amount of traffic before "unknown application" is determined

sylvia — Tue, 10 Jul 2012 16:35:45 GMT

Hi,

my questions deals with the application detection. As far as I know the heuristic engine is the last possibility after application signature and decoders weren't successful.

But does anybody know how much traffic (bytes or packets) will/can run through a PAN before the heuristic engine gives and the application is set to "unknown"?

Many thanks,

Sylvia

Re: amount of traffic before "unknown application" is determined

mikand — Tue, 10 Jul 2012 17:55:53 GMT

Page 2 at http://media.paloaltonetworks.com/documents/App_ID_tech.pdf have a brief description on whats going on inside a PA device when a packet arrives.

I have seen numbers of 14 and up to 20 packets being mentioned before final decision that a flow is unknown, but I dont know if these figures are true or not. However it can go faster to decide that a session is unknown.

For example:

CS: SYN

SC: SYN+ACK

CS: ACK

CS: "a b c\n\n"

SC: HTTP ERROR 400/Bad Request

= unknown (if im not mistaken).

In the above case there was only needed 2 packets (or 1 packet in each direction if we exclude the initial handshake) before the flow isnt recognised as any known application and because of that classified as unknown.

There are other cases aswell. For example if you start a session like DNS but in the middle start to do other things then the DNS decoder will not recognise the traffic and because of that switch the flow out of the DNS decoder and identify it as unknown. When next packet arrives the PA unit can take a new decision what kind of traffic is passing through (so you in the log can see how a single session hops between identified applications).

topic Re: amount of traffic before "unknown application" is determined in General Topics

amount of traffic before "unknown application" is determined

Re: amount of traffic before "unknown application" is determined