Help with creating a custom App

Hi Everyone,

I have an application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow unknown-tcp.

I have attached a capture from the Firewall. I am just uncertain as to what data to pull out of this and what fields to fill in in relation to signature (actually uncertain about it all..lol).

If anyone could help that would be fantastic.

8 REPLIES

Hello Paul,

welcome to our forums.

Your captures do not contain enough information for a custom signature. It would be recommended to collect the whole pcap of the conversation between hosts, so the initialization of their communication can be reviewed and a possible signature created on that basis. In the pcaps you attached there are only four packets, seemingly starting some SSL encrypted tunnel (there are bytes "STARTTLS!EOT!DIASEND" in the data portion of packets). You might want to use those bytes as a placeholder - or anything else that will be recognizable in (any) such session for which you want to have a custom signature.

If this is SSL, it will get offloaded anyhow unless you use decryption rules; if it always remains as unknown-TCP and never shows as SSL you might need to open a TAC case to determine what the cause of it was, as it is expected to show as SSL after several packets.

If you can upload the whole TCP conversation, we might help you by looking into it with you and determining items above. For more detailed but generic information on what is needed, please review this document: https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Sign...

Best regards

Luciano

Thank you for your response Lucky and sorry for the delay,

I was able to do a packet capture and have now uploaded it.

I can see it uses a server name: download.diasend.com

IP of dest is 54.72.239.101

src user IP was 10.10.60.88

Hi Paul,

this is encrypted traffic which would generally get offloaded and won't be inspected unless you have a decryption policy running. For that reason, I think you will have much better results if you use the IP address rather than pattern-match. Pattern match is irrelevant once it gets offloaded, and it would get offloaded once it is recognized as ssl. Destination IP address, on the other hand, would be much more explicit.

I have also noticed you use diasenddata.com along with diasend.com; both diasenddata.com and download.diasend.com resolve to the IP address 54.72.239.101 (while the top domain, diasend.com, resolves to 52.16.54.164). Can you try to use 54.72.239.101 as the IP address for this application and see if your results are better? Then, regardless of the underlying protocol, traffic towards diasenddata.com (or downloads.diasend.com) would be seen as your custom app.

Let us know if you still have problems with it and what is your take on the whole situation.

Best regards

Luciano

Hi Luciano,

Thank you again for taking the time with assisting me.

I am very much a novice in custom app creation; could you help a bit with the steps?

1. create custom app called diasend

1a. On the configuration page: I have attached a screenshot.

1b. Advanced: as suggested, I need to add the IP somehow.

1c. Ignore the signature tab.

2. Do I need to then create an application override? And if so, what fields need to be entered?

Regards

Paul

Hi Paul,

here is a nice guide: https://live.paloaltonetworks.com/t5/Tech-Notes/Custom-Application-Signatures/ta-p/58625

Application override is used if you want to omit that traffic from inspection. That is usually done in a very targeted manner and only if such an exception is needed for uninterrupted traffic, meaning the firewall is creating problems and, until the problem is resolved, the workaround is to omit such traffic from inspection.

From your questions, I did not get the impression that application override is what you are trying to do. From my understanding, you just want to identify traffic to this host as a specific app in your logs, and possibly create security policies based on that.

Scratch my idea of defining it only based on ports and IP address; my idea is bad because the traffic is not unique enough and we might interfere with properly identified apps running on the same ports (80 and 443).

It is worth investigating the option of using ssl-req-client-hello with the pattern "646f776e6c6f61642e64696173656e642e636f6d" (which is the hex representation of download.diasend.com; I just copied that from your pcap). This should work, but I cannot be 100% sure without trying it. Can you try and see if the comms are hitting this signature? If you are still having problems, I can try to create the signature for you and export it.

Best regards

Luciano

Hi Luciano,

Thanks again for all your help. Is there any chance I could get you to create the signature for me, please?

I am having the same exact issue with an application that does not seem to have a signature right now. If I send over a capture that I took of this traffic, might you be so kind as to help create a custom signature?

I'm sure someone here would be willing to help. Be sure to start a new thread for your application.
