- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-31-2017 08:43 PM
Anyone know where I might find an in depth tutorial on creating a more advanced custom application? The tutorials I've found have all been HTTP related, which is great, but I was hoping to find something that did something a little more complex like something that used TCP and/or UDP signatures.
Thanks!
08-01-2017 02:04 AM
Hi @jsalmans
The tutorials are examples for what you can do with the app-ID engine and custom applications. In my opinion it also makes more sense to write tutorials which could be reproduced by everyone - so probably the best is http. A tutorial for one specific application that almost nobody uses is nice to read, but the learning effect will be much smaller without the practice tests.
But if you understood these tutorials it will not be more complex to write your own sigatures for your own applications.
It all starts with a packet capture and finding patterns in the traffic that you can use in the signature. There you can use what you have learned in the tutorials 😉
08-01-2017 05:35 AM
as @Remo mentions, all the tutorials are written with the largest usability and best readability in mind as most basic applications will be for http
once you want to expand into more complex apps, having a good understanding of how a http custom app works will provide a good basis for any other app as all the principles are the same
the 'context' provides you with a set of precreated protocols and types (dhcp, dns, imap,...) and also unknown-req|rsp-udp|tcp-payload for anything not in the list
after that it boils down to what you are looking for (hex, binary, size, count, ...)
if you have something specific and can share an example i'm sure we can help you with creating an app and if it turns out something really interesting i could make it into a tutorial too 😉
08-01-2017 08:23 AM - edited 08-01-2017 08:25 AM
I've got several I've looked at tackling:
08-02-2017 06:00 AM
Custom apps are great, but if you're seeing legitimate (commonly used on the internet) applications we don't have an app for yet, you can always submit your findings so an app can be created for this : Submit an Application
for autodesk: if all that is changed is the default ports, you could try creating a custom app with autodesk as parent and then set the 'other-than-normal' ports in the port config
in regards to Blackboard transact: we don't need to 'tear appart' their packets, at best we decrypt the ssl encapsulation and look inside but we don't do destructive stuff to their flow 🙂 (unless they have client and server certificates in which case you can't simply decrypt)
gaming apps, I admit, are tricky as most online multiplayer games rely on UPNP which is very firewall-unfriendly and many game developers seem to have their own take on internet protocols, the feature request should help resolve that issue
if you can identify the game servers it's easy to create app overrides for traffic headed there to force a specific timeout, or you can submit pcaps to the submit-an-app if we dont have a signature for the gaming service yet which might help too
08-03-2017 06:44 AM
@reaper when using that method is it necessary to add signatures or will it inherit from the parent app?
Thanks!
08-03-2017 08:05 AM
any signatures you can add will improve the hit-rate but you can try without
08-03-2017 11:05 AM
Will do.
This is a good example of what I was thinking earlier... it would be really informative if there was another tab on the Application Object GUI that allowed you to see the signatures that it is working off of even if they were not-editable (most of the stuff in the pre-built applications isn't anyways). If I could see how some of the existing applications are identified with the signatures they've been set up with it might make learning to make custom ones a bit easier.
I don't know if that is proprietary information or anything. Of course I also really appreciate the app request process... if I can get some good packet captures for some of this stuff I may go ahead and take advantage of that.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!