check" {
            value 1;
            description "PKI online crl tracing";
          }
          enum "enrollment" {
            value 2;
            description "PKI certificate enrollment tracing";
          }
          enum "all" {
            value 3;
            description "Trace with all flags enabled";
          }
        }
      }
    } // list flag
  } // container traceoptions
} // grouping security-pki

// Reusable tenant reference: the name must match a tenant configured under
// [tenants] (enforced by the must below), plus an IDP session cap.
grouping tenant-system-type {
  description "Tenant name";
  leaf name {
    junos:must "("tenants $$")";
    junos:must-message "Tenants must be defined under [tenants] ";
    type string;
    description "Tenant name";
  }
  uses apply-advanced;
  leaf max-sessions {
    // Unbounded uint32, or a "<...>" / "$..." string (presumably Junos group
    // wildcards and configuration variables).
    type union {
      type uint32;
      type string {
        pattern "<.*>|$.*";
      }
    }
    description "Max number of IDP sessions";
  }
} // grouping tenant-system-type

// Generic name/value pair for protocol tunables. The name leaf carries no
// description or pattern constraint in this module.
grouping tunable-object {
  leaf name {
    type string;
  }
  uses apply-advanced;
  leaf tunable-value {
    // Unbounded uint32, or a "<...>" / "$..." string.
    type union {
      type uint32;
      type string {
        pattern "<.*>|$.*";
      }
    }
    description "Protocol tunable value";
  }
} // grouping tunable-object

// Vendor / product name pair; both are unconstrained strings.
grouping vendor-object {
  leaf name {
    type string;
    description "Values for vendor field";
  }
  uses apply-advanced;
  leaf product-name {
    type string;
    description "Values for product field";
  }
} // grouping vendor-object
} // module junos-conf-security