I am stuck at a point with the configuration of a custom-attack signature in Junos. According to the Junos Custom Attack Definition documentation page, I can set up a custom attack based upon a signature in the packet. In the documentation you can specify a "pattern" to match, but it fails to describe what the pattern syntax should be. Particularly, I want to match the HEX values of

8C 00 13 00

in the first four bytes of the TCP data payload. Does anyone know how to accomplish this correctly?

1 Answer

You could look at other patterns in the default attack objects with the command:

show log /var/db/idpd/sec-download/SignatureUpdate.xml

Here are a few hexadecimal examples:

<Pattern><![CDATA[.*\xeb 2c 5b 89 d9 80 c1 06 39 d9 7c 07 80 01\x.*]]></Pattern>
<Pattern><![CDATA[.*\xffff ff2f 4249 4e2f 5348 00\x.*]]></Pattern>
<Pattern><![CDATA[.*\x7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78\x.*\x408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02\x.*]]></Pattern>
<Pattern><![CDATA[.*\xeb23 5e33 c088 46fa 8946 f589 36\x.*]]></Pattern>

So your pattern should be:

<Pattern><![CDATA[.*\x8C 00 13 00\x.*]]></Pattern>

Hugo Garcia
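
An added example (not part of the answer, and not Juniper code) for surveying how shipped signatures write hex runs: it reads Pattern elements from a SignatureUpdate.xml-style fragment, decodes each \x...\x run into bytes, and writes bytes back out in the same style. The \x...\x delimiting is inferred from the examples above; the Sample wrapper element, the text-only pattern and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The hex <Pattern> lines are copied from the answer;
# the <Sample> wrapper and the text-only pattern are made up for the demo.
SAMPLE_XML = r"""<Sample>
<Pattern><![CDATA[.*\x7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78\x.*\x408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02\x.*]]></Pattern>
<Pattern><![CDATA[.*\x8C 00 13 00\x.*]]></Pattern>
<Pattern><![CDATA[.*ordinary text pattern.*]]></Pattern>
</Sample>"""

# Assumption drawn from the examples: a hex run is opened and closed by a
# literal \x and contains hex digits with optional spaces between them.
HEX_RUN = re.compile(r"\\x([0-9A-Fa-f ]+)\\x")


def hex_runs(pattern):
    # Return every hex run in one pattern as bytes, in order of appearance.
    runs = []
    for match in HEX_RUN.finditer(pattern):
        digits = match.group(1).replace(" ", "")
        # An odd digit count cannot be whole bytes, so skip that run.
        if digits and len(digits) % 2 == 0:
            runs.append(bytes.fromhex(digits))
    return runs


def patterns_with_hex(xml_text):
    # Map each Pattern string that contains hex runs to its decoded runs.
    found = {}
    for elem in ET.fromstring(xml_text).iter("Pattern"):
        text = (elem.text or "").strip()
        runs = hex_runs(text)
        if runs:
            found[text] = runs
    return found


def to_pattern(data):
    # Write bytes in the same style as the answer's suggested pattern.
    return r".*\x" + " ".join(f"{b:02X}" for b in data) + r"\x.*"


if __name__ == "__main__":
    for pattern, runs in patterns_with_hex(SAMPLE_XML).items():
        print(pattern, "->", [r.hex(" ") for r in runs])
    print(to_pattern(bytes.fromhex("8C001300")))
```
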