04-05-2019 02:14 AM
I created custom app for ldaps tcp/636 based on signature (ssl-rsp-certificate) which contains text from certificate
This caused https - tcp/443 (ssl based) traffic to match this new custom app.
After some investigation I realised that https context ssl-req-client-hello contains http/version (i.e. http/1.1) and wanted to filter out this in my custom app so it will not match https any more.
Unfortunately I run into limitation where I am not able to Negate my pattern-match. Something that is possible in Custom vulnerability is not possible in Custom App, unfortunately and sadly.
Proposal to specify port 636 under Advanced/Defaults is not a solution.
Reason: Custom application signature behaves similar way as pre-defined. App-ID does not work merely on default port information but also other conditions.
For example, if you have web-application running on custom port, it will be identify as web-browsing as soon as it matches to web-browsing signatures.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
