Patterns in custom app signature only recognizing half the tcp port traffic

Hello All,

Kind of at my wits' end. I could sure use some assistance.

I have created some custom app-ids with signatures with success that recognize 100% of the traffic and other app-ids with signatures that fall short.

The ones that fall short only recognize 50% of the traffic, with the other half labeled as "Insufficient data."

The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point out some basic thing that I am fundamentally not doing right.

I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for.

After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic.

For the custom app-id, I made 1 Session based signature that consisted of 16 patterns. The patterns are all: 'or condition' (not ordered), "pattern match", "unknown-rec-tcp-payload", and 7 bytes in length.

When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied, with the other half of the same port traffic labeled as "Insufficient data."

I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labeled as "Insufficient data."

Originally I thought I missed some repeating client traffic request patterns but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already.

Did I miss something?

Your help and input is greatly appreciated.