Singature for Jabber tcp/2748

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Singature for Jabber tcp/2748

L1 Bithead

Hi, I try to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usag... running on port 2748.

 

The packet dump give me this result for the client request:

 

5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."...
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O...
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z...
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco
4a 54 41 50 49 00 JTAPI.

and I want to intercept the string "UCProvider 1.0"

 

I tried with a signatures with:

parent App: jabber

port: tcp/2748

Signature: Pattern Match

Scope: Session (also I tried with Transaction )

Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )

Pattern: follow all the patterns that I've tried, one for a time...

UCProvider 1.0

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

BUT NOT WORK everytime unknown-tcp or insufficent-data result on traffic monitor

 

How can resolve this problem without write a policies with any in application and a custom service (tcp/2748) ???

 

thank you

 

 

 

 

1 accepted solution

Accepted Solutions

Good morning!

 

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

 

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.

View solution in original post

11 REPLIES 11

L4 Transporter

Good morning.

 

My skillset is more around writing threat signatures (vulnerability and anti-spyware) rather than application signatures. However, if you provide a packet capture of some sample traffic you'd like to identify, this would likely be helpful, as many folks with varying skillsets frequent this forum. In order to test any of our ideas, having a packet capture of some sample traffic to replay in our lab environments would help to lead towards resolution.

 

Is this possible?

Yes it's possible, but I cannot attach the pcap file on my post.
Perhaps a account limitation ?

 

 

download.jpg

Ok bypass the limitation

-Download this file.

-Rename it to download.rar

-Exctract two file (a unusefull jpg, and the dump file)

 

The dump it's take from my Desktop (192.168.3.117) when jabber login to remote server (192.168.32.40)

I send only the first transaction packet because inside the other packet I have in cleartext some reserved information.

 

Regards

Max

 

Thank you. That was a creative work around.

 

One thing I've noticed is that the data pattern you are matching on is not present in the packet capture (or the excerpt from your initial post).

 

Your pattern is:

 

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

 

However, the pattern in the packet capture and your excerpt is as follows:

 

\x 55 43 50 72 6f 76 69 64 65 72 00 31 2e 30 \x

 

 

Note that the 11th byte in your pattern is 20 (a space). The actual byte is a null byte (00).

 

This may be a good place to start troubleshooting, if I have not overlooked anything.

 

Respectfully,

- rcole

Ok RCole, I went in deep.

 

After change the signature Palo Alto recognize logoff process as Cisco Jabber (cti_cisco) application, but for the login process the result is "insufficent-data".

 

Summary of example transaction:

CISCO Jabber logoff => tcp.src 51084 tcp.dst 2748

CISCO Jabber login => tcp.src 51351 tcp.dst 2748

 

thake a look of this picture:

 

capture03.JPGcapture03-logoff.JPG

capture03-login.JPG

 

And you know something even stranger?

Take a look on the logoff/login process from the following tcpdump:

download.jpg

On the logoff process we dont have any byte like our singature, and this is RECOGNISED as cti_cisco, instead on the login process we have some byte equal the singature, and this is NOT recognized, it's insufficend-data.

 

?????????

Crazy! I get hold of the wrong end of the stick ?

 

 

 

 

L4 Transporter

Good morning! 🙂

 

Would it be possible for you to export and attach the signature you've created so far so I can inspect it?

 

download.jpg

 

I try combination of:

-both CONDITION in OR or in AND

-SCOPE as Transaction or Session

-Context Unknown-req-tcp-payload or telnet-req-client-data

-Ordered Condition Match flagged or not flagged.

Thank you for the complete packet capture! However, what I'm hoping for is the actual signature you've written. Can you export it from the firewall and upload it here? Additionally, .RAR and .PCAP formats should no longer require you to obfuscate them to upload.

Sorry I had atteched a worg file, this is the current signatures xml.

Good morning!

 

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

 

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.

Ok we hope will a version with a fix.

  • 1 accepted solution
  • 12018 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!