I'm trying to write a custom threat signature. The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic. I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature Context is "unknown-req-tcp-payload".
Is this context only for traffic that is application = unknown-tcp? If a known application is detected, does "unknown-req-tcp-payload" not apply?
You are correct in that in versions prior to 10.0 you cannot write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface.
In 10.0 there is more flexibility, including a "context-less" signature that may meet your requirements. Be advised that there can be performance penalties when using these expanded capabilities. More info here: