Skype-probe rule catching other traffic


L1 Bithead

I have implemented the suggested Skype-Probe allow rule in order to block Skype.  I have noticed that this rule will also catch traffic that is of the Application type Incomplete and Insufficient-data.  Just curious as to why it is ending up in this rule when the only application for the rule is skype-probe.  A lot of times these non-skype-probe log entries that are caught by the skype-probe rule are associated with traffic that is blocked either by Palo Alto threat or by the endpoint protection at the workstation.

I can also see some incomplete and insufficient-data in our main user rule as well, but the majority of these seem to end up in the skype probe rule for some reason (the skype-probe rule is higher than the main user rule but it doesn't catch all of the incomplete/insufficient-data traffic).

Should I set up a special rule for the application type incomplete and insufficient-data in order to keep them together or just let them fall where they may?  (I still wonder how they end up in skype-probe though, as they don't appear related to skype based on ports used).

Thanks.

Accepted Solutions

L5 Sessionator

Here is also a brief description why that particular rule is catching incomplete or insufficient traffic.

1. The firewall allows a few packets through initially to identify the traffic as an application, and that traffic can be leaked matching any rule or the most open rule.

2. Once the traffic is leaked we try to identify it as an application.

3. Also, incomplete or insufficient-data is not an application.

4. Since the traffic passed through the firewall was either one-directional or not sufficient packets were passed through it, the firewall could not make a determination to match it to a specific rule.

5. Since that determination was not made, it showed the traffic matching the rule on which it initially leaked the packet through to make the determination of the application.

6. Moreover, unknown-udp or unknown-tcp is shown for traffic for which we do not have a signature to identify it as an application. But if that determination is never made then the application shows up as incomplete or insufficient-data.

Below is the doc which is intended to provide an overview of how to identify unknown applications on your network and what to do once they have been identified.

https://live.paloaltonetworks.com/docs/DOC-2007

Here is a doc which explains the different definitions of application when they are not determined.

https://live.paloaltonetworks.com/docs/DOC-1549

Hope this clarifies the situation furthermore and explains the behavior.

Thanks

Numan

2 Replies

L5 Sessionator

Incomplete in the application field

Incomplete means that either the three way TCP handshake did NOT complete or the three way TCP handshake did complete but there was no data after the handshake to identify the application. In other words that traffic you are seeing is not really an application.

So to explain a little clearer, if a client sends a server a syn and the Palo Alto device creates a session for that syn, but the server never sends a SYN ACK in response back to the client, then that session would be seen as incomplete.

Insufficient data in the application field

Insufficient data means that there was not enough data to identify the application. So for example, if the 3-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, you would see insufficient data in the application field of the traffic log.

So if the service is set to any we will end up catching insufficient/incomplete traffic, since we haven't seen any application traffic to identify the application and the port is wide open. So I would suggest restricting the policies by configuring ports.
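To make the two explanations in this thread concrete, here is a small Python model (an added example, not PAN-OS code and not from either reply) of how a session that never resolves to an application ends up logged on the first rule whose service matched its initial packets, and why restricting that rule's service changes where it lands. The signature table, the byte threshold, the rule names and port 40000 are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed signature table: leading payload bytes -> App-ID name.
SIGNATURES = {b"GET ": "web-browsing", b"\x16\x03\x01": "ssl"}
MIN_BYTES = 8  # constructed threshold: below this, "not enough data to decide"

@dataclass
class Rule:
    name: str
    app: str             # "any" or one App-ID
    port: Optional[int]  # None models service "any"

def classify(session):
    """Return the App-ID a traffic log would show for one TCP session.
    session = {"dport": int, "handshake": bool, "data": [bytes, ...]}"""
    if not session["handshake"] or not session["data"]:
        return "incomplete"          # no 3-way handshake, or no payload after it
    payload = b"".join(session["data"])
    for prefix, app in SIGNATURES.items():
        if payload.startswith(prefix):
            return app
    if len(payload) < MIN_BYTES:
        return "insufficient-data"   # some payload, but too little to match anything
    return "unknown-tcp"             # enough payload, but no signature for it

def match_rule(rules, session):
    """Return (rule name, app) as logged. The last rule must be a catch-all."""
    dport = session["dport"]
    # Before App-ID resolves only the service (port) is known, so the first
    # rule whose service matches "leaks" the initial packets.
    initial = next(r for r in rules if r.port in (None, dport))
    app = classify(session)
    if app in ("incomplete", "insufficient-data"):
        return initial.name, app     # never resolved: stays on the leaking rule
    # Once the app is known the policy is re-evaluated with both criteria.
    final = next(r for r in rules if r.app in ("any", app) and r.port in (None, dport))
    return final.name, app

# Constructed policy: a Skype-probe rule with service "any" above the user rule.
OPEN_POLICY = [Rule("skype-probe-allow", "skype-probe", None),
               Rule("users-web", "web-browsing", 80),
               Rule("deny-all", "any", None)]
# Same policy with the service restricted (port 40000 is a made-up value).
RESTRICTED_POLICY = [Rule("skype-probe-allow", "skype-probe", 40000),
                     Rule("users-web", "web-browsing", 80),
                     Rule("deny-all", "any", None)]

SYN_ONLY = {"dport": 80, "handshake": False, "data": []}  # constructed session
```

With OPEN_POLICY a SYN-only session to port 80 is logged on skype-probe-allow as incomplete; with RESTRICTED_POLICY the same session falls to users-web, which matches what the original post observed for its main user rule.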
