Patterns in custom app signature only recognizing half the tcp port traffic

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Patterns in custom app signature only recognizing half the tcp port traffic

Not applicable

Hello All,

Kind of at my wits end. I could sure use some assistance.

I have created some custom app-ids with signatures with success that recognize 100% of the traffic and other app-ids with signatures that fall short.

The ones that fall short only recognize 50% of the traffic with other half labeled as "Insufficient data."

The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point some basic thing that I am fundamentally not doing right.

I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for.

After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic.

For the custom app-id, I made 1 Session based signature that consisted of 16 patterns. The patterns are all: 'or condition' (not ordered), "pattern match",  "unknown-rec-tcp-payload",  and 7 byte in length.

When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied with other half of the same port traffic labeled as "Insufficient data."

I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labled as "Insufficient data."

Originally I thought I missed some repeating client traffic request patterns but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already.

Did I miss something?

Your help and input is greatly appropriated.

  • 0 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!