topic How to make custom signature with segment field? in Custom Signatures

How to make custom signature with segment field?

Retired Member — Tue, 01 Dec 2015 07:14:57 GMT

Recently, URL filter evasion application often use tcp segment field.

How to make custom application with tcp segment field?

Protocol sequence.

1. SYN

2. SYN,ACK

3. ACK

4. PSH,ACK : TCP segment data has GET / HTTP/1.1

It can bypass our URL filtering.

You can download and reproduce using below link.

http://1bil.net/DodgeChrome-31.zip

Thanks.

Re: How to make custom signature with segment field?

rcole — Tue, 01 Dec 2015 14:51:09 GMT

bkim:

Given that the traffic is being classified as "unknown-tcp," you may be able to write signatures to pick off at least one of the methods being used in this app, by inspecting unknown-req-tcp-payload for some specific strings indicative of HTTP traffic. (GET / HTTP/1.1, etc)

However, the obvious quick and blunt solution would be, "Don't allow unknown-tcp traffic" to egress to the web, which appears to defeat this tool entirely. This is probably a better solution than writing custom signatures.

Re: How to make custom signature with segment field?

HITSSEC — Wed, 02 Dec 2015 02:28:28 GMT

Bkim;

I agree with rcole. If the evasion technique creates an unknown application then you should already have policies in place to deny unknown udp and tcp traffic. While a signature (if possible ) would work in this situation the more encompasing approach would be to block unknown apps as mentioned. If the traffic causes a url category of "unknown" to be generated then you should deal with that situation within yout URL filtering policy. Signatures are great for specific or unique traffic patterns when other methods can't address the problem / situation. Glad you thinking out of the box.

Phil