This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Building a custom signature

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Building a custom signature

JRussell
L3 Networker

‎12-03-2012 03:16 AM

Hi there,

I have some DVR CCTV cameras on some other sites that I need to be able to view within my network behind the PA box. At the moment I have been able to get them access by doing a security rule allowing access from certain users/IP's to the IP addresses of said DVR's onsite. However, I have not been able to lock these down very much. At the moment they are allowed any application and any service on this rule. I tried to create a application and service based of the port it was using (port 37777), but even though I created this application with that port the traffic is still coming up as Unknown-TCP on my traffic logs when using a browser to view. But when using the remote camera software to view it was showed as Incomplete, even though it works fine.

My question is. A few of those packets were captured by Palo Alto box. How could I create a signature from those packet captures? Or what would the easiest way be to create a application that I could use for this security rule to lock it down a bit more?

0 Likes Likes
1 REPLY 1

gwesson
L7 Applicator

‎12-04-2012 09:27 AM

You could use an Application Override policy to force the 37777 port traffic to/from that range of IPs to your custom application. Creating a custom signature is a fair amount more work, but could also be more accurate. You'll need a good understanding of reading packet captures and how datagrams are formed to make sure you grab the right data. If the signature is created too broadly you may miss out on other, similar traffic. Too narrow and you may miss the traffic if it is not consistent.

I would personally recommend submitting the application to the App-ID team. They may ask you for the packet captures so they can accurately create the signature. You can submit it here:

http://researchcenter.paloaltonetworks.com/submit-an-application/

Regards,

Greg Wesson

  • 1852 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks