topic Behaviour app override in General Topics

Behaviour app override

soporteseguridad — Wed, 01 Jun 2016 18:39:11 GMT

Hi, we are having an issue using app override.

1) We have created a custom app for Oracle (without timeout). Using these ports: tcp1521-1541.

This is the config

This is the app override policy:

This is the security policy (app any and ports involved in this app 1533 and 60xxx):

Service profile for ports open in this ORACLE connection (1023-65535)

After doing all these changes, the Oracle (custom app) connections stopped working so we check the monitor traffic logs and we saw this:

Well, we decided to configure a source filter in our app override policy, in order not matching "app override" policy with any.

After doing that we realised that these Oracle connections open another ports in range 606xx, but using app override these others ports didnt appear.

In the this screenshot we can see what monitor shows using app_overrise and Oracle default. Using our custom app (Iracle_1521_1541) is taking the connection in ports 1533 fine but not another ports are appearing so its not working fine.

At 13:17:00 we disabled app override policy and it started working.

So its like using app override for this custom app, if another ports in the connections are used its not working.

Why using our custom app we cant see the ports open over this Oracle_custom connection?? How could we solve this???

Re: Behaviour app override

reaper — Thu, 02 Jun 2016 07:49:58 GMT

looks like your oracle deployment may have been customized somehow to use other ports than expected

can you try this: set the custom app with 'parent app' oracle, set the ports to tcp/dynamic and disable app override:

Re: Behaviour app override

soporteseguridad — Thu, 02 Jun 2016 10:37:25 GMT

But if i disable "app override", the custom app will not applied, right??

With app override policy i say what source/destination range will ovewrite the app.

should i configure the ports in app like this??:

All the previous changes will affect to another apps???

thanks a lot reaper.

Re: Behaviour app override

reaper — Thu, 02 Jun 2016 11:33:36 GMT

app override is not required if you only want to identify an application differently.

App override forces AppID to not inspect certain sessions and instead acts as a stateful firewall. it disabled AppID

a custom app without override let's AppID do it's job of inspecting the session and you tell it to identify an application differently. since oracle is set as parent app, it should only apply to sessions identified as oracle

usually your method should work just fine, but the fact that it doesn't and without the override it starts using different ports may mean your deployment may be somewhat special and the heavy handed approach with app override might break something

i'd start with only tcp/dynamic, once you get it to work you can tone that down to the actual set of ports you would like to use (you could also add the tcp/606** instead of dynamic if you prefer)