Who Me Too'd this topic

Custom APP-ID

L0 Member

I have deployed a new application on our network and found that this application has some communications that take place on TCP-2000. Normally this port is used by cisco-sccp. The data that is being passed is not normal "cisco-sccp" protocol traffic, and thus my PA-400 is not permitting the traffic to pass through it. I have started writing a custom APP-ID for this traffic. I have defined on the Configuration tab a Name, Category, Subcategory, Technology, Sub-App, and Risk. On the Advanced tab I have defined that this traffic is on port TCP-200. I have committed this to the router, but it is still not correctly identifying this traffic. So I have gone in and tried to write a custom signature for this traffic. Reading through your documentation, the only signature that I can use is "unknown-rsp-tcp-payload". The problem is the payload is only one byte in size. According to my pcap, the 1 byte payload is e4. I have written a regex of [a-f]|[A-F][0-9]. The problem is that when I go to save this, the PA software errors out as my signature does not meet the 7 bytes minimum.

How can I write a rule that is 7 bytes in length, when the payload I am trying to match is only 1 byte in length? The host that is sending me this traffic I can fully trust, so if there is a way to tell the PA to permit all traffic from this host, that would be great, but from my reading this is not possible as the PA is an application firewall, not port based.

I need to allow this traffic to pass. I have a pcap that I can post for your review showing this payload and headers.
