How to match custom SSL based applications


L4 Transporter

I'm trying to tag a particular application protocol that uses TLS/SSL as a security wrapper.

The most accurate way I can ID this application protocol is to match against the FQDN subjectName returned by the server during the certificate handshake.

I've set up a custom App-ID configured as:

Parent App: ssl

Port: tcp/443

Pattern Match: Context: ssl-rsp-certificate, Pattern: server\.domain\.com

but this isn't matching.  I've also tried using the Context type: ssl-rsp-server-hello and this too fails.

I have confirmed with a tcpdump that this string is present in the server response.

Any clues gratefully received!

2 REPLIES

L2 Linker

show session all filter source x.x.x.x destination y.y.y.y

What does the application get identified as?

Maybe try:

Pattern Match: Context: ssl-rsp-certificate, pattern server.domain\.com

Hi,

I have to solve the same problem: identifying an internal application using the SSL certificate CN, but defining a custom application, overriding the ssl app and matching ssl-rsp-certificate doesn't work.

Any other idea to use the certificate CN to identify a web-based SSL application?

Regards,

--

Sébastien B.

Soft ver. 3.1.4 and up-to-date app-threat pack.
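Added example, not part of the original thread or of any vendor tooling: a standard-library Python check of which plaintext handshake message in a server's TLS byte stream contains the certificate name, which is what the tcpdump check in the first post establishes by eye. The sample streams, helper names and the cut-down certificate fragment are constructed for illustration; the second sample shows that when everything after ServerHello is encrypted (as in TLS 1.3), there is no certificate on the wire for a pattern to match.

```python
import re
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
NAMES = {2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def handshake_messages(stream: bytes):
    """Yield (type, body) for each plaintext handshake message in a server stream.

    A message can span several records, so record payloads are joined before
    the 4-byte handshake headers (type + 24-bit length) are parsed.
    """
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE:
            break  # first non-handshake record; after ChangeCipherSpec the rest is encrypted
        buf += stream[pos + 5 : pos + 5 + length]
        pos += 5 + length
    off = 0
    while off + 4 <= len(buf):
        mlen = int.from_bytes(buf[off + 1 : off + 4], "big")
        yield buf[off], buf[off + 4 : off + 4 + mlen]
        off += 4 + mlen

def where_pattern_matches(stream: bytes, pattern: bytes):
    """Return the names of the handshake messages whose body matches the regex."""
    rx = re.compile(pattern)
    return [NAMES.get(t, f"type {t}") for t, body in handshake_messages(stream)
            if rx.search(body)]

# --- Constructed sample data (not a capture; the name is the thread's placeholder) ---
def _hs(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# commonName attribute only (OID 2.5.4.3 + UTF8String), standing in for a certificate
CN_ATTR = b"\x06\x03\x55\x04\x03\x0c\x11server.domain.com"
HELLO = _hs(2, b"\x03\x03" + bytes(32))
FLIGHT = HELLO + _hs(11, bytes(6) + CN_ATTR) + _hs(14, b"")
# Plaintext flight with the Certificate message split across two records, mid-name
PLAINTEXT = _rec(22, FLIGHT[:60]) + _rec(22, FLIGHT[60:])
# TLS 1.3 shape: everything after ServerHello travels as encrypted records
ENCRYPTED = _rec(22, HELLO) + _rec(20, b"\x01") + _rec(23, bytes(64))

if __name__ == "__main__":
    print(where_pattern_matches(PLAINTEXT, rb"server\.domain\.com"))
    print(where_pattern_matches(ENCRYPTED, rb"server\.domain\.com"))
```

To run it on real traffic, pass the reassembled server-to-client TCP payload of one connection as `stream`.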
