topic Unable to negate Signature pattern-match. Why Custom Vulnerability has Negate option but Apps NOT? in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/unable-to-negate-signature-pattern-match-why-custom/m-p/256260#M296 <P>I created custom app for ldaps tcp/636 based on signature (ssl-rsp-certificate) which contains text from certificate</P><P>This caused https - tcp/443 (ssl based) traffic to match this new custom app.<BR />After some investigation I realised that https context ssl-req-client-hello contains http/version (i.e. http/1.1) and wanted to filter out this in my custom app so it will not match https any more.</P><P>Unfortunately I run into limitation where I am not able to Negate my pattern-match. Something that is possible in Custom vulnerability is not possible in Custom App, unfortunately and sadly.</P><P>Proposal to specify port 636 under Advanced/Defaults is not a solution.</P><P>&nbsp;</P><P>Reason: Custom application signature behaves similar way as pre-defined. App-ID does not work merely on default port information but also other conditions.<BR />For example, if you have web-application running on custom port, it will be identify as web-browsing as soon as it matches to web-browsing signatures.</P> Fri, 05 Apr 2019 09:14:38 GMT olukacko 2019-04-05T09:14:38Z Unable to negate Signature pattern-match. Why Custom Vulnerability has Negate option but Apps NOT? https://live.paloaltonetworks.com/t5/custom-signatures/unable-to-negate-signature-pattern-match-why-custom/m-p/256260#M296 <P>I created custom app for ldaps tcp/636 based on signature (ssl-rsp-certificate) which contains text from certificate</P><P>This caused https - tcp/443 (ssl based) traffic to match this new custom app.<BR />After some investigation I realised that https context ssl-req-client-hello contains http/version (i.e. http/1.1) and wanted to filter out this in my custom app so it will not match https any more.</P><P>Unfortunately I run into limitation where I am not able to Negate my pattern-match. Something that is possible in Custom vulnerability is not possible in Custom App, unfortunately and sadly.</P><P>Proposal to specify port 636 under Advanced/Defaults is not a solution.</P><P>&nbsp;</P><P>Reason: Custom application signature behaves similar way as pre-defined. App-ID does not work merely on default port information but also other conditions.<BR />For example, if you have web-application running on custom port, it will be identify as web-browsing as soon as it matches to web-browsing signatures.</P> Fri, 05 Apr 2019 09:14:38 GMT https://live.paloaltonetworks.com/t5/custom-signatures/unable-to-negate-signature-pattern-match-why-custom/m-p/256260#M296 olukacko 2019-04-05T09:14:38Z