Unknown UDP Application

L1 Bithead

Unknown UDP Application

I am looking for some documentation on how to use the custom application identification for unknown UDP traffic. I have been successful with looking for strings within HTTP-based traffic but am struggling to identify applications that aren't HTTP-based.

Within the signature section I have tried to identify the application using the operator "pattern match" and entering the ASCII string as I have done with HTTP, and the application is not identified. I then reverted to utilizing the "equal to" operator, choosing to identify the first 4 bytes of the payload. For this particular test, I am simply trying to identify UDP-based traffic from the application iperf. Attached is the payload from that traffic, and the first 4 bytes are 00 00 04 dc (the first two bytes are always 00 00 for this traffic). For my mask I am entering 0xff000000 and for the value I enter 0x00000000.

The way I would interpret this would be to match the first byte only (because of the ff in the mask) and not worry about the remaining 3 bytes. So, my value of 00 matches the actual value of the packet payload 00, but it still won't identify the traffic as my custom application. This is in a very isolated environment with only two laptops connected on each side of a vwire (no other competing traffic).

Can someone explain where my logic has gone wrong or show me a good document that outlines how to do this?

Thanks

L1 Bithead

Re: Unknown UDP Application

I've been doing some more digging on this and am wondering if this uses bitwise operations to perform the matching. I am able to follow the logic associated with the bitwise operation but cannot apply it to the application I am testing. (Perhaps this is why you only have a Palo Alto-based app for TCP-based iperf and not UDP-based iperf?) Taking a few samples of the first four bytes yields different results when looking at this in binary:

0000 0000 0000 0000 0000 0000 0000 0100 - 00 00 00 04
0000 0000 0000 0000 0000 0000 0000 0011 - 00 00 00 03
0000 0000 0000 0000 0000 0000 0000 0011 - 00 00 00 03
0000 0000 0000 0000 0000 0000 0000 0001 - 00 00 00 01
0000 0000 0000 0000 0000 0000 0000 0010 - 00 00 00 02
0000 0000 0000 0000 0000 0000 0000 0011 - 00 00 00 03
0000 0000 0000 0000 0000 0000 0000 0100 - 00 00 00 04

I would have to create a mask that would yield the same value for all of these packets for it to be correctly identified if my logic is correct. Being new to this logic, I'm not seeing a way to accomplish this off the top of my head.

Two more questions. Is the assumption that bitwise operations are used to perform the match correct? Could anyone help me with this application for example purposes?

If I'm way off, maybe someone has a document?

Thanks!
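To make the bitwise question concrete, here is an added example (not code from the thread or from Palo Alto Networks) that models the conventional "equal to" test, (first four bytes & mask) == value, over the sample payloads quoted above. Whether PAN-OS evaluates its custom-signature operator exactly this way is an assumption here, not taken from vendor documentation. The sample bytes are constructed from the values listed in the post; the variation in the low byte is consistent with iperf2 beginning each UDP datagram with a 32-bit packet sequence counter. Under this definition the poster's 0xff000000 / 0x00000000 rule does match every sample shown, and the example also derives the widest mask on which all the samples agree, then rounds it down to whole bytes so the rule tolerates counter values not yet seen.

```python
"""Added example: bitwise mask/value matching over the first four payload bytes.

Models the conventional "equal to" test, (first_4_bytes & mask) == value.
Whether PAN-OS custom signatures evaluate the operator exactly this way is an
assumption here, not something taken from vendor documentation. The sample
payloads are constructed from the byte values quoted in the thread.
"""
import struct

WORD = 0xFFFFFFFF

# Constructed samples: the first four payload bytes listed in the post.
SAMPLES = [bytes.fromhex(h) for h in
           ("00000004", "00000003", "00000003", "00000001",
            "00000002", "00000003", "00000004")]


def first4(payload: bytes) -> int:
    """First four payload bytes as a big-endian (network order) unsigned int."""
    if len(payload) < 4:
        raise ValueError("payload shorter than 4 bytes")
    return struct.unpack("!I", payload[:4])[0]


def mask_match(payload: bytes, mask: int, value: int) -> bool:
    """Equal-to test: every bit selected by mask must equal the same bit of value.

    A value bit that lies outside the mask can never be compared, so such a
    rule is almost certainly a typo; reject it instead of silently ignoring it.
    """
    if value & ~mask & WORD:
        raise ValueError("value sets bits that the mask does not inspect")
    return (first4(payload) & mask) == value


def common_mask(samples) -> tuple[int, int]:
    """Widest mask on which all samples agree, and the value they share under it.

    A bit enters the mask only if it is identical in every sample; the bits
    that vary (here, the low bits of the counter) are masked out.
    """
    words = [first4(s) for s in samples]
    agree = WORD
    for w in words[1:]:
        agree &= ~(w ^ words[0]) & WORD
    return agree, words[0] & agree


def matching_rule(samples) -> tuple[int, int]:
    """Round the derived mask down to whole bytes so the rule tolerates counter
    values beyond those sampled (e.g. 0xfffffff8 becomes 0xffffff00)."""
    mask, value = common_mask(samples)
    byte_mask = 0
    for shift in (24, 16, 8, 0):
        if (mask >> shift) & 0xFF == 0xFF:
            byte_mask |= 0xFF << shift
    return byte_mask, value & byte_mask


if __name__ == "__main__":
    # The poster's rule, an exact-match rule, and the rule derived from the samples.
    for mask, value in ((0xFF000000, 0), (0xFFFFFFFF, 4), matching_rule(SAMPLES)):
        hits = sum(mask_match(s, mask, value) for s in SAMPLES)
        print(f"mask 0x{mask:08x} value 0x{value:08x}: {hits}/{len(SAMPLES)} samples match")
```

The derived mask is only as good as the capture behind it: a sequence counter keeps growing, so a mask derived from a short run (0xfffffff8 here) would stop matching once the counter passes 7, which is why the byte-rounded 0xffffff00 is the safer rule, and a long enough test will eventually change the third byte as well. A mask of 0x00000000 is the degenerate case that matches every packet and should never be used as a signature.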
