I have a application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow uknown-tcp.
I have attached a capture from the Firewall, i am just uncertain as to what data to pull out of this and what fields to fill in in relation to signature (actually uncertain about it all..lol)
If anyone could help that would be fantastic.
welcome to our forums.
Your captures do not contain enough information for custom signature. It would be recommended to collect whole pcap of the conversation between hosts, so initialization of their communication can be reviewed and possible signature created on that base. In the pcaps you attached there are only four packets, seemingly starting some SSL encrypted tunnel (there are bytes "STARTTLS!EOT!DIASEND" in the data portion of packets). You might want to use those bytes as a placeholder - or anything else that will be recognizable in (any) such session for which you want to have a custom signature.
If this is SSL, it will get offloaded anyhow unless you use decryption rules; if it always remains as unknown-TCP and does never show as SSL you might need to open a TAC case to determine what whas the cause of it; as it is expected to show as SSL after several packets.
If you can upload the whole TCP conversation, we might help you by looking into it with you and determining items above. For more detailed but generic information on what is needed, please review this document: https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Sign...
this is encrypted traffic which would generally get offloaded and won't be inspected unless you have decryption policy running. For that reason, I think you will have much better results if you use IP address, rather than pattern-match. Pattern match is irrelevant once it get's offloaded, and it would get offloaded once it is recognized as ssl. Destination IP address, on the other hand, would be much more explicit.
I have also noticed you use diasenddata.com along with the diasend.com; both diasenddata.com and download.diasend.com resolve to the IP address of 184.108.40.206 (while top domain, diasend.com, resolves to 220.127.116.11). Can you try to use this 18.104.22.168 as an IP address for this application and see if your results are better? Than, regardless of the underlying protocol, traffic towards diasenddata.com (or downloads.diasend.com) would be seen as your custom app.
Let us know if you still have problems with it and what is your take on the whole situation.
Thankyou again for taking the time with assisting me.
I am very much a novice in custom app creation, could you help a bit with steps
1. create custom app called diasend
1a. on configuration page I have attached a screenshot
1b Advanced as suggested i need to add the ip somehow
1c ignore signature tab
2. Do I need to then create a appplication override ? and if so what fields need to be entered ?
here is a nice guide: https://live.paloaltonetworks.com/t5/Tech-Notes/Custom-Application-Signatures/ta-p/58625
Application override is used if you want to omit that traffic from inspection. That is usually done in a very targeted manner and only if such exception is needed for uninterrupted traffic, meaning firewall is creating problems and until problem is resolved workaround is to omit such traffic from inspection.
From your questions, I did not get an impression that application override is what you are trying to do, from my understanding - you just want to identify traffic to this host as a specific app in your logs, and possibly create security policies based on that.
Scratch my idea by defining it only based on ports and IP address, my idea is bad because traffic is not unique enough and we might interfere with properly identified apps running on the same ports (80 and 443).
It is worth investigating option of using SSL-req-client-halo with pattern "646f776e6c6f61642e64696173656e642e636f6d" (which is hex representation of download.diasend.com, I just copied that from your pcap). This should work, but I cannot be 100% sure without trying it. Can you try and see if comms are hitting this signature? If you are still having problems, I can try and create signature for you and export it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!