topic Re: Signature for Clash of Clans game in Custom Signatures

Signature for Clash of Clans game

david3 — Tue, 31 May 2016 15:49:05 GMT

I built the attached custom application signature for the Clash of Clans game (previously identified as unknown-tcp) based on taking multiple pcaps and finding the first 7 bytes of the first 4 data packets appear to be constant across sessions. However, I have a rather limited test bed of one iPad accessing one clan at this time. Comments and refinements welcome.

Re: Signature for Clash of Clans game

bpappas — Wed, 01 Jun 2016 22:16:55 GMT

are you trying to identify and block this app? or.... ?

Re: Signature for Clash of Clans game

david3 — Wed, 01 Jun 2016 22:37:44 GMT

I use this signature to positively identify the application as the firewall policy is configured to block all unknown-tcp and unknown-udp.

-David

Re: Signature for Clash of Clans game

BenjAudy.MTL — Thu, 02 Jun 2016 20:33:54 GMT

Hi,

I also recently created a signature to identify that game. First, the protocol used is common to all Supercell games, not just Clash of Clans. I haven't seen a way yet to differentiate between the different games (not that I care about that). My signature was pretty similar to yours at first, but sometimes it would not match, like when an Android user needs to install an update for the game. I also sometimes see UDP traffic on the same port, after the game connects using TCP. I haven't been able to reproduce that traffic on my iPhone though. I suspect the UDP traffic is only used on Android clients. Also, I don't see any repeating pattern in it, probably because the negotiation happens in the TCP stream. I will try to get my hands on an Android device to reproduce the traffic.

Benjamin