I have a warehouse management system, and I need to identify the traffic from the WMS client.
Here is a section of the tcp stream from a packet capture:
V103^46^^~0~~0~~-1^=^002050^get encryption information
V104^73^2^^^66^^^~0~~0~~-1^=^002306^list comp versions where base_prog_id = 'Dlx'
I found a pattern unique to the client that is presented at login. So, I created a custom app and set the signature to look for the following pattern: .*(list comp versions where base_prog_id = 'Dlx'), which I applied to the 'Session' scope. This signature successfully matches the client logins. Unfortunately, once logged in, additional new connections initiated from the client are identified as 'unknown tcp', presumably because they do not contain the login pattern.
Unfortunately, there does not appear to be anything consistent that I can create a single pattern for to identify every piece of data sent. I would have thought that finding a match at login and identifying the traffic to the 'session' once would be sufficient. I opened a case with support a week ago, but they are not going to help. Any ideas or suggestions?
Your SE (Sales Engineer) should be able to help you with this.
What did the support say regarding not helping you with creating this custom app?
Otherwise there is a URL to send in new app requests.
Edit: http://www.paloaltonetworks.com/researchcenter/tools/ and click on "Submit an App".
These are direct quotes from the case that is currently open with support (though in the 'Pending Close' status, since they have technically suggested a resolution of getting the app added through an SE)
"Unfortunately us on the support side aren't able to help very much with app creation and pattern matching. It seems like you have a good understanding of how to create the app and do basic pattern matching.
You do have a couple of options:
1. You can contact your Sales Engineer and have him submit a request for the application.
2. You can also submit the application for creation"
"I'm sorry there isn't more I can do from the support side. Due to liability issues we are unable to help in the pattern matching and creation of the app. Besides the two alternative options I sent earlier, speaking with the SE, or submitting the app on our site, you can also go to the following link:
This is a forum where you can post your problem and questions. Many Palo Alto project managers monitor this forum, so this could be another way for you to get help in the app's creation and pattern matching."
>>> I would have thought that finding a match at login and identifying the traffic to the 'session' once would be sufficient.
This is true if all the traffic that follows happens on that initial session, not if it happens on a new session. Each new session is processed independently, so you will require a pattern to search on it.
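The per-session behaviour described in the reply above, as an added example that is not part of the original thread or of any Palo Alto Networks tooling: each TCP session's payload is matched against the signature on its own, so a login-only pattern classifies the login session and leaves later sessions as 'unknown tcp'. The two payload lines for session 1 are the ones quoted in the question; sessions 2 and 3, the app name "wms-client" and the broader prefix pattern `\AV\d{3}\^` are constructed for illustration only, and the coverage() helper is how one would check any candidate pattern against every session of the real capture before deploying it.

```python
import re

# Constructed sample: the first payload bytes seen on each TCP session from
# the WMS client. Session 1 reuses the two lines quoted in the question;
# sessions 2 and 3 are made up to stand in for post-login connections.
SESSIONS = {
    1: "V103^46^^~0~~0~~-1^=^002050^get encryption information\n"
       "V104^73^2^^^66^^^~0~~0~~-1^=^002306^list comp versions where base_prog_id = 'Dlx'\n",
    2: "V105^40^^~0~~0~~-1^=^002400^list locations\n",   # constructed
    3: "V106^38^^~0~~0~~-1^=^002510^pick confirm\n",      # constructed
}

# The signature from the question, applied with 'Session' scope.
LOGIN_SIGNATURE = re.compile(r".*(list comp versions where base_prog_id = 'Dlx')")

# Hypothetical broader candidate derived from the two quoted lines only
# (every record starts with a 'V' + three digits + '^' header). Whether this
# holds across the whole real capture is exactly what coverage() must verify.
CANDIDATE_PREFIX = re.compile(r"\AV\d{3}\^")


def classify_session(payload: str,
                     signature: re.Pattern = LOGIN_SIGNATURE,
                     app_name: str = "wms-client") -> str:
    """Model of per-session App-ID: a session is tagged with the custom app
    only if its own payload matches the signature; otherwise it stays
    'unknown tcp'. A match on another session does not carry over."""
    return app_name if signature.search(payload) else "unknown tcp"


def classify_all(sessions: dict, signature: re.Pattern = LOGIN_SIGNATURE) -> dict:
    """Classify every session independently, mirroring how each new TCP
    session is processed on its own by the firewall."""
    return {sid: classify_session(payload, signature)
            for sid, payload in sessions.items()}


def coverage(signature: re.Pattern, sessions: dict) -> set:
    """Return the ids of the sessions a candidate pattern would identify.
    Run this over every client session in the capture before committing a
    pattern; a set smaller than all session ids means 'unknown tcp' leaks."""
    return {sid for sid, payload in sessions.items() if signature.search(payload)}


if __name__ == "__main__":
    print("login-only signature:", classify_all(SESSIONS))
    print("sessions covered by login signature:", coverage(LOGIN_SIGNATURE, SESSIONS))
    print("sessions covered by candidate prefix:", coverage(CANDIDATE_PREFIX, SESSIONS))
```

With the login-only signature, only session 1 is identified; the candidate prefix covers all three constructed sessions, but that says nothing about the real traffic until the same check is run over every client session in the actual packet capture.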