Add Protocol Signature Service with airSlate SignNow

Add protocol signature service

hi everyone and thanks for joining this video on how to create a custom app ID today we're going to cover a couple of things but it should be a brief but interesting and we're going to cover how to create a custom app ID of course but the the first item on the agenda is what is a custom app ID will define what that is and then second after that we'll look at a couple of quick tools we'll use to do that how we create that and then we'll do a live demonstration of how that actually works okay so let's just go ahead and get started so what is a custom app ID a custom app ID allows us really to do two things first is to create pattern based signatures for traffic that doesn't match any of our existing application signatures so this might include things like internet applications or custom homegrown applications things like that so it's often useful to be able to control these things or sometimes it could be internet-based applications that we just don't have an app ID for and you want to create something specific just for that okay so that's one the other is that oftentimes we want to create an app ID for use in an app ID override rule so an app override rule is where we could identify traffic that might otherwise be unknown so we can identify things like unknown tcp or unknown UDP we can get that application a name the other is again when we're doing doing Internet traffic or or homegrown applications that might be identified as something else might be just plainly identifies it as web browsing yet it's our intranet server or something like that so so those are those are the primary reasons that we would use an app ID and and and what the custom app ID is for the next question that comes up of course is how do we create these custom app ID signatures well there's three easy steps to this the first is that we have to look at the packets the second is really identifying traffic patterns within those packets and then finally building the signature so in the first step looking at the packets we need to use a packet capture tool or an HTTP analyzer things like Wireshark or I'll show you a tool that I'm going to use called HTTP Fox there's another tool called HTTP watch from here we need to identify traffic patterns using things like port and protocol is you know is a TCP port 80 or 4/4 of some other port the decoder context so is it using HTTP FTP some other protocol we need to identify that and then finally we need to identify a pattern and one thing to notice the patterns need to be seven bytes or longer okay shorter patterns won't work you need identify a full seven bytes all right usually pretty simple identifying shorter patterns really just contributes to false positives so from here once we have those things then you just build your signature in the objects tab into the application section you just click Add to add and we'll go through that as well I'm another thing that we won't demonstrate here but you do also have the capability to create custom vulnerability signatures this is very similar to the app ID engine so I won't I won't go through it but the same tools are available ok all right so let's go ahead and build one okay and we'll get started on that now so a couple quick things I am using a very simple policy base at the moment I'm logged into this firewall that just really has these three rules allow outbound the first rule allows me to manage the device and then my last rule which is a catch-all okay I'm allowing everything out then what I'm gonna do is we're gonna go to an application called a rapid Gator dotnet here a rapid Gator is a web-based file sharing utility we're gonna build a custom app ID for and this one ordinarily would just get identified as web browsing but what this particular website allows you to do is upload files similar to mega upload or a rapid share where the files didn't become publicly available and it has of course connotations to it such as things like illegal file sharing and and loss of intellectual property things like that so again first thing is we have to identify we're to see the packets so we have to look at those there are several tools for doing this I'm going to use a tool called HTTP Fox oops this is a plugin for or an add-on for Firefox so I'll show you what that looks like there's also a similar tool called HTTP watch if you have $395 laying around you can do this tool but I'm gonna use HTTP Fox because it's free to give you a quick demonstration of what HTTP Fox does let me bring it up right here me oops sorry let me bring it up here will clear this if I go to Google let me start the tool so it starts capturing if I go to Google here you will see a summary down here in the window of all the objects that are being loaded so things like this will show us information about the stop the capture about the host that we went to the server responses the cookies and other header information that we might use then to leverage a a pattern match okay so great I'm gonna clear this and let's go to rapid gator okay so I have come here to rapid Gator I can come here freshly if I like I forgot to start my tool here let's do it again okay it's got a rapid Gator there it is we will see information being sent to and from rapid Gator so we'll see this and then what I'm going to do is I'm going to want to upload a file to rapid Gator and I want to capture patterns or look for patterns within that upload to be able to maybe prevent that from happening in the future so we're gonna build two signatures one around rapid Gator in general and then a second around actually uploading to rapid Gator so I've already captured enough data people to be able to write the signature for rapid Gator and then the second one is gonna be me uploading a file so what I'll do is I'll check this box let's say upload a file I need to choose a file we can choose a file in here somewhere how about this one will say open it uploads the file say upload and there it goes and now it finished so you'll see when I hit the upload button you'll see this this post happened I'm gonna stop this right now that's the one I want to look at okay let's close this so great so I see when I go to regular rapid Gator you'll see that it goes to rapid Gator net and a bunch of other objects but when I post my upload file you'll see there's a post and this goes to a some server name dot rapid Gator net there's some other patterns in here I could grab out of the query string or things like that but I'm really for this we're allowed to make it simple and just go just monitor for this hostname so the pattern mansion I'm gonna look for is general rapid Gator net is just going to be this host setter and then if I'm posting then for uploading meaning I'm gonna look for a post to something to a server name dot rapid Gator net okay great so let's go build that okay so let's go back to our PA 200 and I'm gonna come over here let's actually close this I've got a little more space to work with I'll go to the objects tab and I'll go to applications and this will bring me to the applications window I'm going to kick click add to add a new application and I'll end up adding to we're gonna have the first one called rapid Gator and the next one's gonna be rapid Gator upload and the properties I'll select general internet this is file-sharing technology is browser-based I could choose some characteristics but I'll skip that for now in advanced I will click report and I'm going to define the port number that I want in this case TCP port 80 because this was an HTTP based application I could put in TCP port 443 physician if it was an SSL based application I could choose one exotic characteristics to look for but this is good for now I can also enable scanning here if I want to scan with security profiles things like scanning for file types or viruses or spyware stuff like that ok I'm going to skip that for now as well when I come over here to click signatures and this is the fun part this is where we add a signature Gator and we will add oh I'm sorry then you click to add a condition down here at the bottom I'll cancel to show you that again we click to add a condition it could be an and condition or an or condition I'm gonna click the and condition we can leave this scope as transaction and ordered condition match there's only gonna be one condition so I select that I choose a pattern match context that I'm going to look for is this is where I would choose what sort of protocol I'm looking for in this case we're looking for HTTP but you'll see there's a lot of different protocols in here that we're monitoring so I'm gonna look for HTTP request host header ok and then I will put in Rapid Gator dot net so this pattern again needs to be bigger than 7 bytes the little backslash dot that means a literal dot and not a wild-card that's a regex function there okay so there's that one so I'm looking for any pattern that matches rapid Gator net in the host header perfect okay that's for rapid Gator I'll say okay not great now the other one that I want to control is going to be the rapid Gator upload so to do that as you'll see this now appears there I'm going to add one more and I'm gonna make a new signature rapid Gator - upload and category general internet subcategory file-sharing technology browser-based advanced same as before TCP port 80 and then signatures and here the signature is gonna be slightly different I'm I'll do the same as I did before where I select to us a condition I select a pattern match but in this case I'm going to do an HTTP oh I have to do the HTTP request host header again but this one's gonna be a little bit different I'm because I'm looking for that that host name dot rapid Gator net so I'm waiting for that server name dot rapid Gator oops net and I'm going to add something called a qualifier down here at the bottom okay the qualifier allows me to specify what HTTP method I'm looking for and in this particular case we're looking for an HTTP POST so I'm going to come in here I'll say post HTTP method post I'll say okay so now we're saying that it has to have a host header that has dot rapid Gator dotnet in it and it has to be a post okay I'll say okay I'll say okay I'll say okay and now I have my two signatures in there and now let's do a commit okay and we will give this one second to commit and as soon as the commit is completed then we should be able to test our rapid gaiter application again and we should see that appear in the logs now okay so let's give that a shot just one second one other thing I'll mention to about about app ID database changes any database change you make with the custom app ID or custom vulnerability signatures forces a recompile of the entire database so this can take a little bit longer than your usual commit but the next time you come in after that that it doesn't have to recompile so it'll resume to normal okay so our commit is complete and now we're gonna go ahead and close this I'm gonna go over here to the monitor tab and we will look for those applications I'm going to go ahead and create a filter for application rapid Gator and you'll see that at the moment I do not have any rapid Gator in there but I'm gonna go ahead and refresh this and we will go ahead and try to upload our file again so if I do that then oops I forgot I got to do this first upload files choose a file and we'll choose some other random file here okay upload and there goes all right so my upload is complete and now if we go back here we should see rapid Gator and rapid Gator upload now I could have gone ahead and blocked any of these files as well or any of these applications oops there's rapid Gator upload using doing that file transfer so I could have gone ahead and created a policy to block these applications I won't do it just for the sake of time in this video but there you go that's how it works I hope that made good sense there are lots of resources available as well there are a lot of custom application signatures there are custom runner ability signature examples there's tools in the admin guide browser-based analyzers as well so I'll try to link some of these in the notes below anyway I hope you enjoyed this and I will catch up with you next time on our next video you