How to match custom SSL based applications

L4 Transporter

How to match custom SSL based applications

I'm trying to tag a particular application protocol that uses TLS/SSL as a security wrapper.

The most accurate way I can ID this application protocol is to match against the FQDN subjectName returned by the server during the certificate handshake.

I've set up a custom App-ID configured as:

Parent App: ssl

Port: tcp/443

Pattern Match: Context: ssl-rsp-certificate, Pattern: server\.domain\.com

but this isn't matching.  I've also tried using the Context type: ssl-rsp-server-hello and this too fails.

I have confirmed with a tcpdump that this string is present in the server response.

Any clues gratefully received!

L2 Linker

Re: How to match custom SSL based applications

show session all filter source x.x.x.x destination y.y.y.y

What does the application get identified as?

Maybe try:

Pattern Match: Context: ssl-rsp-certificate, pattern server.domain\.com

L1 Bithead

Re: How to match custom SSL based applications


I have to solve the same problem: identifying an internal application using the SSL certificate CN, but defining a custom application, overriding the ssl app and matching ssl-rsp-certificate doesn't work.

Any other idea to use the certificate CN to identify a web-based SSL application?



Sébastien B.

Soft ver. 3.1.4 and up-to-date app-thread pack.
