Manual Chapter : Inspecting Protocol Anomalies

Applies To:


BIG-IP AFM

  • 14.1.3, 14.1.2, 14.1.0

Inspecting Protocol Anomalies

About protocol anomaly inspection

In the BIG-IP® Network Firewall, you can configure profiles to inspect traffic against protocol inspection items. Protocol inspection items are arranged in categories by the Service type. You can assign protocol inspection items individually or in groups. You can add a new inspection item by writing a valid Snort rule and defining matching characteristics. You can assign protocol inspection items to a firewall rule, or directly to a virtual server.
Rule precedence applies to protocol inspection profiles: the profile attached to the most granular context is applied. The one exception is that a profile on a virtual server firewall rule takes precedence over a profile applied directly to that virtual server. The order of precedence is:
  1. Profile applied to a virtual server firewall rule
  2. Profile applied directly to a virtual server
  3. Profile applied to a route domain
  4. Profile applied to the global context

Task list

Creating a protocol inspection profile

A protocol inspection profile collects rules for protocol inspection using preinstalled signatures defined by the Snort project, or custom signatures defined using the Snort syntax. Signatures are selected and added to the profile by Service, and you can narrow the scope of signatures by a number of other characteristics. You can enforce signatures, compliance items, or both.
  1. On the Main tab, click Security > Protocol Security > Inspection Profiles.
    The Inspection Profiles screen opens.
  2. Click Add and select New.
    Alternatively, copy an existing inspection profile by selecting the profile and clicking Add, then Clone Existing.
  3. Type a profile name, and optionally add a description.
  4. From the Signatures menu, select Enabled to enforce signatures.
    If you are enforcing only signature items, you can select Disabled for compliance items.
  5. From the Compliance menu, select Enabled to enforce compliance items.
    If you are enforcing only compliance items, you can select Disabled for signatures.
  6. To collect AVR statistics, from the AVR Stats Collect menu, select Enabled.
  7. From the Services menu, select the services you want to add to the inspection profile.
    Each selected service type displays as a new category at the bottom of the screen. By default, all inspection items are disabled. You must enable the items or categories you want to inspect.
  8. From Auto Approval Trigger, configure the threshold for automatically approving suggestions. You can use either a time-based threshold between 720 and 43200 minutes, or a confidence-based threshold between 0% and 100%. Only one threshold can be configured; enter 0 to disable the one you are not using.
    Confidence is the degree to which BIG-IP AFM, from its analysis of traffic, expects a signature not to produce false positives. A high percentage indicates a low false positive risk and a low percentage indicates a high false positive risk.
  9. To enable inspections in a service, click the service category name on the screen.
    The service category expands to show the inspections.
  10. Select the checkbox for the inspection you want to edit.
    The Edit Selected Inspections panel opens on the right of the screen.
  11. To enable the inspection, select Enable, and click Apply.
  12. To change the action for the selected inspection, from the Action menu select Accept, Reject, or Drop.
  13. To select whether the inspection item is logged, from the Log menu select Yes or No.
    You can select and edit multiple inspections at once. Select the checkbox at the top of a category to select and edit all inspections in that category.
  14. When you have finished adding services and editing inspections, click Commit Changes to System.
The Inspection Profiles screen appears and the inspection profile you created is displayed in the list.
You can attach a protocol inspection profile to a firewall rule or to a virtual server.

Viewing protocol inspection items

View the list of protocol inspection items to see the checks and actions for a category, and to view properties and hits for an inspection item.
  1. On the Main tab, click Security > Protocol Security > Inspection List.
    The Inspection List screen opens.
  2. To filter the list, select the filter options.
    You can type text in the search field to narrow the results, and select options from any of the lists. You can add filter lists from the Add Filter list. The available category lists are Service, Protocol, Inspection Type, Direction, Risk, Accuracy, Performance Impact, User Defined, Action, and Log. You can select multiple items from each list, and you can make selections from multiple lists.
    For example, to filter for items of medium and low accuracy that include the term blacklist, select medium and low from the Accuracy list, and type blacklist in the search field.
    The list of inspection items changes to show the results of the filter settings.
  3. To view the properties for an inspection item, click the item ID number.
    The item properties are displayed in the Properties pane on the right.
  4. To expand statistics for an inspection item, click the item description.
    Statistics for hits on the inspection item appear below the item.
  5. To change the duration for statistics, click 1 Hour, 1 Day, or 1 Week.
    You can click Refresh to refresh the statistics.
  6. To collapse the statistics, click the description again.
    You can expand multiple items on the same screen.

Creating protocol inspection items

Add inspection items to create new inspections based on Snort signatures. You write signatures in Snort format. For information on writing Snort rules, see https://www.snort.org/documents.
  1. On the Main tab, click Security > Protocol Security > Inspection List.
    The Inspection List screen opens.
  2. Click New Signature.
  3. In the Name field, type a name for the signature.
  4. In the Description field, type a description.
  5. In the Signature Definition field, type the signature in valid Snort syntax.
    All remaining fields are optional. However, the default values are accepted as-is when the signature is created and may not be correct for your inspection. Configure settings that are appropriate to your security stance and the detection you want to accomplish.
  6. Specify an action for the signature.
  7. Select whether to log the signature.
  8. Specify the accuracy for the signature.
  9. Specify the direction in which the signature is detected.
  10. Specify the performance impact for the signature.
  11. Specify the protocol on which the signature acts.
  12. Specify the risk level for the attack.
  13. In the Documentation field, type any documentation for the signature.
  14. In the Attack Type field, specify the attack type.
  15. In the References field, type any references for the signature.
  16. In the Reference Links field, type any reference links.
  17. In the Revision field, type the revision number.
  18. In the Systems field, type the systems affected by the signature.
  19. Specify the service to which the signature applies.
  20. Click Create to create the inspection item.
The signature is created and appears in the inspection list.
Assign the inspection item to an inspection profile to enable detection and the action associated with the inspection item.
To view user-defined inspection items, select yes from the User Defined list on the Inspection Profile or Inspection List screens.

Snort rule reference

This section lists the Snort rule options that are currently supported when writing rules for protocol inspection.

Snort rule overview

Protocol Anomaly Inspection supports a subset of the Snort rule language. See the Snort users manual for the full syntax. Rule content can be matched with pcre (Perl-compatible regular expressions). Negation (!) is not supported.

Parameters supported with content and pcre

The following parameters are supported when using the content and pcre commands. See the Snort manual entries for content and pcre.
  • nocase
  • depth
  • offset
  • distance
  • within
  • http_client_body
  • http_cookie
  • http_header
  • http_method
  • http_uri
  • http_stat_code
  • http_stat_msg
  • fast_pattern

Parameters supported with byte_test

All parameters for byte_test are supported except dce and bitmask. See the Snort manual entry for byte_test.

Parameters supported with byte_jump

All parameters for byte_jump are supported except dce, multiplier, align, post_offset, and bitmask. See the Snort manual entry for byte_jump.

Parameters supported in metadata

The following parameters are supported in metadata. See the Snort manual entry for metadata.
  • service
  • policy balanced-ips
The following parameters are supported in reference. See the Snort manual entry for reference.
  • url
  • cve
  • bugtraq
The following additional commands are supported.
  • msg
  • classtype
  • flow
  • rev
The following parameters are specific to BIG-IP AFM protocol inspection and are added to the Snort syntax:
  • protocol
  • accuracy
  • risk
  • systems
  • documentation
  • last_updated
  • performance_impact
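The following Python script is an added example, not F5 code and not part of this manual. It checks a Snort rule against the subset described in this reference and used by the "Creating protocol inspection items" task: it rejects negation (in the header or in content/pcre), the excluded byte_test and byte_jump parameters, and reference types other than url, cve and bugtraq; it warns about options this page does not list at all; and it extracts the AFM-specific parameters (accuracy, risk, and so on) so they can be cross-checked against the fields you fill in on the New Signature screen. The two sample rules and the reference URL in them are constructed for the example, and the parser is a deliberately simple single-line Snort 2 parser that does not validate pcre patterns or Snort variables.

```python
"""Check a Snort rule against the protocol-inspection subset listed on this page.

Added example, not F5 code. Assumes single-line Snort 2 rule syntax:
    action proto src sport (->|<>) dst dport (option; option; ...)
"""
import re

# Transcribed from the "Snort rule reference" section above.
CONTENT_PCRE_MODIFIERS = {
    "nocase", "depth", "offset", "distance", "within", "http_client_body",
    "http_cookie", "http_header", "http_method", "http_uri",
    "http_stat_code", "http_stat_msg", "fast_pattern",
}
BYTE_TEST_UNSUPPORTED = {"dce", "bitmask"}
BYTE_JUMP_UNSUPPORTED = {"dce", "multiplier", "align", "post_offset", "bitmask"}
REFERENCE_TYPES = {"url", "cve", "bugtraq"}
OTHER_SUPPORTED = {"msg", "classtype", "flow", "rev"}
AFM_EXTRA = {"protocol", "accuracy", "risk", "systems", "documentation",
             "last_updated", "performance_impact"}

HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body):
    """Split the option body on ';' outside double quotes (backslash escapes honoured)."""
    opts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if not esc and ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if not esc and ch == '"':
            quoted = not quoted
        esc = (ch == "\\") and not esc
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def _param_keywords(val):
    """Leading word of each comma-separated parameter, lower-cased."""
    return [p.strip().split()[0].lower() for p in val.split(",") if p.strip()]


def check_rule(rule):
    """Return (errors, warnings, afm_extras) for one rule.

    errors:     constructs the page states are unsupported
    warnings:   options the page does not list, so support is unverified
    afm_extras: values of the AFM-added parameters (accuracy, risk, ...)
    """
    errors, warnings, extras = [], [], {}
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["rule is not 'action proto src sport dir dst dport (options)'"], warnings, extras
    _, _, src, sport, _, dst, dport, body = m.groups()
    for field in (src, sport, dst, dport):
        if field.startswith("!"):
            errors.append(f"header negation {field!r} is not supported")
    last = None  # most recent non-modifier option; modifiers must follow content/pcre
    for opt in split_options(body):
        kw, _, val = opt.partition(":")
        kw, val = kw.strip().lower(), val.strip()
        if kw in CONTENT_PCRE_MODIFIERS:
            if last not in ("content", "pcre"):
                errors.append(f"{kw} must follow a content or pcre option")
            continue
        last = kw
        if kw in ("content", "pcre"):
            if val.startswith("!"):
                errors.append(f"{kw} negation is not supported: {opt}")
        elif kw == "byte_test":
            errors += [f"byte_test parameter {p!r} is not supported"
                       for p in _param_keywords(val) if p in BYTE_TEST_UNSUPPORTED]
        elif kw == "byte_jump":
            errors += [f"byte_jump parameter {p!r} is not supported"
                       for p in _param_keywords(val) if p in BYTE_JUMP_UNSUPPORTED]
        elif kw == "metadata":
            for item in (i.strip() for i in val.split(",") if i.strip()):
                words = item.split()
                if not ((words[0] == "service" and len(words) == 2)
                        or words[:2] == ["policy", "balanced-ips"]):
                    warnings.append(f"metadata entry {item!r} is not listed as supported")
        elif kw == "reference":
            if val.split(",", 1)[0].strip().lower() not in REFERENCE_TYPES:
                errors.append(f"reference type in {opt!r} is not supported (url, cve, bugtraq only)")
        elif kw in AFM_EXTRA:
            extras[kw] = val
        elif kw not in OTHER_SUPPORTED:
            warnings.append(f"option {kw!r} is not listed as supported on this page")
    return errors, warnings, extras


# Constructed sample rules for the example (not real signatures).
GOOD_RULE = ('alert tcp any any -> any 80 (msg:"constructed: admin path probe"; '
             'flow:to_server,established; content:"/admin"; http_uri; nocase; '
             'pcre:"/passwd=\\w+/i"; byte_test:2,>,100,0,relative; '
             'reference:url,example.com/constructed; metadata:service http, policy balanced-ips; '
             'classtype:web-application-attack; rev:1; protocol:tcp; accuracy:medium; '
             'risk:high; performance_impact:low;)')
BAD_RULE = ('alert tcp !$HOME_NET any -> any 445 (msg:"constructed: unsupported syntax"; '
            'content:!"ok"; byte_jump:4,0,relative,align; byte_test:1,&,0x80,0,bitmask 0xF0; '
            'reference:nessus,12345; flowbits:set,seen;)')

if __name__ == "__main__":
    for name, rule in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        errs, warns, extra = check_rule(rule)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s), AFM params {extra}")
        for line in errs + warns:
            print("  -", line)
```

Run it before pasting a rule into the Signature Definition field: anything reported as an error will not behave as written on the BIG-IP system, and a warning means the option is outside what this page documents, so test it against traffic rather than assuming it matches.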

Assigning a protocol inspection profile to a virtual server

Add protocol inspection to a virtual server to detect the configured protocol inspection items on matched traffic on the virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. In the Name column, click the name of the relevant virtual server.
    This displays the properties of the virtual server.
  3. On the menu bar, from the Security menu, choose Policies.
  4. For the Protocol Inspection Profile setting, select Enabled.
  5. Select the name of the protocol inspection profile to apply to traffic on the virtual server.
  6. Click Update.
The protocol inspection profile is enabled on the virtual server.

Assigning a protocol inspection profile to a firewall rule

This task requires an existing network firewall policy.
Assign protocol inspection to a firewall rule to check protocol inspection items on traffic that matches the rule.
  1. On the Main tab, click Security > Network Firewall > Policies.
    The Policies screen opens.
  2. Click the name of a firewall policy to edit that policy.
    The Firewall Policy screen opens, or the policy expands on the screen.
  3. Click Add Rule to add a firewall rule to the policy.
    A blank rule appears in the policy.
  4. In the Name column, type the name and an optional description in the fields.
  5. From the State list, select the rule state.
    • Select Enabled to apply the firewall rule to the given context and addresses.
    • Select Disabled to set the firewall rule to not apply at all.
    • Select Scheduled to apply the firewall rule according to the selected schedule.
  6. From the Protocol list, select the protocol to which the firewall rule applies.
    • Select Any to apply the firewall rule to any protocol.
    • Select the protocol name to apply the rule to a single protocol.
    ICMP is handled by the BIG-IP system at the global or route domain level. Because of this, ICMP messages receive a response before they reach the virtual server context. You cannot create a rule for ICMP or ICMPv6 in a self IP or virtual server context. You can apply a rule list that includes a rule for ICMP or ICMPv6 to a self IP or virtual server; however, such a rule is ignored. To apply firewall actions to the ICMP protocol, create a rule in the global or route domain context. ICMP rules are evaluated only for ICMP forwarding requests, and not for the IP addresses of the BIG-IP system itself.
  7. In the Source field, specify the addresses and ports that the rule should match.
    You can type an IP address, a contiguous range of IP addresses, an IP subnet, a port, a range of ports, a geographic location, a subscriber or subscriber group, an address list, or a port list. After you complete an entry, click Add.
    You cannot specify a mix of IPv6 and IPv4 address types in a single rule.
  8. In the Destination field, begin typing to specify a destination address.
    As you type, options that match your input appear. Select the destination option you want to use when it appears, or press Return. You can add more addresses by typing in the field labeled add new destination.
    A destination address can be any of the following:
    • Any address
    • IPv4 or IPv6 address
    • IPv4 or IPv6 address range
    • FQDN
    • Geographic location
    • VLAN
    • Address list
    • Port
    • Port range
    • Port list
  9. From the Action list, select the firewall action for traffic originating from the specified source address on the specified protocol. Choose one of these actions:
    Accept
    Allows packets with the specified source, destination, and protocol to pass through the firewall. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
    Drop
    Drops packets with the specified source, destination, and protocol. Dropping a packet is a silent action with no notification to the source or destination systems. Because the sender receives no response, it typically retries the connection until its retry threshold is reached.
    Reject
    Rejects packets with the specified source, destination, and protocol. When a packet is rejected, the firewall sends a destination unreachable message to the sender.
    Accept Decisively
    Allows packets with the specified source, destination, and protocol to pass through the firewall, and does not require any further processing by any subsequent firewall context. Packets that match the rule, and are accepted, traverse the system as if the firewall is not present.
  10. Optionally, to apply an iRule to traffic matched by this rule, from the iRule list, select an iRule.
  11. Optionally, to send traffic matched by this rule to a specific virtual server, from the Send to Virtual list, select the virtual server.
    Traffic that is sent to a virtual server is processed according to the DDoS rules and firewall rules on that virtual server, not according to the originating context.
  12. To apply custom timeouts or port misuse profiles to flows that match this rule, from the Service Policy field, specify a service policy.
  13. To apply a protocol inspection profile to check protocol inspection signatures against traffic that matches the rule, select a Protocol Inspection Profile.
  14. To apply a classification policy to traffic that matches the rule, select a Classification Policy.
  15. Click Done Editing.
  16. Click Commit Changes to System.
    The policy with the updated rule is displayed.
A firewall rule is created with a Protocol Inspection Profile attached.

Viewing protocol security inspection logs

View protocol security inspection logs to check for hits on protocol inspection items.
  1. On the Main tab, click Security > Protocol Security > Inspection Logs.
    The Inspection Logs screen opens.
  2. Use the search filters to narrow or expand your search.
    For example, you can change the search time range from the default Last Hour to see logs for the last week by selecting Last Week. Type text to match in the text field.
  3. To customize the search, click Custom Search.
    With Custom Search, you can drag search results directly from the results list to the search table, to produce a narrowed list of results.
  4. Click Search to search with the custom search parameters.
  5. Click Reset Search to return to the main search screen.
The search results for the protocol inspection log entries are displayed.