topic Re: Custom signature for unknown tcp in General Topics

Custom signature for unknown tcp

oguzhan-sanatci — Mon, 05 Mar 2018 15:14:30 GMT

this is a capture from a tcp traffic.

i want to make a custom app id because in my log it say my application is an unknown-TCP application

how can i get the signature from the digits (image) ?

can someone thell me or give me tips how i should make a custom app id from a packet capture

thanks!

Re: Custom signature for unknown tcp

jvalentine — Mon, 05 Mar 2018 15:23:42 GMT

Coulds you share PCAPs of this application, preferrably from a few different sessions? That would make it much easier to create a custom signature.

Another option is to create an "empty" AppID (essentially an AppID without a Layer-7 signature). Then you can create an App-Override policy that maps traffic to your custom application server (using both IP Address & TCP Port #) to your newly-created AppID.

Re: Custom signature for unknown tcp

BPry — Mon, 05 Mar 2018 15:40:53 GMT

@oguzhan-sanatci,

As @jvalentine pointed out you'll need to provide PCAPs of the traffic to help build the signature or you can create a custom application. WIthin the application you would simply give it any Properties that you actually want it to have, set the default ports if desired, and then leave the actual 'Signature' section empty.

You can then build an application override policy that lets you specify a wide range of information. If you know that an internal source reaching out to a specific destination server over tcp 41794-41795 is going to be your custom application you can build a policy for that and it will simply map that traffic to the custom application ID that you created.

Re: Custom signature for unknown tcp

oguzhan-sanatci — Tue, 06 Mar 2018 11:49:51 GMT

@BPry @jvalentine
Thank you both for the fast reply this morning i 've solved the problem by picking the right hexa digits