Singature for Jabber tcp/2748

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Singature for Jabber tcp/2748

L1 Bithead

Hi, I try to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usag... running on port 2748.

 

The packet dump give me this result for the client request:

 

5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."...
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O...
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z...
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco
4a 54 41 50 49 00 JTAPI.

and I want to intercept the string "UCProvider 1.0"

 

I tried with a signatures with:

parent App: jabber

port: tcp/2748

Signature: Pattern Match

Scope: Session (also I tried with Transaction )

Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )

Pattern: follow all the patterns that I've tried, one for a time...

UCProvider 1.0

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

BUT NOT WORK everytime unknown-tcp or insufficent-data result on traffic monitor

 

How can resolve this problem without write a policies with any in application and a custom service (tcp/2748) ???

 

thank you

 

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Good morning!

 

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

 

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.

View solution in original post

11 REPLIES 11

L4 Transporter

Good morning.

 

My skillset is more around writing threat signatures (vulnerability and anti-spyware) rather than application signatures. However, if you provide a packet capture of some sample traffic you'd like to identify, this would likely be helpful, as many folks with varying skillsets frequent this forum. In order to test any of our ideas, having a packet capture of some sample traffic to replay in our lab environments would help to lead towards resolution.

 

Is this possible?

Yes it's possible, but I cannot attach the pcap file on my post.
Perhaps a account limitation ?

 

 

download.jpg

Ok bypass the limitation

-Download this file.

-Rename it to download.rar

-Exctract two file (a unusefull jpg, and the dump file)

 

The dump it's take from my Desktop (192.168.3.117) when jabber login to remote server (192.168.32.40)

I send only the first transaction packet because inside the other packet I have in cleartext some reserved information.

 

Regards

Max

 

Thank you. That was a creative work around.

 

One thing I've noticed is that the data pattern you are matching on is not present in the packet capture (or the excerpt from your initial post).

 

Your pattern is:

 

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

 

However, the pattern in the packet capture and your excerpt is as follows:

 

\x 55 43 50 72 6f 76 69 64 65 72 00 31 2e 30 \x

 

 

Note that the 11th byte in your pattern is 20 (a space). The actual byte is a null byte (00).

 

This may be a good place to start troubleshooting, if I have not overlooked anything.

 

Respectfully,

- rcole

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!