So trying to further classify RPC data as the correct type of RPC data based on program number (300029 in this case). Not trying to re-invent the wheel though on how PA already correctly classifies it as RPC data, curious if there is a way in a custom App-ID to say something like "If known_existing_app AND XYZ then new_custom_app_ID", i.e. "If RPC and magic_bytes=300029 then Custom_App, not RPC". The existing RPC detection does a better job than I can ever hope to manually recreate off the top of my head, woud like to reutilize it. [and if not a way to reference it, there a way to look at the actual signature so I could copy it]
... View more