Signature for Jabber tcp/2748

L1 Bithead

Hi, I am trying to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usag...) running on port 2748.

The packet dump gives me this result for the client request:

 

5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00 ^....... ........
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00 6... ... $..."...
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00 ....D... ....O...
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00 ....S... ....Z...
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31 ....UCPr ovider.1
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20 .0.Shibu i.Cisco
4a 54 41 50 49 00 JTAPI.

and I want to intercept the string "UCProvider 1.0"

I tried a signature with:

parent App: jabber

port: tcp/2748

Signature: Pattern Match

Scope: Session (also I tried with Transaction )

Context: unknown-req-tcp-payload (also I tried with unknown-rsp-tcp-payload )

Pattern: the patterns that I've tried follow, one at a time...

UCProvider 1.0

\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x

 

BUT IT DOES NOT WORK: every time, the result in the traffic monitor is unknown-tcp or insufficient-data.

How can I resolve this problem without writing a policy with "any" as the application and a custom service (tcp/2748)?

Thank you
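
An offline check of the two patterns listed in the post against the bytes in its packet dump, as an added example that is not part of the original post: in the dump, the byte between "UCProvider" and "1.0" is 0x00, not a space (0x20). The function names and the two comparison patterns are assumptions made for this example, and the check says nothing about how the firewall's signature engine evaluates a pattern.

```python
import re

# Bytes copied from the packet dump in the post (client request on tcp/2748).
DUMP_HEX = """
5e 00 00 00 00 00 00 00 dd dd ff ff 00 00 0f 00
36 01 00 00 20 00 00 00 24 00 00 00 22 00 00 00
01 00 00 00 44 00 00 00 0b 00 00 00 4f 00 00 00
04 00 00 00 53 00 00 00 07 00 00 00 5a 00 00 00
0c 00 00 00 55 43 50 72 6f 76 69 64 65 72 00 31
2e 30 00 53 68 69 62 75 69 00 43 69 73 63 6f 20
4a 54 41 50 49 00
"""
PAYLOAD = bytes.fromhex("".join(DUMP_HEX.split()))

# The two patterns listed in the post; both encode the same 14 bytes.
TRIED = {
    "text pattern": b"UCProvider 1.0",
    "hex pattern": bytes.fromhex("55 43 50 72 6f 76 69 64 65 72 20 31 2e 30"),
}

# Assumption, for comparison only: the same strings as they appear in the dump.
CANDIDATES = {
    "UCProvider alone": b"UCProvider",
    "UCProvider + 0x00 + 1.0": b"UCProvider\x001.0",
}


def find_pattern(payload, pattern):
    """Offset of the first occurrence of pattern in payload, or -1."""
    return payload.find(pattern)


def nul_terminated_strings(payload, min_len=3):
    """(offset, text) for each printable-ASCII run that is followed by 0x00."""
    rx = re.compile(rb"[\x20-\x7e]{%d,}(?=\x00)" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in rx.finditer(payload)]


if __name__ == "__main__":
    print(len(PAYLOAD), "bytes in the captured request")
    for offset, text in nul_terminated_strings(PAYLOAD):
        print(f"  offset {offset:3d}: {text!r}")
    for name, pattern in {**TRIED, **CANDIDATES}.items():
        print(f"{name}: offset {find_pattern(PAYLOAD, pattern)}")
```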

 

 

 

 

11 REPLIES 11

Good morning!

 

It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.

 

This knowledge base article will assist:

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

 

The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.


OK, we hope there will be a version with a fix.
