Building a custom signature


L3 Networker

Hi there,

I have some DVR CCTV cameras on some other sites that I need to be able to view within my network behind the PA box. At the moment I have been able to get them access by doing a security rule allowing access from certain users/IPs to the IP addresses of said DVRs onsite. However, I have not been able to lock these down very much. At the moment they are allowed any application and any service on this rule. I tried to create an application and service based off the port it was using (port 37777), but even though I created this application with that port, the traffic is still coming up as Unknown-TCP on my traffic logs when using a browser to view. But when using the remote camera software to view, it showed as Incomplete, even though it works fine.

My question is: a few of those packets were captured by the Palo Alto box. How could I create a signature from those packet captures? Or what would the easiest way be to create an application that I could use for this security rule to lock it down a bit more?

1 REPLY

L7 Applicator

You could use an Application Override policy to force the 37777 port traffic to/from that range of IPs to your custom application. Creating a custom signature is a fair amount more work, but could also be more accurate. You'll need a good understanding of reading packet captures and how datagrams are formed to make sure you grab the right data. If the signature is created too broadly you may miss out on other, similar traffic. Too narrow and you may miss the traffic if it is not consistent.

I would personally recommend submitting the application to the App-ID team. They may ask you for the packet captures so they can accurately create the signature. You can submit it here:

http://researchcenter.paloaltonetworks.com/submit-an-application/

Regards,

Greg Wesson
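
The too-broad versus too-narrow trade-off described in the reply can be checked offline against the captured payloads before any signature is configured. The following is an added example, not part of the original thread and not Palo Alto Networks code: it finds byte runs that are identical at the same offset in every captured session and drops runs that also occur in unrelated traffic. The payloads, the function names `invariant_runs`, `too_broad` and `candidates`, and the 7-byte minimum run length are assumptions made for illustration.

```python
# Added example: find byte runs that stay constant across captured sessions.
# All payloads below are constructed sample data, not a real DVR protocol.

def invariant_runs(payloads, min_len=7):
    """Return [(offset, bytes)] for runs identical at the same offset in every payload."""
    if not payloads:
        return []
    limit = min(len(p) for p in payloads)  # compare only the overlapping part
    first = payloads[0]
    runs, start = [], None
    for i in range(limit + 1):  # one extra step closes a run that reaches the end
        same = i < limit and all(p[i] == first[i] for p in payloads)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:  # short runs make overly broad patterns
                runs.append((start, first[start:i]))
            start = None
    return runs

def too_broad(pattern, unrelated):
    """True if the candidate pattern also occurs in traffic it should not match."""
    return any(pattern in other for other in unrelated)

def candidates(payloads, unrelated, min_len=7):
    """Invariant runs from the target sessions that do not hit unrelated traffic."""
    return [(off, run) for off, run in invariant_runs(payloads, min_len)
            if not too_broad(run, unrelated)]

# Constructed first client payloads from three sessions to the same service.
SESSIONS = [
    bytes.fromhex("a0010000") + b"EXAMPLEHDR" + bytes.fromhex("00000001") + b"user=alice",
    bytes.fromhex("a0010000") + b"EXAMPLEHDR" + bytes.fromhex("00000002") + b"user=bob",
    bytes.fromhex("a0010000") + b"EXAMPLEHDR" + bytes.fromhex("0000002a") + b"user=carol",
]
# Constructed payloads from other applications, used as a false-positive check.
UNRELATED = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"SSH-2.0-Example_1.0\r\n"]

if __name__ == "__main__":
    for off, run in candidates(SESSIONS, UNRELATED):
        print(f"offset {off}: {run.hex()} ({len(run)} bytes)")
```

To use it on real traffic, replace the constructed samples with the first data-bearing payload of each captured session; the more sessions and clients (browser and camera software) are included, the less likely the surviving run is too narrow.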
