Singature for Jabber tcp/2748

Reply
L1 Bithead

Singature for Jabber tcp/2748

Hi, I try to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usag... running on port 2748.

 

The packet dump give me this result for the client request:

 

5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."...
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O...
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z...
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco
4a 54 41 50 49 00 JTAPI.

and I want to intercept the string "UCProvider 1.0"

 

I tried with a signatures with:

parent App: jabber

port: tcp/2748

Signature: Pattern Match

Scope: Session (also I tried with Transaction )

Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )

Pattern: follow all the patterns that I've tried, one for a time...

UCProvider 1.0

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

BUT NOT WORK everytime unknown-tcp or insufficent-data result on traffic monitor

 

How can resolve this problem without write a policies with any in application and a custom service (tcp/2748) ???

 

thank you

 

 

 

 

L4 Transporter

Re: Singature for Jabber tcp/2748

Good morning.

 

My skillset is more around writing threat signatures (vulnerability and anti-spyware) rather than application signatures. However, if you provide a packet capture of some sample traffic you'd like to identify, this would likely be helpful, as many folks with varying skillsets frequent this forum. In order to test any of our ideas, having a packet capture of some sample traffic to replay in our lab environments would help to lead towards resolution.

 

Is this possible?

L1 Bithead

Re: Singature for Jabber tcp/2748

Yes it's possible, but I cannot attach the pcap file on my post.
Perhaps a account limitation ?

 

 

L1 Bithead

Re: Singature for Jabber tcp/2748

download.jpg

Ok bypass the limitation

-Download this file.

-Rename it to download.rar

-Exctract two file (a unusefull jpg, and the dump file)

 

The dump it's take from my Desktop (192.168.3.117) when jabber login to remote server (192.168.32.40)

I send only the first transaction packet because inside the other packet I have in cleartext some reserved information.

 

Regards

Max

 

L4 Transporter

Re: Singature for Jabber tcp/2748

Thank you. That was a creative work around.

 

One thing I've noticed is that the data pattern you are matching on is not present in the packet capture (or the excerpt from your initial post).

 

Your pattern is:

 

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

 

However, the pattern in the packet capture and your excerpt is as follows:

 

\x 55 43 50 72 6f 76 69 64 65 72 00 31 2e 30 \x

 

 

Note that the 11th byte in your pattern is 20 (a space). The actual byte is a null byte (00).

 

This may be a good place to start troubleshooting, if I have not overlooked anything.

 

Respectfully,

- rcole

L1 Bithead

Re: Singature for Jabber tcp/2748

Ok RCole, I went in deep.

 

After change the signature Palo Alto recognize logoff process as Cisco Jabber (cti_cisco) application, but for the login process the result is "insufficent-data".

 

Summary of example transaction:

CISCO Jabber logoff => tcp.src 51084 tcp.dst 2748

CISCO Jabber login => tcp.src 51351 tcp.dst 2748

 

thake a look of this picture:

 

capture03.JPGcapture03-logoff.JPG

capture03-login.JPG

 

And you know something even stranger?

Take a look on the logoff/login process from the following tcpdump:

download.jpg

On the logoff process we dont have any byte like our singature, and this is RECOGNISED as cti_cisco, instead on the login process we have some byte equal the singature, and this is NOT recognized, it's insufficend-data.

 

?????????

Crazy! I get hold of the wrong end of the stick ?

 

 

 

 

L4 Transporter

Re: Singature for Jabber tcp/2748

Good morning! :)

 

Would it be possible for you to export and attach the signature you've created so far so I can inspect it?

L1 Bithead

Re: Singature for Jabber tcp/2748

 

download.jpg

 

I try combination of:

-both CONDITION in OR or in AND

-SCOPE as Transaction or Session

-Context Unknown-req-tcp-payload or telnet-req-client-data

-Ordered Condition Match flagged or not flagged.

L4 Transporter

Re: Singature for Jabber tcp/2748

Thank you for the complete packet capture! However, what I'm hoping for is the actual signature you've written. Can you export it from the firewall and upload it here? Additionally, .RAR and .PCAP formats should no longer require you to obfuscate them to upload.

Highlighted
L1 Bithead

Re: Singature for Jabber tcp/2748

Sorry I had atteched a worg file, this is the current signatures xml.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!