Create a Custom Application Signature

Follow these steps to build a custom application.
To create a custom application signature, you must do the following:
  • Research the application using packet capture and analyzer tools
  • Identify patterns in the packet captures
  • Build your signature
  • Validate your signature
Custom application signatures require you to specify the
Scope
—how your signature is applied to the traffic,
Context
—the portion of the file or protocol where you expect to find your pattern, the
Pattern
, and the
Operator
(
Pattern Match
for string contexts and
Greater Than
,
Less Than
, or
Equal To
for integer-based contexts).
  1. Research the application using packet capture and/or analyzer tools.
    • You should understand how you’d like to control the application before all else. Do you want to limit application functionality? Create a usage report? You’ll want to examine the contents of packet captures to gather context and identify unique characteristics of the application.
      Consider using a tool such as Wireshark or perform a packet capture on the firewall itself Take a Packet Capture for Unknown Applications.
    1. Perform multiple packet captures between the client system and web server.
      Generate traffic for various application scenarios once you have launched the capture tool. For example, if you wanted to create a signature for ‘uploading’ on uploading.com, you would upload a file on that site.
      Multiple sessions might be created for the different actions performed in the application. You will need to locate and inspect each type of session in the resulting packet captures.
    2. Inspect packet captures for values or patterns that uniquely identify the application or application function.
      For example, after you uploaded a file to uploading.com, you would look for HTTP POST request packets in the sessions captured by your packet analyzer tool. Then, you would examine the packet contents for patterns.
  2. Create the custom application.
    1. Select
      Objects
      Applications
      and click
      Add
      .
    2. Under
      Configuration
      , enter a name and optional description for the application. Specify the application’s Properties and Characteristics.
      • If your custom application has no Parent App that can be identified by regular App-ID or is used in an application override, the application cannot be scanned for threats.
      • If the custom application has scanning options unchecked, the threat engine will stop inspecting the traffic as soon as the custom application is identified.
    3. Under
      Advanced
      , define settings that will allow the firewall to identify the application protocol:
      • Specify the default ports or protocol that the application uses. To specify signatures independent of protocol, select None.
      • Specify the session timeout values. If you don’t specify timeout values, the default timeout values will be used.
      • Indicate any type of additional scanning you plan to perform on the application traffic.
  3. Define your signature.
    Multiple signatures may be necessary to account for all traffic specific to the application.
    1. Under
      Signatures
      , click
      Add
      and enter a
      Signature Name
      and optional description.
    2. Specify the
      Scope
      —Select between
      Transaction
      (e.g. HTTP request and response) or
      Session
      (e.g. a single POST request).
    3. Specify the matching conditions by clicking
      Add And Condition
      or
      Add Or Condition
      .
    4. Select an
      Operator
      to define the conditions that must be true for a signature to match traffic.
      • If you select
        Pattern Match
        , select a
        Context
        and then use a regular expression to specify the
        Pattern
        . Optionally,
        Add
        a qualifier/value pair.
      • Qualifiers are context-dependent and limit the match condition for the given context. For example, you might use the http-method qualifier to specify that a http-req-uri-path only matters if it is found inside an HTTP GET method.
      • If you select
        Equal To
        ,
        Less Than
        , or
        Greater Than
        , select an integer
        Context
        , and enter a
        Value
        .
    5. Repeat sub-steps 3 and 4 for each matching condition.
      If you leave
      Ordered Condition Match
      selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click
      Move Up
      or
      Move Down
      .
      You cannot move conditions from one group to another.
  4. Save the custom signature.
    1. Click
      OK
      to save your signature definition.
    2. Commit
      your signature.

Recommended For You