11-30-2015 11:14 PM
Recently, URL filter evasion application often use tcp segment field.
How to make custom application with tcp segment field?
Protocol sequence.
1. SYN
2. SYN,ACK
3. ACK
4. PSH,ACK : TCP segment data has GET / HTTP/1.1
It can bypass our URL filtering.
You can download and reproduce using below link.
http://1bil.net/DodgeChrome-31.zip
Thanks.
12-01-2015 06:33 AM - edited 12-01-2015 06:51 AM
bkim:
Given that the traffic is being classified as "unknown-tcp," you may be able to write signatures to pick off at least one of the methods being used in this app, by inspecting unknown-req-tcp-payload for some specific strings indicative of HTTP traffic. (GET / HTTP/1.1, etc)
However, the obvious quick and blunt solution would be, "Don't allow unknown-tcp traffic" to egress to the web, which appears to defeat this tool entirely. This is probably a better solution than writing custom signatures.
12-01-2015 06:28 PM
Bkim;
I agree with rcole. If the evasion technique creates an unknown application then you should already have policies in place to deny unknown udp and tcp traffic. While a signature (if possible ) would work in this situation the more encompasing approach would be to block unknown apps as mentioned. If the traffic causes a url category of "unknown" to be generated then you should deal with that situation within yout URL filtering policy. Signatures are great for specific or unique traffic patterns when other methods can't address the problem / situation. Glad you thinking out of the box.
Phil
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
