Create a Custom Application Signature

Follow these steps to build a custom application.
To create a custom application signature, you must do the following:
  • Research the application using packet capture and analyzer tools
  • Identify patterns in the packet captures
  • Build your signature
  • Validate your signature
Custom application signatures require you to specify the Scope (how your signature is applied to the traffic), the Context (the portion of the file or protocol where you expect to find your pattern), the Pattern, and the Operator (Pattern Match for string contexts and Greater Than, Less Than, or Equal To for integer-based contexts).
  1. Research the application using packet capture and/or analyzer tools.
    • You should understand how you’d like to control the application before all else. Do you want to limit application functionality? Create a usage report? You’ll want to examine the contents of packet captures to gather context and identify unique characteristics of the application.
      Consider using a tool such as Wireshark, or perform a packet capture on the firewall itself (see Take a Packet Capture for Unknown Applications).
    1. Perform multiple packet captures between the client system and web server.
      Generate traffic for various application scenarios once you have launched the capture tool. For example, if you wanted to create a signature for ‘uploading’ on uploading.com, you would upload a file on that site.
      Multiple sessions might be created for the different actions performed in the application. You will need to locate and inspect each type of session in the resulting packet captures.
    2. Inspect packet captures for values or patterns that uniquely identify the application or application function.
      For example, after you uploaded a file to uploading.com, you would look for HTTP POST request packets in the sessions captured by your packet analyzer tool. Then, you would examine the packet contents for patterns.
  2. Create the custom application.
    1. Select Objects > Applications and click Add.
    2. Under Configuration, enter a name and optional description for the application. Specify the application’s Properties and Characteristics.
      • If your custom application has no Parent App that can be identified by regular App-ID or is used in an application override, the application cannot be scanned for threats.
      • If the custom application has scanning options unchecked, the threat engine will stop inspecting the traffic as soon as the custom application is identified.
    3. Under Advanced, define settings that will allow the firewall to identify the application protocol:
      • Specify the default ports or protocol that the application uses. To specify signatures independent of protocol, select None.
      • Specify the session timeout values. If you don’t specify timeout values, the default timeout values will be used.
      • Indicate any type of additional scanning you plan to perform on the application traffic.
  3. Define your signature.
    Multiple signatures may be necessary to account for all traffic specific to the application.
    1. Under Signatures, click Add and enter a Signature Name and optional description.
    2. Specify the Scope: select between Transaction (e.g. HTTP request and response) or Session (e.g. a single POST request).
    3. Specify the matching conditions by clicking Add And Condition or Add Or Condition.
    4. Select an Operator to define the conditions that must be true for a signature to match traffic.
      • If you select Pattern Match, select a Context and then use a regular expression to specify the Pattern. Optionally, Add a qualifier/value pair.
      • Qualifiers are context-dependent and limit the match condition for the given context. For example, you might use the http-method qualifier to specify that an http-req-uri-path only matters if it is found inside an HTTP GET method.
      • If you select Equal To, Less Than, or Greater Than, select an integer Context, and enter a Value.
    5. Repeat sub-steps 3 and 4 for each matching condition.
      If you leave Ordered Condition Match selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click Move Up or Move Down.
      You cannot move conditions from one group to another.
  4. Save the custom signature.
    1. Click OK to save your signature definition.
    2. Commit your signature.
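
Before committing, a candidate signature can be checked offline against labelled requests taken from the packet captures. The following is an added example, not part of the original documentation or the vendor's tooling: it models AND conditions with an http-method qualifier and reports which samples a candidate gets wrong. Assumptions: the sample requests and paths are constructed, the http-req-host-header context name is not taken from this page, and Python's `re` only approximates the firewall's pattern syntax.

```python
import re

# Constructed requests standing in for packet-capture payloads; the labels say
# which application function produced each one. Paths and hosts are made up.
SAMPLES = [
    ("upload", b"POST /files/upload/ HTTP/1.1\r\nHost: uploading.com\r\n\r\n"),
    ("upload", b"POST /files/upload/?sid=9f HTTP/1.1\r\nHost: www.uploading.com\r\n\r\n"),
    ("browse", b"GET /files/upload/ HTTP/1.1\r\nHost: uploading.com\r\n\r\n"),
    ("other", b"POST /files/upload/ HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

# Candidate signature as (context, pattern, qualifiers). All conditions must
# match (AND); a qualifier restricts its condition to requests with that value.
SIGNATURE = [
    ("http-req-host-header", r"uploading\.com", {}),
    ("http-req-uri-path", r"/files/upload/", {"http-method": "POST"}),
]

def contexts(raw):
    """Split one HTTP request into the fields the signature contexts refer to."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in header_lines)}
    return {"http-method": method,
            "http-req-uri-path": target.partition("?")[0],
            "http-req-host-header": headers.get("host", "")}

def matches(signature, ctx):
    """True when every condition's qualifiers hold and its pattern is found."""
    return all(
        all(ctx[q] == v for q, v in quals.items()) and re.search(pattern, ctx[name])
        for name, pattern, quals in signature)

def evaluate(signature, samples, wanted="upload"):
    """Return (missed, false_hits): indexes of samples the signature gets wrong."""
    missed, false_hits = [], []
    for i, (label, raw) in enumerate(samples):
        hit = matches(signature, contexts(raw))
        if label == wanted and not hit:
            missed.append(i)
        elif label != wanted and hit:
            false_hits.append(i)
    return missed, false_hits

if __name__ == "__main__":
    print("both conditions:", evaluate(SIGNATURE, SAMPLES))
    print("host only:      ", evaluate(SIGNATURE[:1], SAMPLES))
    print("path only:      ", evaluate(SIGNATURE[1:], SAMPLES))
```

Dropping either condition produces a false hit on the constructed samples, which is the kind of over-broad match to look for when validating the signature on the firewall.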
