Hello All, kind of at my wit's end. I could sure use some assistance. I have created some custom app-ids with signatures with success that recognize 100% of the traffic, and other app-ids with signatures that fall short. The ones that fall short only recognize 50% of the traffic, with the other half labeled as "Insufficient data." The description that I am giving is more about the process of how I am trying to accomplish this. Hopefully you can point out some basic thing that I am fundamentally not doing right.

I have created packet captures from the Palo Alto firewall of all the custom tcp port traffic that I need to make custom app-ids with pattern signatures for. After analyzing the tcp sessions in the .pcap files in Wireshark, I found about 16 repeating patterns in the client data payload requests to the server for a particular custom tcp port traffic. For the custom app-id, I made 1 Session-based signature that consisted of 16 patterns. The patterns are all: 'or condition' (not ordered), "pattern match", "unknown-rec-tcp-payload", and 7 bytes in length.

When I commit the changes and monitor the traffic, the traffic I created the custom app-id for recognizes about 50% of the traffic with my custom app-id label correctly applied, with the other half of the same port traffic labeled as "Insufficient data." I have created additional packet captures and analyzed all the tcp port client request payloads of all the tcp sessions labeled as "Insufficient data." Originally I thought I missed some repeating client traffic request patterns, but the thing is, they all have payloads with the patterns that I have entered into my custom app-id signature already. Did I miss something? Your help and input is greatly appreciated.
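As an added example (not from the original post and not a Palo Alto tool), here is a small Python script that reproduces the poster's check offline: for each captured TCP session it takes the client-to-server data segments, reassembles them in sequence order, and reports where each of the signature's 7-byte patterns occurs, both per segment and in the reassembled stream. The pattern values, the session contents and the (sequence number, payload) representation are constructed; a real run would be fed the per-segment client payloads exported from the .pcap. It separates the cases a practitioner wants to tell apart: pattern present in a single segment, pattern split across two segments (invisible in a per-packet view), client payload too short to contain any pattern, and a capture with missing bytes.

```python
# Added example (not from the post): offline check of which 7-byte client-request
# patterns occur in each captured TCP session's client->server payload.
# Patterns and sessions below are constructed stand-ins for the real capture data.

PATTERNS = [b"REQ0001", b"REQ0002", b"HELLO01"]  # constructed 7-byte patterns


def reassemble(segments):
    """Join client->server segments in TCP sequence order.

    segments: list of (relative_seq, payload_bytes), one entry per data segment.
    Returns (stream, gap); gap is True if a sequence hole was seen, meaning the
    capture is missing bytes and the stream is not trustworthy across the hole.
    """
    stream, nxt, gap = bytearray(), None, False
    for seq, payload in sorted(segments):
        end = seq + len(payload)
        if nxt is not None:
            if seq > nxt:
                gap = True                       # hole: bytes never captured
            elif seq < nxt:
                payload = payload[nxt - seq:]    # retransmission: skip bytes seen
        stream += payload
        nxt = max(nxt or 0, end)
    return bytes(stream), gap


def check_session(session_id, segments):
    """Report per-segment hits and reassembled-stream hits for one session."""
    stream, gap = reassemble(segments)
    segment_hits = [(i, p) for i, (_, payload) in enumerate(sorted(segments))
                    for p in PATTERNS if p in payload]
    stream_hits = {p: stream.find(p) for p in PATTERNS if p in stream}
    return {"session": session_id, "client_bytes": len(stream), "gap": gap,
            "segment_hits": segment_hits, "stream_hits": stream_hits}


# Constructed sessions: (relative TCP seq, client payload) per data segment.
SESSIONS = {
    "A-whole": [(1, b"REQ0001 get item 17")],              # pattern in one segment
    "B-split": [(1, b"xxxREQ0"), (8, b"002 get item 9")],  # pattern straddles segments
    "C-short": [(1, b"REQ")],                              # client sent too little
    "D-hole":  [(1, b"HELLO01"), (40, b"more")],           # capture missing bytes
}

if __name__ == "__main__":
    for sid, segs in SESSIONS.items():
        r = check_session(sid, segs)
        print(sid, "bytes=%d gap=%s segments=%s stream=%s" % (
            r["client_bytes"], r["gap"], r["segment_hits"], r["stream_hits"]))
```

Sessions that show a hit only in the reassembled stream, or no hit and very few client bytes, are the ones worth comparing against the firewall's per-session verdict.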