How to make custom signature with segment field?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to make custom signature with segment field?

L0 Member

Recently, URL filter evasion application often use tcp segment field.

How to make custom application with tcp segment field?

 

Protocol sequence.

1. SYN 

2. SYN,ACK

3. ACK

4. PSH,ACK : TCP segment data has GET / HTTP/1.1

 

dodgechrome_tcp_segment.png

 

 

It can bypass our URL filtering.

You can download and reproduce using below link.

http://1bil.net/DodgeChrome-31.zip

 

Thanks.

 

2 REPLIES 2

L4 Transporter

bkim:

 

Given that the traffic is being classified as "unknown-tcp," you may be able to write signatures to pick off at least one of the methods being used in this app, by inspecting unknown-req-tcp-payload for some specific strings indicative of HTTP traffic. (GET / HTTP/1.1, etc)

 

However, the obvious quick and blunt solution would be, "Don't allow unknown-tcp traffic" to egress to the web, which appears to defeat this tool entirely. This is probably a better solution than writing custom signatures.

L4 Transporter

Bkim;

 

I agree with rcole.  If the evasion technique creates an unknown application  then you should already have policies in place to deny unknown udp and tcp traffic. While a signature (if possible ) would work in this situation the more encompasing approach would be to block unknown apps as mentioned. If the traffic causes a url category of "unknown" to be generated then you should deal with that situation within yout URL filtering policy.  Signatures are great for specific or unique traffic patterns when other methods can't address the problem / situation. Glad you thinking out of the box.

 

Phil

  • 4207 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!