Kind of at my wits end. I could sure use some assistance.
I have created some custom app-ids with signatures with success that recognize 100% of the traffic and other app-ids with signatures that fall short.
The ones that fall short only recognize 50% of the traffic, with the other half labeled as "Insufficient data."
The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point out some basic thing that I am fundamentally not doing right.
I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for.
After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic.
For the custom app-id, I made 1 Session based signature that consisted of 16 patterns. The patterns are all: 'or condition' (not ordered), "pattern match", "unknown-rec-tcp-payload", and 7 bytes in length.
When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied, with the other half of the same port traffic labeled as "Insufficient data."
I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labeled as "Insufficient data."
Originally I thought I missed some repeating client traffic request patterns but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already.
Did I miss something?
Your help and input is greatly appreciated.
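As an added example (not part of the post, and not the poster's real patterns or captures), the following Python check emulates the OR-condition set of 7-byte client-payload patterns described above over constructed sessions and reports, per session, which pattern matched, in which client packet and at what byte offset. One constructed session has a pattern split across two client payloads, so a per-payload search never sees it; the pattern bytes and session data are made up.

```python
# Added example: emulate an OR-condition set of 7-byte client-payload patterns
# over constructed TCP sessions. Patterns and sessions are constructed; they are
# not the poster's real signature or captures.

PATTERNS = [b"\x00\x07REQ01", b"\x00\x07REQ02", b"\x00\x07HELLO"]  # constructed, 7 bytes each


def first_match(client_payloads, patterns=PATTERNS):
    """Return (packet_index, offset, pattern) for the earliest match across the
    client->server payloads of one session, or None if no pattern occurs."""
    for idx, payload in enumerate(client_payloads):
        hits = [(payload.find(p), p) for p in patterns if p in payload]
        if hits:
            offset, pattern = min(hits)
            return idx, offset, pattern
    return None


def classify_sessions(sessions, patterns=PATTERNS):
    """Group sessions by where the first OR-match appears. A session with no
    match at all cannot be identified by this pattern set; a session whose first
    match is not in the first client payload is worth a closer look as well."""
    report = {"no_match": [], "match_first_packet": [], "match_later_packet": []}
    for name, payloads in sessions.items():
        m = first_match(payloads, patterns)
        if m is None:
            report["no_match"].append(name)
        elif m[0] == 0:
            report["match_first_packet"].append((name, m[1], m[2]))
        else:
            report["match_later_packet"].append((name, m[0], m[1], m[2]))
    return report


# Constructed sessions: each value is the ordered list of client->server payloads.
SESSIONS = {
    "sess-a": [b"\x00\x07REQ01\x00\x10data", b"\x00\x07REQ02more"],
    "sess-b": [b"keepalive", b"\x00\x07HELLO\x01"],
    # The 7-byte pattern is split across two segments, so no single payload holds it.
    "sess-c": [b"\x00\x07REQ0", b"1\x00\x10data"],
}

if __name__ == "__main__":
    for bucket, items in classify_sessions(SESSIONS).items():
        print(bucket, items)
```

Running it against payloads extracted from the "Insufficient data" sessions shows which sessions the pattern set never matches as a whole payload, and where in the session the first match lands for the others.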