Custom signature for unknown tcp


L0 Member

[Image: 20180305_161025.jpg]

This is a capture from TCP traffic.

I want to make a custom app ID because in my log it says my application is an unknown-TCP application.

How can I get the signature from the digits (image)?

Can someone tell me or give me tips on how I should make a custom app ID from a packet capture?

Thanks!

3 REPLIES

L7 Applicator

Could you share PCAPs of this application, preferably from a few different sessions?  That would make it much easier to create a custom signature.  

 

Another option is to create an "empty" AppID (essentially an AppID without a Layer-7 signature).  Then you can create an App-Override policy that maps traffic to your custom application server (using both IP Address & TCP Port #) to your newly-created AppID.  

 

Cyber Elite

@oguzhan-sanatci,

As @jvalentine pointed out, you'll need to provide PCAPs of the traffic to help build the signature, or you can create a custom application. Within the application you would simply give it any Properties that you actually want it to have, set the default ports if desired, and then leave the actual 'Signature' section empty. 

You can then build an application override policy that lets you specify a wide range of information. If you know that an internal source reaching out to a specific destination server over tcp 41794-41795 is going to be your custom application you can build a policy for that and it will simply map that traffic to the custom application ID that you created. 

L0 Member

@BPry @jvalentine
Thank you both for the fast reply. This morning I've solved the problem by picking the right hex digits.
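
An added example, not part of the original thread: one way to see why captures from several sessions help when picking hex digits for a signature is to compare the first payload of each session and keep only the bytes that sit at the same offset in all of them. The payloads, the `ACMECTL` marker and the 7-byte minimum are constructed assumptions for illustration.

```python
# Constructed sample data: the first client payload of three sessions of a
# made-up protocol. These bytes are not taken from the capture in the thread.
SESSIONS = [
    bytes.fromhex("02001a2b") + b"\x7fACMECTL\x01\x00" + bytes.fromhex("9911"),
    bytes.fromhex("020077c0") + b"\x7fACMECTL\x01\x00" + bytes.fromhex("03fe12"),
    bytes.fromhex("0200e405") + b"\x7fACMECTL\x01\x00" + bytes.fromhex("5a"),
]


def stable_runs(payloads, min_len=7):
    """Return (offset, bytes) runs that are identical at the same offset in
    every payload. min_len is an assumed minimum pattern length; use the
    value your platform documents."""
    if len(payloads) < 2:
        # One session cannot show which bytes are constant and which are
        # per-session values (ids, lengths, timestamps).
        raise ValueError("need payloads from at least two sessions")
    limit = min(len(p) for p in payloads)
    first = payloads[0]
    runs, start = [], None
    for i in range(limit + 1):  # one extra step to close a run at the end
        same = i < limit and all(p[i] == first[i] for p in payloads)
        if same and start is None:
            start = i
        elif not same and start is not None:
            if i - start >= min_len:
                runs.append((start, first[start:i]))
            start = None
    return runs


def best_candidate(payloads, min_len=7):
    """Pick the longest stable run and return (offset, hex string), or None."""
    runs = stable_runs(payloads, min_len)
    if not runs:
        return None
    offset, data = max(runs, key=lambda r: len(r[1]))
    return offset, data.hex()


if __name__ == "__main__":
    print(best_candidate(SESSIONS))
```

Bytes that differ between sessions are exactly the ones to keep out of a signature; if no run survives the comparison, the empty-signature application plus an override policy described in the replies is the fallback.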
