App-ID RPC Syntax

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

App-ID RPC Syntax

L2 Linker

So trying to further classify RPC data as the correct type of RPC data based on program number (300029 in this case).  Not trying to re-invent the wheel though on how PA already correctly classifies it as RPC data, curious if there is a way in a custom App-ID to say something like "If known_existing_app AND XYZ then new_custom_app_ID", i.e. "If RPC and magic_bytes=300029 then Custom_App, not RPC".  The existing RPC detection does a better job than I can ever hope to manually recreate off the top of my head, woud like to reutilize it. [and if not a way to reference it, there a way to look at the actual signature so I could copy it]

2 REPLIES 2

Cyber Elite
Cyber Elite

When creating the custom app you can try setting the parent app to RPC, then look for the magic byte in the session/transaction.

That should allow most of the session to follow regular app-id into RPC and then only trigger the custom app once the magic byte shows up

 

 

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I was wondering if nesting worked like that, couldn't find any documentation on it.  Will give it a shot and get back to you.

  • 4086 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!