Custom Signature for Dahua NVR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Signature for Dahua NVR

L1 Bithead

Hello All,

 

I am working on creating a custome signature for a Dahua NVR that we would like to allow remote access to.  It operates on port 37777 which has been allowed, but traffic still shows up as unknown-tcp and is subsiquently blocked.  Does anyone have experience working with one of these devices or creating a signature for it?  

 

We opened up the rules to allow any application and was able to capture some traffic while using it.  Would this be enough to create a signature?

 

Thank you all in advance!

Jon

 

 

6 REPLIES 6

L6 Presenter

I'd suggest doing some packet captures of the traffic to see there is something you can use to identify it.

 

a tiny bit of googling suggests that the traffic is not encrypted so depending upon what you find in the captures it may be possible to build a signature using the combination of protocol, port, and pattern matching.

 

if you post a few packet capture samples here, or show us some snippets of what you see during session setup, then the folks who participate in this forum may be able to help.

 

-Benjamin

 

Hello Benjamin,

 

I have gathered some packets, but do not know what types of identifers I'm looking for to make up a signature.  Do you have any examples or could I PM you some of the capture?

 

Thank you!

Jon

 

 

Jon,

 

when you look at the captures in wireshark what do you see in the data portion of the packet? 

 

does every session start with a predictable string or sequence of bits/bytes? if so we can try to build a signature from that.

 

assuming that the capture doesn't contain any information that you would consider confidential (IP addresses, personally identifiable info, etc) you could share it here and then we can try to find a way to help you write a custom signature.

 

Benjamin

 

Here are a few lines from the capture with the source and destination IPs removed.  Is there enough info here or do you need more packet details.

 

 

 

 

No.,"Time","Source","Destination","Protocol","Length","Info"
1,"0.000000","EXTERNALIP","DESTIP","TCP","74","52771  >  37777 [SYN] Seq=0 Win=65535 Len=0 MSS=1390 SACK_PERM=1 TSval=27981135 TSecr=0 WS=4"
2,"0.000329","172.20.0.11","EXTERNALIP","TCP","74","37777  >  52771 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=14910032 TSecr=27981135 WS=32"
3,"0.064911","EXTERNALIP","DESTIP","TCP","66","52771  >  37777 [ACK] Seq=1 Ack=1 Win=83400 Len=0 TSval=27981147 TSecr=14910032"
4,"0.122998","EXTERNALIP","DESTIP","TCP","98","52771  >  37777 [PSH, ACK] Seq=1 Ack=1 Win=83400 Len=32 TSval=27981152 TSecr=14910032"
5,"0.123359","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=1 Ack=33 Win=28960 Len=0 TSval=14910164 TSecr=27981152"
6,"0.125416","172.20.0.11","EXTERNALIP","TCP","150","37777  >  52771 [PSH, ACK] Seq=1 Ack=33 Win=28960 Len=84 TSval=14910166 TSecr=27981152"
7,"0.204895","EXTERNALIP","DESTIP","TCP","66","52771  >  37777 [ACK] Seq=33 Ack=85 Win=83400 Len=0 TSval=27981161 TSecr=14910166"
8,"0.212851","EXTERNALIP","DESTIP","TCP","169","52771  >  37777 [PSH, ACK] Seq=33 Ack=85 Win=83400 Len=103 TSval=27981162 TSecr=14910166"
9,"0.213332","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=85 Ack=136 Win=28960 Len=0 TSval=14910254 TSecr=27981162"
10,"0.217426","172.20.0.11","EXTERNALIP","TCP","98","37777  >  52771 [PSH, ACK] Seq=85 Ack=136 Win=28960 Len=32 TSval=14910258 TSecr=27981162"
11,"0.304043","EXTERNALIP","DESTIP","TCP","98","52771  >  37777 [PSH, ACK] Seq=136 Ack=117 Win=83400 Len=32 TSval=27981171 TSecr=14910258"
12,"0.304514","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=117 Ack=168 Win=28960 Len=0 TSval=14910345 TSecr=27981171"
13,"0.304870","172.20.0.11","EXTERNALIP","TCP","113","37777  >  52771 [PSH, ACK] Seq=117 Ack=168 Win=28960 Len=47 TSval=14910345 TSecr=27981171"
14,"0.391928","EXTERNALIP","DESTIP","TCP","183","52771  >  37777 [PSH, ACK] Seq=168 Ack=164 Win=83400 Len=117 TSval=27981179 TSecr=14910345"
15,"0.392632","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=164 Ack=285 Win=28960 Len=0 TSval=14910433 TSecr=27981179"
16,"0.392811","EXTERNALIP","DESTIP","TCP","343","52771  >  37777 [PSH, ACK] Seq=285 Ack=164 Win=83400 Len=277 TSval=27981179 TSecr=14910345"
17,"0.393398","172.20.0.11","EXTERNALIP","TCP","271","37777  >  52771 [PSH, ACK] Seq=164 Ack=285 Win=28960 Len=205 TSval=14910434 TSecr=27981179"
18,"0.399131","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=369 Ack=562 Win=30048 Len=0 TSval=14910434 TSecr=27981179"
19,"0.399360","172.20.0.11","EXTERNALIP","TCP","187","37777  >  52771 [PSH, ACK] Seq=369 Ack=562 Win=30048 Len=121 TSval=14910440 TSecr=27981179"
20,"0.399531","172.20.0.11","EXTERNALIP","TCP","187","37777  >  52771 [PSH, ACK] Seq=490 Ack=562 Win=30048 Len=121 TSval=14910440 TSecr=27981179"
21,"0.409293","172.20.0.11","EXTERNALIP","TCP","774","37777  >  52771 [PSH, ACK] Seq=611 Ack=562 Win=30048 Len=708 TSval=14910445 TSecr=27981179"
22,"0.469436","EXTERNALIP","DESTIP","TCP","66","52771  >  37777 [ACK] Seq=562 Ack=611 Win=84472 Len=0 TSval=27981189 TSecr=14910433"
23,"0.501429","EXTERNALIP","DESTIP","TCP","187","52771  >  37777 [PSH, ACK] Seq=562 Ack=1319 Win=85888 Len=121 TSval=27981190 TSecr=14910445"
24,"0.502095","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=1319 Ack=683 Win=30048 Len=0 TSval=14910543 TSecr=27981190"
25,"0.504167","172.20.0.11","EXTERNALIP","TCP","342","37777  >  52771 [PSH, ACK] Seq=1319 Ack=683 Win=30048 Len=276 TSval=14910545 TSecr=27981190"
26,"0.573642","EXTERNALIP","DESTIP","TCP","98","52771  >  37777 [PSH, ACK] Seq=683 Ack=1319 Win=85888 Len=32 TSval=27981198 TSecr=14910445"
27,"0.574079","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=1595 Ack=715 Win=30048 Len=0 TSval=14910615 TSecr=27981198"
28,"0.613621","172.20.0.11","EXTERNALIP","TCP","98","37777  >  52771 [PSH, ACK] Seq=1595 Ack=715 Win=30048 Len=32 TSval=14910615 TSecr=27981198"
29,"0.613814","EXTERNALIP","DESTIP","TCP","98","52771  >  37777 [PSH, ACK] Seq=715 Ack=1595 Win=87304 Len=32 TSval=27981202 TSecr=14910545"
30,"0.614158","172.20.0.11","EXTERNALIP","TCP","66","37777  >  52771 [ACK] Seq=1627 Ack=747 Win=30048 Len=0 TSval=14910655 TSecr=27981202"
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!