Custom Signature Help


L1 Bithead

Hi, 

 

I'm attempting to create an application signature to detect Amazon AWS backups. I captured SSL client hello packets to get the below hex for the pattern match, but the signature is not firing.

 

Packet,

Amazon_TLS.PNG 

 

Hex value,

/x 3531333438623763302d646432372d313164662d393337622d3038303032303063396136362e73332e616d617a6f6e6177732e636f6d /x

 

Signature condition match,

Amazon_sig.PNG


2 Replies

L5 Sessionator

Hello,

 

does it work when you chop it up in smaller pieces?

 

Best regards,
Luciano

Looks like my issue was due to spaces on the hex indicators and I was using /x instead of \x. It worked after modifying the pattern match to the below,

 

\x3531333438623763302d646432372d313164662d393337622d3038303032303063396136362e73332e616d617a6f6e6177732e636f6d\x
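The two mistakes named in the solution above (spaces around the hex and `/x` instead of `\x`) can be caught before a pattern is pasted into the signature. The following is an added example, not part of the original thread and not Palo Alto Networks code: the function names are hypothetical, the hex digits are the ones from the post, and the server_name extension is constructed sample data on the assumption that the hex was captured from that field of the Client Hello.

```python
import re

# Hex digits copied from the post (the bytes the poster captured from the Client Hello).
POST_HEX = ("3531333438623763302d646432372d313164662d393337622d"
            "3038303032303063396136362e73332e616d617a6f6e6177732e636f6d")

def lint_hex_pattern(text):
    # Report what keeps `text` from having the \x<hex digits>\x shape that fired in the post.
    problems = []
    if "/x" in text:
        problems.append("uses /x instead of \\x")
    if re.search(r"\s", text):
        problems.append("contains whitespace")
    m = re.fullmatch(r"\\x([0-9A-Fa-f]+)\\x", normalize(text))
    if not m:
        problems.append("not of the form \\x<hex digits>\\x")
    elif len(m.group(1)) % 2:
        problems.append("odd number of hex digits")
    return problems

def normalize(text):
    # Apply the two fixes from the accepted solution: drop whitespace, turn /x into \x.
    return re.sub(r"\s", "", text).replace("/x", "\\x")

def pattern_bytes(pattern):
    # Decode a clean pattern into the raw bytes it is meant to match.
    problems = lint_hex_pattern(pattern)
    if problems:
        raise ValueError("; ".join(problems))
    return bytes.fromhex(pattern[2:-2])

def sni_extension(host):
    # Constructed server_name extension (RFC 6066 layout), used as offline sample traffic.
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type 0 = host_name
    names = len(entry).to_bytes(2, "big") + entry               # ServerNameList
    return b"\x00\x00" + len(names).to_bytes(2, "big") + names  # extension type 0

if __name__ == "__main__":
    broken = "/x " + POST_HEX + " /x"          # as first entered in the post
    print(lint_hex_pattern(broken))
    fixed = normalize(broken)
    host = pattern_bytes(fixed).decode("ascii")
    print(fixed)
    print(host, pattern_bytes(fixed) in sni_extension(host))
```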

 

 
