Singature for Jabber tcp/2748

RepartoSistemi · ‎05-17-2016

Hi, I try to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usag... running on port 2748.

The packet dump give me this result for the client request:

5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."...
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O...
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z...
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco
4a 54 41 50 49 00 JTAPI.

and I want to intercept the string "UCProvider 1.0"

I tried with a signatures with:

parent App: jabber

port: tcp/2748

Signature: Pattern Match

Scope: Session (also I tried with Transaction )

Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )

Pattern: follow all the patterns that I've tried, one for a time...

UCProvider 1.0

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

BUT NOT WORK everytime unknown-tcp or insufficent-data result on traffic monitor

How can resolve this problem without write a policies with any in application and a custom service (tcp/2748) ???

thank you

rcole · ‎05-23-2016

Good morning!

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.

View solution in original post

rcole · ‎05-17-2016

Good morning.

My skillset is more around writing threat signatures (vulnerability and anti-spyware) rather than application signatures. However, if you provide a packet capture of some sample traffic you'd like to identify, this would likely be helpful, as many folks with varying skillsets frequent this forum. In order to test any of our ideas, having a packet capture of some sample traffic to replay in our lab environments would help to lead towards resolution.

Is this possible?

RepartoSistemi · ‎05-17-2016

Yes it's possible, but I cannot attach the pcap file on my post.
Perhaps a account limitation ?

RepartoSistemi · ‎05-17-2016

Ok bypass the limitation

-Download this file.

-Rename it to download.rar

-Exctract two file (a unusefull jpg, and the dump file)

The dump it's take from my Desktop (192.168.3.117) when jabber login to remote server (192.168.32.40)

I send only the first transaction packet because inside the other packet I have in cleartext some reserved information.

Regards

Max

rcole · ‎05-17-2016

Thank you. That was a creative work around.

One thing I've noticed is that the data pattern you are matching on is not present in the packet capture (or the excerpt from your initial post).

Your pattern is:

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

However, the pattern in the packet capture and your excerpt is as follows:

\x 55 43 50 72 6f 76 69 64 65 72 00 31 2e 30 \x

Note that the 11th byte in your pattern is 20 (a space). The actual byte is a null byte (00).

This may be a good place to start troubleshooting, if I have not overlooked anything.

Respectfully,

- rcole

RepartoSistemi · ‎05-19-2016

Ok RCole, I went in deep.

After change the signature Palo Alto recognize logoff process as Cisco Jabber (cti_cisco) application, but for the login process the result is "insufficent-data".

Summary of example transaction:

CISCO Jabber logoff => tcp.src 51084 tcp.dst 2748

CISCO Jabber login => tcp.src 51351 tcp.dst 2748

thake a look of this picture:

And you know something even stranger?

Take a look on the logoff/login process from the following tcpdump:

On the logoff process we dont have any byte like our singature, and this is RECOGNISED as cti_cisco, instead on the login process we have some byte equal the singature, and this is NOT recognized, it's insufficend-data.

?????????

Crazy! I get hold of the wrong end of the stick ?

rcole · ‎05-19-2016

Good morning! 🙂

Would it be possible for you to export and attach the signature you've created so far so I can inspect it?

RepartoSistemi · ‎05-19-2016

I try combination of:

-both CONDITION in OR or in AND

-SCOPE as Transaction or Session

-Context Unknown-req-tcp-payload or telnet-req-client-data

-Ordered Condition Match flagged or not flagged.

rcole · ‎05-19-2016

Thank you for the complete packet capture! However, what I'm hoping for is the actual signature you've written. Can you export it from the firewall and upload it here? Additionally, .RAR and .PCAP formats should no longer require you to obfuscate them to upload.

RepartoSistemi · ‎05-20-2016

Sorry I had atteched a worg file, this is the current signatures xml.

rcole · ‎05-23-2016

Good morning!

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.

RepartoSistemi · ‎05-24-2016

Ok we hope will a version with a fix.

Unlock your full community experience!

Singature for Jabber tcp/2748

Singature for Jabber tcp/2748

Show your appreciation!