- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-22-2017 09:04 AM
Hello All,
I am working on creating a custome signature for a Dahua NVR that we would like to allow remote access to. It operates on port 37777 which has been allowed, but traffic still shows up as unknown-tcp and is subsiquently blocked. Does anyone have experience working with one of these devices or creating a signature for it?
We opened up the rules to allow any application and was able to capture some traffic while using it. Would this be enough to create a signature?
Thank you all in advance!
Jon
12-22-2017 09:18 AM
I'd suggest doing some packet captures of the traffic to see there is something you can use to identify it.
a tiny bit of googling suggests that the traffic is not encrypted so depending upon what you find in the captures it may be possible to build a signature using the combination of protocol, port, and pattern matching.
if you post a few packet capture samples here, or show us some snippets of what you see during session setup, then the folks who participate in this forum may be able to help.
-Benjamin
12-22-2017 10:42 AM
Hello Benjamin,
I have gathered some packets, but do not know what types of identifers I'm looking for to make up a signature. Do you have any examples or could I PM you some of the capture?
Thank you!
Jon
12-22-2017 10:48 AM
Jon,
when you look at the captures in wireshark what do you see in the data portion of the packet?
does every session start with a predictable string or sequence of bits/bytes? if so we can try to build a signature from that.
assuming that the capture doesn't contain any information that you would consider confidential (IP addresses, personally identifiable info, etc) you could share it here and then we can try to find a way to help you write a custom signature.
Benjamin
12-22-2017 11:17 AM
Here are a few lines from the capture with the source and destination IPs removed. Is there enough info here or do you need more packet details.
No.,"Time","Source","Destination","Protocol","Length","Info" |
1,"0.000000","EXTERNALIP","DESTIP","TCP","74","52771 > 37777 [SYN] Seq=0 Win=65535 Len=0 MSS=1390 SACK_PERM=1 TSval=27981135 TSecr=0 WS=4" |
2,"0.000329","172.20.0.11","EXTERNALIP","TCP","74","37777 > 52771 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=14910032 TSecr=27981135 WS=32" |
3,"0.064911","EXTERNALIP","DESTIP","TCP","66","52771 > 37777 [ACK] Seq=1 Ack=1 Win=83400 Len=0 TSval=27981147 TSecr=14910032" |
4,"0.122998","EXTERNALIP","DESTIP","TCP","98","52771 > 37777 [PSH, ACK] Seq=1 Ack=1 Win=83400 Len=32 TSval=27981152 TSecr=14910032" |
5,"0.123359","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=1 Ack=33 Win=28960 Len=0 TSval=14910164 TSecr=27981152" |
6,"0.125416","172.20.0.11","EXTERNALIP","TCP","150","37777 > 52771 [PSH, ACK] Seq=1 Ack=33 Win=28960 Len=84 TSval=14910166 TSecr=27981152" |
7,"0.204895","EXTERNALIP","DESTIP","TCP","66","52771 > 37777 [ACK] Seq=33 Ack=85 Win=83400 Len=0 TSval=27981161 TSecr=14910166" |
8,"0.212851","EXTERNALIP","DESTIP","TCP","169","52771 > 37777 [PSH, ACK] Seq=33 Ack=85 Win=83400 Len=103 TSval=27981162 TSecr=14910166" |
9,"0.213332","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=85 Ack=136 Win=28960 Len=0 TSval=14910254 TSecr=27981162" |
10,"0.217426","172.20.0.11","EXTERNALIP","TCP","98","37777 > 52771 [PSH, ACK] Seq=85 Ack=136 Win=28960 Len=32 TSval=14910258 TSecr=27981162" |
11,"0.304043","EXTERNALIP","DESTIP","TCP","98","52771 > 37777 [PSH, ACK] Seq=136 Ack=117 Win=83400 Len=32 TSval=27981171 TSecr=14910258" |
12,"0.304514","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=117 Ack=168 Win=28960 Len=0 TSval=14910345 TSecr=27981171" |
13,"0.304870","172.20.0.11","EXTERNALIP","TCP","113","37777 > 52771 [PSH, ACK] Seq=117 Ack=168 Win=28960 Len=47 TSval=14910345 TSecr=27981171" |
14,"0.391928","EXTERNALIP","DESTIP","TCP","183","52771 > 37777 [PSH, ACK] Seq=168 Ack=164 Win=83400 Len=117 TSval=27981179 TSecr=14910345" |
15,"0.392632","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=164 Ack=285 Win=28960 Len=0 TSval=14910433 TSecr=27981179" |
16,"0.392811","EXTERNALIP","DESTIP","TCP","343","52771 > 37777 [PSH, ACK] Seq=285 Ack=164 Win=83400 Len=277 TSval=27981179 TSecr=14910345" |
17,"0.393398","172.20.0.11","EXTERNALIP","TCP","271","37777 > 52771 [PSH, ACK] Seq=164 Ack=285 Win=28960 Len=205 TSval=14910434 TSecr=27981179" |
18,"0.399131","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=369 Ack=562 Win=30048 Len=0 TSval=14910434 TSecr=27981179" |
19,"0.399360","172.20.0.11","EXTERNALIP","TCP","187","37777 > 52771 [PSH, ACK] Seq=369 Ack=562 Win=30048 Len=121 TSval=14910440 TSecr=27981179" |
20,"0.399531","172.20.0.11","EXTERNALIP","TCP","187","37777 > 52771 [PSH, ACK] Seq=490 Ack=562 Win=30048 Len=121 TSval=14910440 TSecr=27981179" |
21,"0.409293","172.20.0.11","EXTERNALIP","TCP","774","37777 > 52771 [PSH, ACK] Seq=611 Ack=562 Win=30048 Len=708 TSval=14910445 TSecr=27981179" |
22,"0.469436","EXTERNALIP","DESTIP","TCP","66","52771 > 37777 [ACK] Seq=562 Ack=611 Win=84472 Len=0 TSval=27981189 TSecr=14910433" |
23,"0.501429","EXTERNALIP","DESTIP","TCP","187","52771 > 37777 [PSH, ACK] Seq=562 Ack=1319 Win=85888 Len=121 TSval=27981190 TSecr=14910445" |
24,"0.502095","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=1319 Ack=683 Win=30048 Len=0 TSval=14910543 TSecr=27981190" |
25,"0.504167","172.20.0.11","EXTERNALIP","TCP","342","37777 > 52771 [PSH, ACK] Seq=1319 Ack=683 Win=30048 Len=276 TSval=14910545 TSecr=27981190" |
26,"0.573642","EXTERNALIP","DESTIP","TCP","98","52771 > 37777 [PSH, ACK] Seq=683 Ack=1319 Win=85888 Len=32 TSval=27981198 TSecr=14910445" |
27,"0.574079","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=1595 Ack=715 Win=30048 Len=0 TSval=14910615 TSecr=27981198" |
28,"0.613621","172.20.0.11","EXTERNALIP","TCP","98","37777 > 52771 [PSH, ACK] Seq=1595 Ack=715 Win=30048 Len=32 TSval=14910615 TSecr=27981198" |
29,"0.613814","EXTERNALIP","DESTIP","TCP","98","52771 > 37777 [PSH, ACK] Seq=715 Ack=1595 Win=87304 Len=32 TSval=27981202 TSecr=14910545" |
30,"0.614158","172.20.0.11","EXTERNALIP","TCP","66","37777 > 52771 [ACK] Seq=1627 Ack=747 Win=30048 Len=0 TSval=14910655 TSecr=27981202" |
12-22-2017 11:42 AM
We'd need to see what's in some of those packets to build a signature. the pattern matching engine works against the data portion of the packet if memory serves me.
12-22-2017 01:08 PM
I thought that might be the case. Here are some data sections:
0000 a0 05 00 60 00 00 00 00 c4 a3 af 48 99 56 b6 b4
0010 c7 8e 9e d1 c8 55 20 37 04 02 03 01 00 01 a1 aa
0000 a0 05 00 60 47 00 00 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 04 02 03 08 00 00 a1 aa
0020 61 64 6d 69 6e 26 26 44 37 31 41 45 39 38 33 37
0030 31 42 33 33 35 37 42 36 34 45 38 31 34 30 32 36
0040 41 37 44 39 44 33 42 41 43 33 41 43 43 31 41 39
0050 46 31 30 46 31 46 32 32 43 44 32 42 43 35 43 46
0060 31 36 38 39 38 32 43
0000 a4 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000 f4 00 00 00 55 00 00 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 54 72 61 6e 73 61 63 74 69 6f 6e 49 44 3a 31 0d
0030 0a 4d 65 74 68 6f 64 3a 47 65 74 50 61 72 61 6d
0040 65 74 65 72 56 61 6c 75 65 73 0d 0a 50 61 72 61
0050 6d 65 74 65 72 4e 61 6d 65 3a 44 61 68 75 61 2e
0060 44 65 76 69 63 65 2e 44 65 63 6f 64 65 2e 43 66
0070 67 0d 0a 0d 0a
0000 f6 00 00 00 5a 00 00 00 34 02 00 00 00 00 00 00
0010 5a 00 00 00 00 00 00 00 fa 02 d2 13 00 00 00 00
0020 7b 20 22 69 64 22 20 3a 20 35 36 34 2c 20 22 6d
0030 65 74 68 6f 64 22 20 3a 20 22 61 6c 61 72 6d 2e
0040 67 65 74 41 6c 6c 49 6e 53 6c 6f 74 73 22 2c 20
0050 22 70 61 72 61 6d 73 22 20 3a 20 6e 75 6c 6c 2c
0060 20 22 73 65 73 73 69 6f 6e 22 20 3a 20 33 33 32
0070 35 33 30 34 32 36 20 7d 0a 00 f6 00 00 00 5b 00
0080 00 00 35 03 00 00 00 00 00 00 5b 00 00 00 00 00
0090 00 00 fa 02 d2 13 00 00 00 00 7b 20 22 69 64 22
00a0 20 3a 20 38 32 31 2c 20 22 6d 65 74 68 6f 64 22
00b0 20 3a 20 22 61 6c 61 72 6d 2e 67 65 74 41 6c 6c
00c0 4f 75 74 53 6c 6f 74 73 22 2c 20 22 70 61 72 61
00d0 6d 73 22 20 3a 20 6e 75 6c 6c 2c 20 22 73 65 73
00e0 73 69 6f 6e 22 20 3a 20 33 33 32 35 33 30 34 32
00f0 36 20 7d 0a 00 a4 00 00 00 00 00 00 00 1a 00 00
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0110 00 00 00 00 00
0000 f4 00 00 00 59 00 00 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020 54 72 61 6e 73 61 63 74 69 6f 6e 49 44 3a 34 0d
0030 0a 4d 65 74 68 6f 64 3a 47 65 74 50 61 72 61 6d
0040 65 74 65 72 56 61 6c 75 65 73 0d 0a 50 61 72 61
0050 6d 65 74 65 72 4e 61 6d 65 3a 44 61 68 75 61 2e
0060 44 65 76 69 63 65 2e 52 65 63 6f 72 64 2e 47 65
0070 6e 65 72 61 6c 0d 0a 0d 0a
0000 a1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000 a4 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!