This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Custom application tutorials?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom application tutorials?

jsalmans
L4 Transporter

‎07-31-2017 08:43 PM

Anyone know where I might find an in depth tutorial on creating a more advanced custom application?  The tutorials I've found have all been HTTP related, which is great, but I was hoping to find something that did something a little more complex like something that used TCP and/or UDP signatures.

 

Thanks!

0 Likes Likes
7 REPLIES 7

Remo
L7 Applicator

‎08-01-2017 02:04 AM

Hi @jsalmans

 

The tutorials are examples for what you can do with the app-ID engine and custom applications. In my opinion it also makes more sense to write tutorials which could be reproduced by everyone - so probably the best is http. A tutorial for one specific application that almost nobody uses is nice to read, but the learning effect will be much smaller without the practice tests.

But if you understood these tutorials it will not be more complex to write your own sigatures for your own applications. 

It all starts with a packet capture and finding patterns in the traffic that you can use in the signature. There you can use what you have learned in the tutorials 😉

 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to Remo

‎08-01-2017 05:35 AM

as @Remo mentions, all the tutorials are written with the largest usability and best readability in mind as most basic applications will be for http

once you want to expand into more complex apps, having a good understanding of how a http custom app works will provide a good basis for any other app as all the principles are the same

 

the 'context' provides you with a set of precreated protocols and types (dhcp, dns, imap,...) and also unknown-req|rsp-udp|tcp-payload for anything not in the list

after that it boils down to what you are looking for (hex, binary, size, count, ...)

 

if you have something specific and can share an example i'm sure we can help you with creating an app and if it turns out something really interesting i could make it into a tutorial too 😉

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

jsalmans
L4 Transporter
In response to reaper

‎08-01-2017 08:23 AM - edited ‎08-01-2017 08:25 AM

Hi @Remo and @reaper

 

I've got several I've looked at tackling:

 

  • Autodesk FlexLM:  A lot of this traffic actually uses flexnet-publisher but Autodesk uses their own customized version of this that uses ports outside of the standard flexnet-publisher list.  Currently I'm running into the issue that the client Autodesk software wants to run a port scan against the server to see which ports are available and my Palo Alto is allowing the traffic but then is blocking the IP due to port scan behavoir.  I'm probably going to post something about this shortly to get some feedback on what others have done in this type of situation.

  • Blackboard Transact:  I believe there is already a blackboard application for the online learning software they offer but Transact is another of their products that handles communication for things like their PoS registers, card access door readers, a piece of software that allows administrators to manage the register menus, etc.  I should note on this one that I've contacted their support asking for anything in their network stack that could be used as a unique signature for a next-gen firewall... once I got in contact with someone who understood the request, I was told there isn't anything like that and their software can't handle middle man applications tearing apart and reconstructing the packets.   Instead they advised me to treat their traffic just like I would have on the ASA (i.e. no application identity or security assessment so basically an app override).

  • Gaming traffic:  As I've posted before, we've run into some issues with several types of multiplayer games.  I'm investigating other solutions while our feature request for additional DIPP-style NAT options is considered but I liked the idea of being able to come up with applications for some of these games that might need longer session timeouts without necessarily setting the global for unknown TCP or UDP.
0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jsalmans

‎08-02-2017 06:00 AM

Custom apps are great, but if you're seeing legitimate (commonly used on the internet) applications we don't have an app for yet, you can always submit your findings so an app can be created for this : Submit an Application

 

for autodesk: if all that is changed is the default ports, you could try creating a custom app with autodesk as parent and then set the 'other-than-normal' ports in the port config

 

autodesk.png

 

in regards to Blackboard transact: we don't need to 'tear appart' their packets, at best we decrypt the ssl encapsulation and look inside but we don't do destructive stuff to their flow 🙂 (unless they have client and server certificates in which case you can't simply decrypt)

 

 

gaming apps, I admit, are tricky as most online multiplayer games rely on UPNP which is very firewall-unfriendly and many game developers seem to have their own take on internet protocols, the feature request should help resolve that issue

if you can identify the game servers it's easy to create app overrides for traffic headed there to force a specific timeout, or you can submit pcaps to the submit-an-app if we dont have a signature for the gaming service yet which might help too

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

jsalmans
L4 Transporter
In response to reaper

‎08-03-2017 06:44 AM

@reaper when using that method is it necessary to add signatures or will it inherit from the parent app?

 

Thanks!

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to jsalmans

‎08-03-2017 08:05 AM

any signatures you can add will improve the hit-rate but you can try without

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

jsalmans
L4 Transporter
In response to reaper

‎08-03-2017 11:05 AM

Will do.

 

This is a good example of what I was thinking earlier... it would be really informative if there was another tab on the Application Object GUI that allowed you to see the signatures that it is working off of even if they were not-editable (most of the stuff in the pre-built applications isn't anyways).  If I could see how some of the existing applications are identified with the signatures they've been set up with it might make learning to make custom ones a bit easier.

 

I don't know if that is proprietary information or anything.  Of course I also really appreciate the app request process... if I can get some good packet captures for some of this stuff I may go ahead and take advantage of that.

0 Likes Likes
  • 3773 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks