junoser 0.4.6 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +19 -0
- data/Gemfile.lock +5 -5
- data/Rakefile +1 -1
- data/commitlint.config.js +1 -0
- data/example/mx-21.2R3-S2.9.rb +127432 -0
- data/example/vsrx-18.3R1.9.rb +380 -30
- data/lib/junoser/js_ruler.rb +27 -2
- data/lib/junoser/parser.rb +38212 -29081
- data/lib/junoser/ruler.rb +12 -6
- data/lib/junoser/version.rb +1 -1
- metadata +3 -2
data/example/vsrx-18.3R1.9.rb
CHANGED
|
@@ -2102,14 +2102,14 @@ rule(:configuration) do
|
|
|
2102
2102
|
"pki" ( /* PKI service configuration */
|
|
2103
2103
|
security_pki /* PKI service configuration */
|
|
2104
2104
|
),
|
|
2105
|
-
"
|
|
2106
|
-
|
|
2105
|
+
"group-vpn" ( /* Group VPN configuration */
|
|
2106
|
+
security_group_vpn /* Group VPN configuration */
|
|
2107
2107
|
),
|
|
2108
2108
|
"ipsec" ( /* IPSec configuration */
|
|
2109
2109
|
security_ipsec_vpn /* IPSec configuration */
|
|
2110
2110
|
),
|
|
2111
|
-
"
|
|
2112
|
-
|
|
2111
|
+
"ike" ( /* IKE configuration */
|
|
2112
|
+
security_ike /* IKE configuration */
|
|
2113
2113
|
),
|
|
2114
2114
|
"ipsec-policy" ( /* IPSec policy configuration */
|
|
2115
2115
|
security_ipsec_policies /* IPSec policy configuration */
|
|
@@ -2140,9 +2140,11 @@ rule(:configuration) do
|
|
|
2140
2140
|
ipv4addr /* Source address to be used for sending download request */
|
|
2141
2141
|
),
|
|
2142
2142
|
"proxy-profile" arg /* Proxy profile of security package download */,
|
|
2143
|
+
"routing-instance" arg /* Routing instance for security-package download */,
|
|
2143
2144
|
"install" ( /* Configure install command */
|
|
2144
2145
|
c(
|
|
2145
|
-
"ignore-version-check" /* Skip version check when attack database gets installed
|
|
2146
|
+
"ignore-version-check" /* Skip version check when attack database gets installed */,
|
|
2147
|
+
"ignore-appid-failure" /* Continue idp installation even if appid installation fails */
|
|
2146
2148
|
)
|
|
2147
2149
|
),
|
|
2148
2150
|
"automatic" ( /* Scheduled download and update */
|
|
@@ -2227,7 +2229,19 @@ rule(:configuration) do
|
|
|
2227
2229
|
"session-steering" /* Session steering for session anticipation */,
|
|
2228
2230
|
"idp-bypass-cpu-usg-overload" /* Enable IDP bypass of sessions/packets on CPU usage overload */,
|
|
2229
2231
|
"idp-bypass-cpu-threshold" arg /* Threshold of CPU usage in percentage for IDP bypass */,
|
|
2230
|
-
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass
|
|
2232
|
+
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
|
|
2233
|
+
"idp-bypass-cpu-tolerance" arg /* Tolerance of CPU usage in percentage for IDP bypass */,
|
|
2234
|
+
"intel-inspect-enable" /* Minimizes IDP processing during system overload */,
|
|
2235
|
+
"intel-inspect-cpu-usg-threshold" arg /* CPU usage threshold percentage for intelligent inspection */,
|
|
2236
|
+
"intel-inspect-cpu-usg-tolerance" arg /* CPU usage tolerance percentage for intelligent inspection */,
|
|
2237
|
+
"intel-inspect-free-mem-threshold" arg /* Free memory threshold percentage for intelligent inspection */,
|
|
2238
|
+
"intel-inspect-mem-tolerance" arg /* Memory tolerance percentage for intelligent inspection */,
|
|
2239
|
+
"intel-inspect-disable-content-decompress" /* Disables payload content decompression */,
|
|
2240
|
+
"intel-inspect-session-bytes-depth" arg /* Session bytes scanning depth */,
|
|
2241
|
+
"intel-inspect-protocols" arg /* Protocols to be processed in Intelligent Inspection mode */,
|
|
2242
|
+
"intel-inspect-signature-severity" ( /* Signature severities to be considered for IDP processing */
|
|
2243
|
+
("minor" | "major" | "critical")
|
|
2244
|
+
)
|
|
2231
2245
|
)
|
|
2232
2246
|
),
|
|
2233
2247
|
"re-assembler" ( /* Re-assembler configuration */
|
|
@@ -2274,11 +2288,16 @@ rule(:configuration) do
|
|
|
2274
2288
|
c(
|
|
2275
2289
|
"enable-packet-pool" /* Enable packet pool */,
|
|
2276
2290
|
"no-enable-packet-pool" /* Don't enable packet pool */,
|
|
2291
|
+
"log-xff-header" /* Log xff header */,
|
|
2277
2292
|
"enable-all-qmodules" /* Enable all qmodules */,
|
|
2278
2293
|
"no-enable-all-qmodules" /* Don't enable all qmodules */,
|
|
2279
2294
|
"policy-lookup-cache" /* Policy lookup cache */,
|
|
2280
2295
|
"no-policy-lookup-cache" /* Don't policy lookup cache */,
|
|
2281
|
-
"memory-limit-percent" arg /* Memory limit percentage
|
|
2296
|
+
"memory-limit-percent" arg /* Memory limit percentage */,
|
|
2297
|
+
"disable-idp-processing" /* Flag to disable IDP processing */,
|
|
2298
|
+
"intelligent-offload" ( /* Intelligently offload the flow */
|
|
2299
|
+
("disable" | "conservative")
|
|
2300
|
+
)
|
|
2282
2301
|
)
|
|
2283
2302
|
),
|
|
2284
2303
|
"detector" ( /* Detector Configuration */
|
|
@@ -2316,7 +2335,10 @@ rule(:configuration) do
|
|
|
2316
2335
|
"logical-system" ( /* Configure max IDP sessions for the logial system */
|
|
2317
2336
|
logical_system_type /* Configure max IDP sessions for the logial system */
|
|
2318
2337
|
),
|
|
2319
|
-
"processes" /* Configure IDP Processes
|
|
2338
|
+
"processes" /* Configure IDP Processes */,
|
|
2339
|
+
"tenant-system" ( /* Configure max IDP sessions for the tenant */
|
|
2340
|
+
tenant_system_type /* Configure max IDP sessions for the tenant */
|
|
2341
|
+
)
|
|
2320
2342
|
)
|
|
2321
2343
|
),
|
|
2322
2344
|
"address-book" ( /* Security address book */
|
|
@@ -8652,7 +8674,7 @@ rule(:application_object) do
|
|
|
8652
8674
|
term_object /* Define individual application protocols */
|
|
8653
8675
|
),
|
|
8654
8676
|
"application-protocol" ( /* Application protocol type */
|
|
8655
|
-
("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp")
|
|
8677
|
+
("bootp" | "dce-rpc" | "dce-rpc-portmap" | "dns" | "exec" | "ftp" | "ftp-data" | "gprs-gtp-c" | "gprs-gtp-u" | "gprs-gtp-v0" | "gprs-sctp" | "h323" | "icmp" | "icmpv6" | "ignore" | "iiop" | "ike-esp-nat" | "ip" | "login" | "mgcp-ca" | "mgcp-ua" | "ms-rpc" | "netbios" | "netshow" | "none" | "pptp" | "q931" | "ras" | "realaudio" | "rpc" | "rpc-portmap" | "rsh" | "rtsp" | "sccp" | "sip" | "shell" | "snmp" | "sqlnet" | "sqlnet-v2" | "sun-rpc" | "talk" | "tftp" | "traceroute" | "http" | "winframe" | "https" | "imap" | "smtp" | "ssh" | "telnet" | "twamp" | "pop3" | "smtps" | "imaps" | "pop3s")
|
|
8656
8678
|
),
|
|
8657
8679
|
"protocol" ( /* Match IP protocol type */
|
|
8658
8680
|
("icmp" | "igmp" | "ipip" | "tcp" | "egp" | "udp" | "rsvp" | "gre" | "esp" | "ah" | "icmp6" | "ospf" | "pim" | "sctp" | arg)
|
|
@@ -8664,7 +8686,9 @@ rule(:application_object) do
|
|
|
8664
8686
|
("ftp-data" | "ftp" | "ssh" | "telnet" | "smtp" | "tacacs" | "tacacs-ds" | "domain" | "dhcp" | "bootps" | "bootpc" | "tftp" | "finger" | "http" | "kerberos-sec" | "pop3" | "sunrpc" | "ident" | "nntp" | "ntp" | "netbios-ns" | "netbios-dgm" | "netbios-ssn" | "imap" | "snmp" | "snmptrap" | "xdmcp" | "bgp" | "ldap" | "mobileip-agent" | "mobilip-mn" | "msdp" | "https" | "snpp" | "biff" | "exec" | "login" | "who" | "cmd" | "syslog" | "printer" | "talk" | "ntalk" | "rip" | "timed" | "klogin" | "kshell" | "ldp" | "krb-prop" | "krbupdate" | "kpasswd" | "socks" | "afs" | "pptp" | "radius" | "radacct" | "zephyr-srv" | "zephyr-clt" | "zephyr-hm" | "nfsd" | "eklogin" | "ekshell" | "rkinit" | "cvspserver" | arg)
|
|
8665
8687
|
),
|
|
8666
8688
|
"ether-type" arg /* Match ether type */,
|
|
8667
|
-
"snmp-command"
|
|
8689
|
+
"snmp-command" ( /* Match SNMP command */
|
|
8690
|
+
("get" | "get-next" | "get-response" | "set" | "trap")
|
|
8691
|
+
),
|
|
8668
8692
|
"icmp-type" ( /* Match ICMP message type */
|
|
8669
8693
|
("echo-request" | "echo-reply" | "unreachable" | "source-quench" | "redirect" | "router-advertisement" | "router-solicit" | "time-exceeded" | "parameter-problem" | "timestamp" | "timestamp-reply" | "info-request" | "info-reply" | "mask-request" | "mask-reply" | arg)
|
|
8670
8694
|
),
|
|
@@ -10466,7 +10490,17 @@ rule(:custom_attack_type) do
|
|
|
10466
10490
|
"count" arg /* Number of times this attack is to be triggered */,
|
|
10467
10491
|
"scope" ( /* Scope within which the count occurs */
|
|
10468
10492
|
("peer" | "source" | "destination")
|
|
10469
|
-
)
|
|
10493
|
+
),
|
|
10494
|
+
"interval" arg /* Maximum time-gap between two instances of the attack. Format : MMm-SSs */
|
|
10495
|
+
)
|
|
10496
|
+
),
|
|
10497
|
+
"detection-filter" ( /* Detection filter params */
|
|
10498
|
+
c(
|
|
10499
|
+
"count" arg /* Number of matches for this attack to be triggered. Must be greater than 0 */,
|
|
10500
|
+
"scope" ( /* Scope within which the count occurs */
|
|
10501
|
+
("session" | "source" | "destination")
|
|
10502
|
+
),
|
|
10503
|
+
"interval" arg /* Time period over which count is accrued. Format : MMm-SSs. Minimum value is 1 second */
|
|
10470
10504
|
)
|
|
10471
10505
|
),
|
|
10472
10506
|
"attack-type" ( /* Type of attack */
|
|
@@ -10515,6 +10549,155 @@ rule(:custom_attack_type) do
|
|
|
10515
10549
|
"context" arg /* Context */,
|
|
10516
10550
|
"pattern" arg /* Pattern is the signature of the attack you want to detect */,
|
|
10517
10551
|
"pattern-pcre" arg /* Attack signature pattern in PCRE format */,
|
|
10552
|
+
"content" ( /* Mention the match-modifire parameters to enhance pattern matching */
|
|
10553
|
+
c(
|
|
10554
|
+
"pattern" arg /* Specify match-modifier pattern */,
|
|
10555
|
+
"pcre" arg /* PCRE expression */,
|
|
10556
|
+
"depth" ( /* Maximum depth to search pattern within a packet. Depth is not relative */
|
|
10557
|
+
c(
|
|
10558
|
+
"depth-value" arg /* Specify the value of 'depth' */,
|
|
10559
|
+
"depth-variable" arg /* Specify the variable name from which 'depth' should be extracted */
|
|
10560
|
+
)
|
|
10561
|
+
),
|
|
10562
|
+
"offset" ( /* Where to start searching for a pattern within a packet. Offset value is not relative */
|
|
10563
|
+
c(
|
|
10564
|
+
"offset-value" arg /* Specify the value of 'offset' */,
|
|
10565
|
+
"offset-variable" arg /* Specify the variable name from which 'offset' should be extracted */
|
|
10566
|
+
)
|
|
10567
|
+
),
|
|
10568
|
+
"within" ( /* Maximum Number of bytes present between two conjugative pattern match. within is relative */
|
|
10569
|
+
c(
|
|
10570
|
+
"within-value" arg /* Specify the value of 'within' */,
|
|
10571
|
+
"within-variable" arg /* Specify the variable name from which 'within' should be extracted */
|
|
10572
|
+
)
|
|
10573
|
+
),
|
|
10574
|
+
"distance" ( /* Maximum Length to ignore before searching next pattern match. Distance is relative */
|
|
10575
|
+
c(
|
|
10576
|
+
"distance-value" arg /* Specify the value of 'distance' */,
|
|
10577
|
+
"distance-variable" arg /* Specify the variable name from which 'distance' should be extracted */
|
|
10578
|
+
)
|
|
10579
|
+
),
|
|
10580
|
+
"byte-extract" ( /* Mention the byte-extract parameters for signature in length encoded protocols */
|
|
10581
|
+
c(
|
|
10582
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10583
|
+
"offset" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10584
|
+
"var-name" arg /* Specify the name of the variable to reference in other rule options */,
|
|
10585
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10586
|
+
"multiplier" arg /* Specify the value to be multiplied against the bytes read */,
|
|
10587
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10588
|
+
("Little" | "Big")
|
|
10589
|
+
),
|
|
10590
|
+
"align" ( /* Specify the byte alignment */
|
|
10591
|
+
("2-byte" | "4-byte")
|
|
10592
|
+
),
|
|
10593
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10594
|
+
("hex" | "dec" | "oct")
|
|
10595
|
+
),
|
|
10596
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
|
|
10597
|
+
)
|
|
10598
|
+
),
|
|
10599
|
+
"byte-test" ( /* Mention the byte-test parameters for signature in length encoded protocols */
|
|
10600
|
+
c(
|
|
10601
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10602
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10603
|
+
c(
|
|
10604
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10605
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10606
|
+
)
|
|
10607
|
+
),
|
|
10608
|
+
"rvalue" ( /* Specify the rvalue to test the converted value against */
|
|
10609
|
+
c(
|
|
10610
|
+
"rvalue-value" arg /* Specify the value */,
|
|
10611
|
+
"rvalue-variable" arg /* Specify the variable name */
|
|
10612
|
+
)
|
|
10613
|
+
),
|
|
10614
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10615
|
+
"operator" ( /* Specify the operation to perform on extracted value */
|
|
10616
|
+
("less-than" | "greater-than" | "less-than-or-equal" | "greater-than-or-equal" | "equal" | "bitwise-AND" | "bitwise-XOR")
|
|
10617
|
+
),
|
|
10618
|
+
"negate" /* Check if the operator is not true */,
|
|
10619
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10620
|
+
("Little" | "Big")
|
|
10621
|
+
),
|
|
10622
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10623
|
+
("hex" | "dec" | "oct")
|
|
10624
|
+
),
|
|
10625
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */
|
|
10626
|
+
)
|
|
10627
|
+
),
|
|
10628
|
+
"byte-math" ( /* Mention the byte-math parameters for signature in length encoded protocols */
|
|
10629
|
+
c(
|
|
10630
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10631
|
+
"offset" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10632
|
+
"rvalue" ( /* Specify the value to use mathematical operation against */
|
|
10633
|
+
c(
|
|
10634
|
+
"rvalue-value" arg /* Specify the value */,
|
|
10635
|
+
"rvalue-variable" arg /* Specify the variable name */
|
|
10636
|
+
)
|
|
10637
|
+
),
|
|
10638
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10639
|
+
"operator" ( /* Specify the operation to perform on extracted value */
|
|
10640
|
+
("addition" | "subtraction" | "multiplication" | "division" | "right-shift" | "left-shift")
|
|
10641
|
+
),
|
|
10642
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10643
|
+
("Little" | "Big")
|
|
10644
|
+
),
|
|
10645
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10646
|
+
("hex" | "dec" | "oct")
|
|
10647
|
+
),
|
|
10648
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
|
|
10649
|
+
"result" arg /* Specify the variable name to which result should be stored */
|
|
10650
|
+
)
|
|
10651
|
+
),
|
|
10652
|
+
"byte-jump" ( /* Mention the byte-jump parameters for signature in length encoded protocols */
|
|
10653
|
+
c(
|
|
10654
|
+
"bytes" arg /* Specify the number of bytes to extract from packet */,
|
|
10655
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10656
|
+
c(
|
|
10657
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10658
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10659
|
+
)
|
|
10660
|
+
),
|
|
10661
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10662
|
+
"multiplier" arg /* Specify the value to be multiplied against the bytes read */,
|
|
10663
|
+
"endianness" ( /* Specify the endianness with which bytes read should be processed */
|
|
10664
|
+
("Little" | "Big")
|
|
10665
|
+
),
|
|
10666
|
+
"align" ( /* Specify the endianness with which bytes read should be processed */
|
|
10667
|
+
("4-byte")
|
|
10668
|
+
),
|
|
10669
|
+
"string" ( /* Specify the data type in which string data should be parsed */
|
|
10670
|
+
("hex" | "dec" | "oct")
|
|
10671
|
+
),
|
|
10672
|
+
"bitmask" arg /* Specify the bitmask (1-4 bytes) for AND operation in hexadecimal format */,
|
|
10673
|
+
"from-beginning" /* Enable jump from the beginning of the payload */,
|
|
10674
|
+
"from-end" /* Enable jump from the end of the payload */,
|
|
10675
|
+
"post-offset" arg /* Specify the number of bytes to skip forward or backward */
|
|
10676
|
+
)
|
|
10677
|
+
),
|
|
10678
|
+
"is-data-at" ( /* Mention the is-data-at parameters for signature in length encoded protocols */
|
|
10679
|
+
c(
|
|
10680
|
+
"offset" ( /* Mention the offset variable name or offset value to be used */
|
|
10681
|
+
c(
|
|
10682
|
+
"offset-value" arg /* Specify the number of bytes in to payload to start processing */,
|
|
10683
|
+
"offset-variable" arg /* Specify the name of the offset variable */
|
|
10684
|
+
)
|
|
10685
|
+
),
|
|
10686
|
+
"relative" /* Specify whether to use an offset relative to last pattern match or not */,
|
|
10687
|
+
"negate" /* Negates the results of the isdataat test */
|
|
10688
|
+
)
|
|
10689
|
+
)
|
|
10690
|
+
)
|
|
10691
|
+
),
|
|
10692
|
+
"optional-parameters" ( /* Mention the optional parameters to enhance pattern matching */
|
|
10693
|
+
c(
|
|
10694
|
+
"min-offset" arg /* Minimum offset in data at which pattern-match can end */,
|
|
10695
|
+
"max-offset" arg /* Maximum offset in data at which pattern-match can end */,
|
|
10696
|
+
"min-length" arg /* Minimum match length required to match the pattern */,
|
|
10697
|
+
"edit-distance" arg /* Match the pattern within this edit distance */,
|
|
10698
|
+
"hamming-distance" arg /* Match the pattern within this hamming distance */
|
|
10699
|
+
)
|
|
10700
|
+
),
|
|
10518
10701
|
"regexp" arg /* Regular expression used for matching repetition of patterns */,
|
|
10519
10702
|
"negate" /* Trigger the attack if condition is not met */,
|
|
10520
10703
|
"direction" ( /* Connection direction of the attack */
|
|
@@ -12030,6 +12213,13 @@ rule(:dynamic_attack_group_type) do
|
|
|
12030
12213
|
"values" arg /* Values for vulnariability-type field */
|
|
12031
12214
|
)
|
|
12032
12215
|
),
|
|
12216
|
+
"excluded" /* Excluded Attacks */,
|
|
12217
|
+
"no-excluded" /* Don't excluded Attacks */,
|
|
12218
|
+
"attack-prefix" ( /* Prefix match for attack names */
|
|
12219
|
+
c(
|
|
12220
|
+
"values" arg /* Values for attack name prefix match */
|
|
12221
|
+
)
|
|
12222
|
+
),
|
|
12033
12223
|
"cvss-score" ("greater-than" | "less-than") ( /* CVSS score of Attack */
|
|
12034
12224
|
c(
|
|
12035
12225
|
"value" arg /* Match value */
|
|
@@ -13211,8 +13401,12 @@ rule(:idp_policy_type) do
|
|
|
13211
13401
|
"source-except" ( /* Don't match source address */
|
|
13212
13402
|
(arg)
|
|
13213
13403
|
),
|
|
13214
|
-
"source-prefix" /* Match source address
|
|
13215
|
-
|
|
13404
|
+
"source-prefix" ( /* Match source address */
|
|
13405
|
+
ipv4prefix /* Match source address */
|
|
13406
|
+
),
|
|
13407
|
+
"source-prefix-except" ( /* Don't match source address */
|
|
13408
|
+
ipv4prefix /* Don't match source address */
|
|
13409
|
+
)
|
|
13216
13410
|
),
|
|
13217
13411
|
"to-zone" ( /* Match to zone */
|
|
13218
13412
|
("any" | arg)
|
|
@@ -13224,8 +13418,12 @@ rule(:idp_policy_type) do
|
|
|
13224
13418
|
"destination-except" ( /* Don't match destination address */
|
|
13225
13419
|
(arg)
|
|
13226
13420
|
),
|
|
13227
|
-
"destination-prefix" /* Match destination address
|
|
13228
|
-
|
|
13421
|
+
"destination-prefix" ( /* Match destination address */
|
|
13422
|
+
ipv4prefix /* Match destination address */
|
|
13423
|
+
),
|
|
13424
|
+
"destination-prefix-except" ( /* Don't match destination address */
|
|
13425
|
+
ipv4prefix /* Don't match destination address */
|
|
13426
|
+
)
|
|
13229
13427
|
),
|
|
13230
13428
|
"application" ( /* Specify application or application-set name to match */
|
|
13231
13429
|
("any" | "default" | arg)
|
|
@@ -13302,6 +13500,16 @@ rule(:idp_policy_type) do
|
|
|
13302
13500
|
),
|
|
13303
13501
|
"severity" ( /* Set rule severity level */
|
|
13304
13502
|
("info" | "warning" | "minor" | "major" | "critical")
|
|
13503
|
+
),
|
|
13504
|
+
"application-services" ( /* Enable application services for this rule */
|
|
13505
|
+
c(
|
|
13506
|
+
"security-intelligence" ( /* Generate security intellegence feeds */
|
|
13507
|
+
c(
|
|
13508
|
+
"add-attacker-ip-to-feed" arg /* Specify the desired feed-name */,
|
|
13509
|
+
"add-target-ip-to-feed" arg /* Specify the desired feed-name */
|
|
13510
|
+
)
|
|
13511
|
+
)
|
|
13512
|
+
)
|
|
13305
13513
|
)
|
|
13306
13514
|
)
|
|
13307
13515
|
),
|
|
@@ -13327,8 +13535,12 @@ rule(:idp_policy_type) do
|
|
|
13327
13535
|
"source-except" ( /* Don't match source address */
|
|
13328
13536
|
(arg)
|
|
13329
13537
|
),
|
|
13330
|
-
"source-prefix" /* Match source address
|
|
13331
|
-
|
|
13538
|
+
"source-prefix" ( /* Match source address */
|
|
13539
|
+
ipv4prefix /* Match source address */
|
|
13540
|
+
),
|
|
13541
|
+
"source-prefix-except" ( /* Don't match source address */
|
|
13542
|
+
ipv4prefix /* Don't match source address */
|
|
13543
|
+
)
|
|
13332
13544
|
),
|
|
13333
13545
|
"to-zone" ( /* Match to zone */
|
|
13334
13546
|
("any" | arg)
|
|
@@ -13340,8 +13552,12 @@ rule(:idp_policy_type) do
|
|
|
13340
13552
|
"destination-except" ( /* Don't match destination address */
|
|
13341
13553
|
(arg)
|
|
13342
13554
|
),
|
|
13343
|
-
"destination-prefix" /* Match destination address
|
|
13344
|
-
|
|
13555
|
+
"destination-prefix" ( /* Match destination address */
|
|
13556
|
+
ipv4prefix /* Match destination address */
|
|
13557
|
+
),
|
|
13558
|
+
"destination-prefix-except" ( /* Don't match destination address */
|
|
13559
|
+
ipv4prefix /* Don't match destination address */
|
|
13560
|
+
)
|
|
13345
13561
|
),
|
|
13346
13562
|
"attacks" ( /* Match attack objects */
|
|
13347
13563
|
c(
|
|
@@ -55982,6 +56198,11 @@ rule(:nat_object) do
|
|
|
55982
56198
|
"pool" ( /* Define a NAT pool */
|
|
55983
56199
|
nat_pool_object /* Define a NAT pool */
|
|
55984
56200
|
),
|
|
56201
|
+
"ipv6-multicast-interfaces" ("all" | "interface-name") ( /* Enable IPv6 multicast filter for IPv6 NAT */
|
|
56202
|
+
c(
|
|
56203
|
+
"disable" /* Disable IPv6 multicast filter for IPv6 NAT */
|
|
56204
|
+
)
|
|
56205
|
+
),
|
|
55985
56206
|
"ipv6-multicast-interfaces" /* Enable IPv6 multicast filter for IPv6 NAT */,
|
|
55986
56207
|
"allow-overlapping-nat-pools" /* Allow usage of overlapping and same nat pools in multiple service sets */,
|
|
55987
56208
|
"rule" ( /* Define a NAT rule */
|
|
@@ -55990,16 +56211,31 @@ rule(:nat_object) do
|
|
|
55990
56211
|
"port-forwarding" ( /* Define a port-forwarding pool */
|
|
55991
56212
|
pf_mapping /* Define a port-forwarding pool */
|
|
55992
56213
|
),
|
|
55993
|
-
"rule-set" /* Defines a set of NAT rules */
|
|
56214
|
+
"rule-set" arg ( /* Defines a set of NAT rules */
|
|
56215
|
+
c(
|
|
56216
|
+
"rule" arg /* Rule to be included in this rule set */
|
|
56217
|
+
)
|
|
56218
|
+
)
|
|
55994
56219
|
)
|
|
55995
56220
|
end
|
|
55996
56221
|
|
|
55997
56222
|
rule(:nat_pool_object) do
|
|
55998
56223
|
arg.as(:arg) (
|
|
55999
56224
|
c(
|
|
56000
|
-
"pgcp" /* NAT pool should be used exclusive by the pgcp service
|
|
56225
|
+
"pgcp" ( /* NAT pool should be used exclusive by the pgcp service */
|
|
56226
|
+
c(
|
|
56227
|
+
"remotely-controlled" /* Remotely controlled NAT pool allocation */,
|
|
56228
|
+
"ports-per-session" arg /* Number of ports to allocate in each call setup */,
|
|
56229
|
+
"hint" arg /* NAT hints */,
|
|
56230
|
+
("tcp" | "udp" | "rtp-avp")
|
|
56231
|
+
)
|
|
56232
|
+
),
|
|
56001
56233
|
"address" arg /* Address or address prefix for NAT */,
|
|
56002
|
-
"interface" /* Interface for nat pool
|
|
56234
|
+
"interface" ( /* Interface for nat pool */
|
|
56235
|
+
sc(
|
|
56236
|
+
interface_unit
|
|
56237
|
+
)
|
|
56238
|
+
).as(:oneline),
|
|
56003
56239
|
"address-overload" /* Nat pool address overload with JunOS */,
|
|
56004
56240
|
"address-range" ( /* Range of addresses for NAT */
|
|
56005
56241
|
s(
|
|
@@ -60449,10 +60685,22 @@ rule(:security_authentication_key_chains) do
|
|
|
60449
60685
|
time /* Start time for key transmission (YYYY-MM-DD.HH:MM) */
|
|
60450
60686
|
),
|
|
60451
60687
|
"algorithm" ( /* Authentication algorithm */
|
|
60452
|
-
("md5" | "hmac-sha-1")
|
|
60688
|
+
("md5" | "hmac-sha-1" | "ao")
|
|
60453
60689
|
),
|
|
60454
60690
|
"options" ( /* Protocol's transmission encoding format */
|
|
60455
60691
|
("basic" | "isis-enhanced")
|
|
60692
|
+
),
|
|
60693
|
+
"ao-attribute" ( /* TCP Authentication option attributes */
|
|
60694
|
+
c(
|
|
60695
|
+
"send-id" arg /* Send id for TCP-AO entry */,
|
|
60696
|
+
"recv-id" arg /* Recv id for TCP-AO entry */,
|
|
60697
|
+
"tcp-ao-option" ( /* Include TCP-AO option within message header */
|
|
60698
|
+
("enabled" | "disabled")
|
|
60699
|
+
),
|
|
60700
|
+
"cryptographic-algorithm" ( /* Cryptographic algorithm for TCP-AO Traffic key and MAC digest generation */
|
|
60701
|
+
("hmac-sha-1-96" | "aes-128-cmac-96")
|
|
60702
|
+
)
|
|
60703
|
+
)
|
|
60456
60704
|
)
|
|
60457
60705
|
)
|
|
60458
60706
|
)
|
|
@@ -61071,6 +61319,7 @@ rule(:security_ike) do
|
|
|
61071
61319
|
"probe-idle-tunnel" /* Send probes same as in optimized mode and also when there is no outgoing & incoming data traffic */,
|
|
61072
61320
|
"always-send" /* Send probes periodically regardless of incoming and outgoing data traffic */
|
|
61073
61321
|
),
|
|
61322
|
+
"always-send" /* Send DPD messages periodically, regardless of traffic */,
|
|
61074
61323
|
"interval" arg /* The time between DPD probe messages Default :10 */,
|
|
61075
61324
|
"threshold" arg /* Maximum number of DPD retransmissions Default :5 */
|
|
61076
61325
|
)
|
|
@@ -61319,6 +61568,21 @@ rule(:security_ipsec_vpn) do
|
|
|
61319
61568
|
),
|
|
61320
61569
|
"security-association" ( /* Define a manual control plane SA */
|
|
61321
61570
|
ipsec_sa /* Define a manual control plane SA */
|
|
61571
|
+
),
|
|
61572
|
+
"internal" ( /* Define an IPSec SA for internal RE-RE communication */
|
|
61573
|
+
c(
|
|
61574
|
+
"security-association" ( /* Define an IPSec security association */
|
|
61575
|
+
ipsec_internal_sa /* Define an IPSec security association */
|
|
61576
|
+
)
|
|
61577
|
+
)
|
|
61578
|
+
),
|
|
61579
|
+
"trusted-channel" ( /* Define an IPSec SA for trusted-channel communication */
|
|
61580
|
+
c(
|
|
61581
|
+
"security-association" ( /* Define an IPSec security association */
|
|
61582
|
+
ipsec_trusted_channel_sa /* Define an IPSec security association */
|
|
61583
|
+
),
|
|
61584
|
+
"port-exclusion-list" arg /* Define port exlusion list */
|
|
61585
|
+
)
|
|
61322
61586
|
)
|
|
61323
61587
|
)
|
|
61324
61588
|
end
|
|
@@ -61603,20 +61867,50 @@ rule(:security_macsec) do
|
|
|
61603
61867
|
),
|
|
61604
61868
|
"connectivity-association" arg ( /* Configure connectivity association properties */
|
|
61605
61869
|
c(
|
|
61606
|
-
"cipher-suite"
|
|
61870
|
+
"cipher-suite" ( /* Cipher suite to be used for encryption */
|
|
61871
|
+
("gcm-aes-128" | "gcm-aes-256" | "gcm-aes-xpn-128" | "gcm-aes-xpn-256")
|
|
61872
|
+
),
|
|
61607
61873
|
"security-mode" ( /* Connectivity association mode */
|
|
61608
61874
|
("dynamic" | "static-sak" | "static-cak")
|
|
61609
61875
|
),
|
|
61610
|
-
"
|
|
61876
|
+
"sak-hash-128" /* Configure to generate 128bit SAK hash to program HW */,
|
|
61877
|
+
"secure-channel" arg ( /* Configure secure channel properties */
|
|
61878
|
+
c(
|
|
61879
|
+
"id" ( /* Secure channel identifier */
|
|
61880
|
+
c(
|
|
61881
|
+
"mac-address" ( /* MAC addresses */
|
|
61882
|
+
mac_addr /* MAC addresses */
|
|
61883
|
+
),
|
|
61884
|
+
"port-id" arg /* Port identifier */
|
|
61885
|
+
)
|
|
61886
|
+
),
|
|
61887
|
+
"direction" ( /* Secure channel direction */
|
|
61888
|
+
("inbound" | "outbound")
|
|
61889
|
+
),
|
|
61890
|
+
"encryption" /* Enable Encryption */,
|
|
61891
|
+
"offset" ( /* Confidentiality offset */
|
|
61892
|
+
("0" | "30" | "50")
|
|
61893
|
+
),
|
|
61894
|
+
"include-sci" /* Include secure channel identifier in MAC Security PDU */,
|
|
61895
|
+
"security-association" arg ( /* Security association */
|
|
61896
|
+
c(
|
|
61897
|
+
"key" arg /* Security association key in hexadecimal format of length 32 */
|
|
61898
|
+
)
|
|
61899
|
+
)
|
|
61900
|
+
)
|
|
61901
|
+
),
|
|
61611
61902
|
"mka" ( /* Configure MAC Security Key Agreement protocol properties */
|
|
61612
61903
|
c(
|
|
61613
61904
|
"transmit-interval" arg /* Configure MKA periodic transmit interval */,
|
|
61905
|
+
"sak-rekey-interval" arg /* Configure SAK rekeying interval */,
|
|
61614
61906
|
"bounded-delay" /* Configure Bounded Hello Time */,
|
|
61907
|
+
"suspend-on-request" /* Configure on key-server to accept suspend-on-request during gres or issu */,
|
|
61908
|
+
"suspend-for" /* Configure to suspend MKA during gres or issu */,
|
|
61615
61909
|
"key-server-priority" arg /* Configure MKA key server priority */,
|
|
61616
61910
|
"must-secure" /* Allow only secure dot1x traffic */,
|
|
61617
61911
|
"should-secure" /* Configure fail open mode for MKA protocol */,
|
|
61618
61912
|
"eapol-address" ( /* Configure EAPOL destination group address */
|
|
61619
|
-
("pae" | "provider-bridge" | "lldp-multicast")
|
|
61913
|
+
("pae" | "provider-bridge" | "lldp-multicast" | arg)
|
|
61620
61914
|
)
|
|
61621
61915
|
)
|
|
61622
61916
|
),
|
|
@@ -61626,6 +61920,7 @@ rule(:security_macsec) do
|
|
|
61626
61920
|
)
|
|
61627
61921
|
),
|
|
61628
61922
|
"no-encryption" /* Disable encryption */,
|
|
61923
|
+
"disable-preceding-key" /* Disable CA preceding key duing key switch-over */,
|
|
61629
61924
|
"offset" ( /* Confidentiality offset */
|
|
61630
61925
|
("0" | "30" | "50")
|
|
61631
61926
|
),
|
|
@@ -61633,14 +61928,35 @@ rule(:security_macsec) do
|
|
|
61633
61928
|
"pre-shared-key" ( /* Configure pre-shared connectivity association key */
|
|
61634
61929
|
c(
|
|
61635
61930
|
"ckn" arg /* Connectivity association key name in hexadecimal format */,
|
|
61636
|
-
"cak" arg /* Connectivity association key in hexadecimal format
|
|
61931
|
+
"cak" arg /* Connectivity association key in hexadecimal format */
|
|
61932
|
+
)
|
|
61933
|
+
),
|
|
61934
|
+
"fallback-key" ( /* Configure fallback key for connectivity association */
|
|
61935
|
+
c(
|
|
61936
|
+
"ckn" arg /* Connectivity association fallback key name in hexadecimal format */,
|
|
61937
|
+
"cak" arg /* Connectivity association fallback key secret in hexadecimal format */
|
|
61637
61938
|
)
|
|
61638
61939
|
),
|
|
61639
61940
|
"pre-shared-key-chain" arg /* Pre-shared key chain name for connectivity association */,
|
|
61640
61941
|
"exclude-protocol" enum(("cdp" | "lldp" | "lacp")) /* Configure protocols to exclude from MAC Security */.as(:oneline)
|
|
61641
61942
|
)
|
|
61642
61943
|
),
|
|
61643
|
-
"interfaces" /* Interfaces on which macsec configuration is applied
|
|
61944
|
+
"interfaces" arg ( /* Interfaces on which macsec configuration is applied */
|
|
61945
|
+
c(
|
|
61946
|
+
"unit" arg ( /* Logical interface */
|
|
61947
|
+
c(
|
|
61948
|
+
"connectivity-association" arg /* Connectivity association name */,
|
|
61949
|
+
"traceoptions" ( /* Tracing options of MKA protocol */
|
|
61950
|
+
mka_trace_options /* Tracing options of MKA protocol */
|
|
61951
|
+
)
|
|
61952
|
+
)
|
|
61953
|
+
),
|
|
61954
|
+
"connectivity-association" arg /* Connectivity association name */,
|
|
61955
|
+
"traceoptions" ( /* Tracing options of MKA protocol */
|
|
61956
|
+
mka_trace_options /* Tracing options of MKA protocol */
|
|
61957
|
+
)
|
|
61958
|
+
)
|
|
61959
|
+
),
|
|
61644
61960
|
"cluster-control-port" arg ( /* Cluster control port on which macsec configuration is applied */
|
|
61645
61961
|
c(
|
|
61646
61962
|
"connectivity-association" arg /* Connectivity association name */,
|
|
@@ -61803,6 +62119,25 @@ rule(:security_pki) do
|
|
|
61803
62119
|
"ca-profiles" arg /* Name of the CA profiles (maximum 20) */
|
|
61804
62120
|
)
|
|
61805
62121
|
),
|
|
62122
|
+
"trap" ( /* Trap options for PKI certificates */
|
|
62123
|
+
c(
|
|
62124
|
+
"certificate-id" arg ( /* Local certificate identifier */
|
|
62125
|
+
c(
|
|
62126
|
+
arg
|
|
62127
|
+
)
|
|
62128
|
+
),
|
|
62129
|
+
"ca-identity" arg ( /* CA identity */
|
|
62130
|
+
c(
|
|
62131
|
+
arg
|
|
62132
|
+
)
|
|
62133
|
+
),
|
|
62134
|
+
"all-certificates" ( /* Trap config for all certificates */
|
|
62135
|
+
c(
|
|
62136
|
+
arg
|
|
62137
|
+
)
|
|
62138
|
+
)
|
|
62139
|
+
)
|
|
62140
|
+
),
|
|
61806
62141
|
"auto-re-enrollment" ( /* Auto re-enroll of certificate */
|
|
61807
62142
|
c(
|
|
61808
62143
|
"cmpv2" ( /* CMPv2 auto re-enrollment configuration */
|
|
@@ -61912,8 +62247,16 @@ rule(:security_traceoptions) do
|
|
|
61912
62247
|
)
|
|
61913
62248
|
).as(:oneline),
|
|
61914
62249
|
"rate-limit" arg /* Limit the incoming rate of trace messages */,
|
|
61915
|
-
"filter" /* Filter parameters for IKE traceoptions
|
|
61916
|
-
|
|
62250
|
+
"filter" ( /* Filter parameters for IKE traceoptions */
|
|
62251
|
+
c(
|
|
62252
|
+
"fpc" arg /* FPC slot number */,
|
|
62253
|
+
"pic" arg /* PIC slot number */
|
|
62254
|
+
)
|
|
62255
|
+
),
|
|
62256
|
+
"flag" enum(("timer" | "routing-socket" | "parse" | "config" | "ike" | "policy-manager" | "general" | "database" | "certificates" | "snmp" | "thread" | "high-availability" | "next-hop-tunnels" | "all" | "ams" | "lic")) /* Tracing parameters */.as(:oneline),
|
|
62257
|
+
"level" ( /* Level of debugging output */
|
|
62258
|
+
("error" | "warning" | "notice" | "info" | "verbose" | "all")
|
|
62259
|
+
)
|
|
61917
62260
|
)
|
|
61918
62261
|
end
|
|
61919
62262
|
|
|
@@ -65982,3 +66325,10 @@ rule(:zone_system_services_object_type) do
|
|
|
65982
66325
|
)
|
|
65983
66326
|
end
|
|
65984
66327
|
|
|
66328
|
+
rule(:tenant_system_type) do
|
|
66329
|
+
arg.as(:arg) (
|
|
66330
|
+
c(
|
|
66331
|
+
"max-sessions" arg /* Max number of IDP sessions */
|
|
66332
|
+
)
|
|
66333
|
+
)
|
|
66334
|
+
end
|