Custom threat signature - search full TCP payload of any AppId



I'm trying to write a custom threat signature. The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic. I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature context is "unknown-req-tcp-payload".


Is this context only for traffic that is application = unknown-tcp?  If a known application is detected, does "unknown-req-tcp-payload" not apply?



Hi John,


You are correct: in versions prior to 10.0 you cannot write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface.


In 10.0, there is more flexibility, including a "context-less" signature that may meet your requirements. Be advised that there can be performance penalties when using these expanded capabilities. More info here:


