Unable to negate Signature pattern-match. Why Custom Vulnerability has Negate option but Apps NOT?


I created a custom app for ldaps (tcp/636) based on a signature (ssl-rsp-certificate) that contains text from the certificate.

This caused https (tcp/443, SSL-based) traffic to match this new custom app.
After some investigation I realised that the https context ssl-req-client-hello contains http/version (i.e. http/1.1) and wanted to filter this out in my custom app so it would no longer match https.

Unfortunately I ran into a limitation where I am not able to negate my pattern-match. Something that is possible in Custom Vulnerability is, unfortunately and sadly, not possible in Custom App.

The proposal to specify port 636 under Advanced/Defaults is not a solution.


Reason: a custom application signature behaves the same way as a pre-defined one. App-ID does not work merely on default port information but also on other conditions.
For example, if you have a web application running on a custom port, it will be identified as web-browsing as soon as it matches the web-browsing signatures.
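The "http/version" string the poster found in the ssl-req-client-hello context is the ALPN extension (RFC 7301) of the TLS ClientHello; browsers advertise "http/1.1" and "h2" there, while LDAPS clients typically send no ALPN at all. The following is an added example, not the poster's configuration and not Palo Alto Networks' App-ID code: a small Python parser that builds constructed ClientHello records, extracts the ALPN list, and uses it to tell HTTPS-style handshakes from ALPN-less ones. The record layout assumed is a plain TLS 1.2-style ClientHello (no TLS 1.3 key-share or record fragmentation), and all sample inputs are constructed inline rather than captured.

```python
"""Added example: extract the ALPN list from a TLS ClientHello.

Assumptions (labelled here and in the lead-in): a single unfragmented
record, a TLS 1.2-style ClientHello, and constructed sample handshakes.
"""
import struct

ALPN_EXT = 0x0010  # extension type for application_layer_protocol_negotiation


def build_client_hello(alpn=None):
    """Construct a ClientHello (record + handshake header) as test input."""
    body = b"\x03\x03" + bytes(32)                 # client_version, random (all-zero, constructed)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                             # compression methods: null only
    exts = b""
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        alpn_body = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXT, len(alpn_body)) + alpn_body
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the ALPN protocol names from a ClientHello, or [] when absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p >= len(hs):
        return []                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == ALPN_EXT:
            q = p + 2                               # skip protocol_name_list length
            protos = []
            while q < p + elen:
                n = hs[q]
                protos.append(hs[q + 1:q + 1 + n].decode())
                q += 1 + n
            return protos
        p += elen
    return []


def looks_like_https(record):
    """Heuristic: an HTTP ALPN value marks the handshake as HTTPS-style."""
    return any(proto.startswith("http/") or proto == "h2" for proto in parse_alpn(record))


if __name__ == "__main__":
    browser = build_client_hello(["h2", "http/1.1"])   # constructed HTTPS-style hello
    ldaps = build_client_hello()                        # constructed hello with no ALPN
    print("browser ALPN:", parse_alpn(browser), "https?", looks_like_https(browser))
    print("ldaps ALPN:", parse_alpn(ldaps), "https?", looks_like_https(ldaps))
```

The ALPN check is exactly the negative condition the poster wanted to express in the custom app signature: a certificate-text match plus "no HTTP ALPN in the client hello". Keep in mind it is a heuristic for a detection or triage script, not a replacement for App-ID, and it cannot see anything once the handshake is encrypted.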
