05-19-2011 10:06 AM
I'm trying to tag a particular application protocol that used TLS/SSL as a security wrapper.
The most accurate way I can ID this application protocol is to match against the FQDN subjectName returned by the server during the certificate handshake.
I've setup a custom App-ID configured as:-
Parent App: ssl
Port: tcp/443
Pattern Match: Context: ssl-rsp-certificate, Pattern: server\.domain\.com
but this isn't matching. I've also tried using the Context type: ssl-rsp-server-hello and this too fails.
I have confirmed with a tcpdump that this string is present in the server response.
Any clues greatfully received!
06-06-2011 08:27 PM
show session all filter source x.x.x.x destination y.y.y.y
What does the application get identified as?
Maybe try:
Pattern Match: Context: ssl-rsp-certificate, pattern server.domain\.com
08-19-2011 08:51 AM
Hi,
I have to solve the same problem : identifing an internal application using ssl certificate CN, but defining a custom application, overriding ssl app and matching ssl-rsp-certificate don't work.
Any other idea to use certificate CN to identify a web-based ssl application ?
Regards,
--
Sébastien B.
Soft ver. 3.1.4 and up-to-date app-thread pack.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
