<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Patterns in custom app signature only recognizing half the tcp port traffic in Automation/API Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/patterns-in-custom-app-signature-only-recognizing-half-the-tcp/m-p/4865#M118</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kind of at my wit's end. I could sure use some assistance.&lt;/P&gt;&lt;P&gt;I have created some custom app-ids with signatures with success that recognize 100% of the traffic and other app-ids with signatures that fall short.&lt;/P&gt;&lt;P&gt;The ones that fall short only recognize 50% of the traffic with the other half labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point out some basic thing that I am fundamentally not doing right.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for.&lt;/P&gt;&lt;P&gt;After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic.&lt;/P&gt;&lt;P&gt;For the custom app-id, I made 1 Session based signature that consisted of 16 patterns. The patterns are all: 'or condition' (&lt;SPAN style="text-decoration: underline;"&gt;not&lt;/SPAN&gt; ordered), "pattern match",&amp;nbsp; "unknown-rec-tcp-payload",&amp;nbsp; and 7 bytes in length.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied, with the other half of the same port traffic labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;Originally I thought I missed some repeating client traffic request patterns, but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Did I miss something?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your help and input is greatly appreciated.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 05 Jun 2015 03:08:29 GMT</pubDate>
    <dc:creator>twheeler</dc:creator>
    <dc:date>2015-06-05T03:08:29Z</dc:date>
    <item>
      <title>Patterns in custom app signature only recognizing half the tcp port traffic</title>
      <link>https://live.paloaltonetworks.com/t5/automation-api-discussions/patterns-in-custom-app-signature-only-recognizing-half-the-tcp/m-p/4865#M118</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kind of at my wit's end. I could sure use some assistance.&lt;/P&gt;&lt;P&gt;I have created some custom app-ids with signatures with success that recognize 100% of the traffic and other app-ids with signatures that fall short.&lt;/P&gt;&lt;P&gt;The ones that fall short only recognize 50% of the traffic with the other half labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point out some basic thing that I am fundamentally not doing right.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for.&lt;/P&gt;&lt;P&gt;After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic.&lt;/P&gt;&lt;P&gt;For the custom app-id, I made 1 Session based signature that consisted of 16 patterns. The patterns are all: 'or condition' (&lt;SPAN style="text-decoration: underline;"&gt;not&lt;/SPAN&gt; ordered), "pattern match",&amp;nbsp; "unknown-rec-tcp-payload",&amp;nbsp; and 7 bytes in length.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied, with the other half of the same port traffic labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labeled as "Insufficient data."&lt;/P&gt;&lt;P&gt;Originally I thought I missed some repeating client traffic request patterns, but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Did I miss something?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Your help and input is greatly appreciated.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Jun 2015 03:08:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/automation-api-discussions/patterns-in-custom-app-signature-only-recognizing-half-the-tcp/m-p/4865#M118</guid>
      <dc:creator>twheeler</dc:creator>
      <dc:date>2015-06-05T03:08:29Z</dc:date>
    </item>
  </channel>
</rss>