Skip to main content
dsan
dsan
Visitor III
October 1, 2024
Solved

Help with custom application signature

  • October 1, 2024
  • 3 replies
  • 7819 views

Hello,

 

I'm blocking app control Proxy category but I need to whitelist access to proxy-safebrowsing.googleapis.com. It falls under Proxy.HTTP application and gets blocked. I would like to do it via custom signature. But I can't seem to match the traffic using my custom signature.  I've read the signature creating guide and followed it but no luck. It still recognized as Proxy.HTTP.  

 

config application custom
 edit "Google.Safebrowsing.Proxy"
 set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --  app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
 set category 6
next

end

 

config application list
 edit "AppControl"
 set extended-log enable
 set other-application-log enable
 set unknown-application-log enable
 set deep-app-inspection disable
 unset options
 config entries
 edit 4
     set application 9876
     set action pass
 next
 edit 5
     set category 2 6 7 8
 next
end
next
end

 

Sample log of traffic:

 

date=2024-10-01 time=17:26:51 id=7420921850693158485 itime=2024-10-01 17:26:51 euid=3 epid=326934 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=warning action=block sessionid=186458912 policyid=89 srcip=10.123.111.111 dstip=123.123.123.123 srcport=54654 dstport=80 proto=6 logid=1059028705 service=HTTP eventtime=1727818011353619038 incidentserialno=82324068 crscore=10 craction=1048576 crlevel=medium direction=outgoing apprisk=critical appid=107347980 srcintfrole=lan dstintfrole=undefined applist=AppControl appcat=Proxy app=Proxy.HTTP hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature srcintf=WIFI dstintf=port16 rawdata=Response-Content-Type=text/html rawdataid=1/1 msg=Proxy: Proxy.HTTP tz=-0400 policytype=policy srccountry=Reserved dstcountry=United States poluuid=39cfc8a0-241e-51ef-27e1-221716410659 httpmethod=CONNECT devid=FG4H111111111111 vd=root dtime=2024-10-01 17:26:51 itime_t=1727818011

 

Anyone has any idea how to match it ? Maybe "hostname" is not something that is searched for the "pattern".

Best answer by dsan

It is working now.

 

On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.

I have not changed anything in the configuration,  and config captures show no difference in config.

The customer signature was pushed to the firewalls via FMG a week before it started to work.

Not sure how to explain it.

 

Current working signature:

config application custom
edit "Google.Safebrowsing.Proxy"
set comment ''
set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
set category 6
next
end

3 replies

johnathan
Staff
johnathan
Staff
October 2, 2024

Counterintuitively, you may be able to add a Web Filter and add a 'static URL filter' entry to exempt that URL from all UTM. This will stop it from even being scanned by the Application Control.
See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-The-difference-between-allow-and-exempt-in-the-web/ta-p/261349

If you need to do this within Application Control, it seems like the signature is correct. I would check and see if the request from the client is HTTPS, and if it is, you may need to enable Deep Inspection so Application Control can see inside that encrypted stream. 

Never trust a computer you can't throw out a window.
dsan
dsanAuthor
Visitor III
October 2, 2024

Thank you for your reply, Johnathan

 

I created "Simple" "Exempt"  URL filter of "proxy-safebrowsing.googleapis.com"  and logs showed that the traffic was "passthrough" and not blocked. But then, on the next step, it got matched by Proxy.HTTP and blocked.

 

The packets are not encrypted and I was able to capture a sample (shown below). Not sure why custom application does not match it.

 

4654654.png

123132.png

 

 

I tried

 F-SBID( --attack_id 9876; --name "Google.Safebrowsing.Proxy"; --service HTTP; --protocol tcp; --app_cat 6; --pattern "CONNECT proxy-safebrowsing.googleapis.com:443"; --weight 40;)

but it still recognized as Proxy.HTTP only

johnathan
Staff
johnathan
Staff
October 2, 2024

Let's try and make it as simple as possible: 
----
F-SBID( --name "block.proxy"; --pattern "proxy-safebrowsing.googleapis.com"; --service HTTP; --protocol tcp; )
----
I will try this also in my lab when I have a moment. Will keep you posted. 

Never trust a computer you can't throw out a window.
    dsan
    dsanAuthorAnswer
    Visitor III
    October 11, 2024

    It is working now.

     

    On Tuesday Oct 8 around 2PM the related traffic started to match my custom signature and stopped matching Proxy.HTTP for all our firewalls.

    I have not changed anything in the configuration,  and config captures show no difference in config.

    The customer signature was pushed to the firewalls via FMG a week before it started to work.

    Not sure how to explain it.

     

    Current working signature:

    config application custom
    edit "Google.Safebrowsing.Proxy"
    set comment ''
    set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
    set category 6
    next
    end

      Donald_Cooper
      Donald_Cooper
      New Member
      February 13, 2025
      @dsan wrote:

      Hello,

       

      I'm blocking app control Proxy category but I need to whitelist access to proxy-safebrowsing.googleapis.com. It falls under Proxy.HTTP application and gets blocked. I would like to do it via custom signature. But I can't seem to match the traffic using my custom signature.  I've read the signature creating guide and followed it but no luck. It still recognized as Proxy.HTTP.  

       

      config application custom
       edit "Google.Safebrowsing.Proxy"
       set signature "F-SBID( --attack_id 9876; --name \"Google.Safebrowsing.Proxy\"; --service HTTP; --protocol tcp; --  app_cat 6; --pattern \"safebrowsing.googleapis.com\"; --weight 40;)"
       set category 6
      next

      end

       

      config application list
       edit "AppControl"
       set extended-log enable
       set other-application-log enable
       set unknown-application-log enable
       set deep-app-inspection disable
       unset options
       config entries
       edit 4
           set application 9876
           set action pass
       next
       edit 5
           set category 2 6 7 8
       next
      end
      next
      end

       

      Sample log of traffic:

       

      date=2024-10-01 time=17:26:51 id=7420921850693158485 itime=2024-10-01 17:26:51 euid=3 epid=326934 dsteuid=3 dstepid=101 type=utm subtype=app-ctrl level=warning action=block sessionid=186458912 policyid=89 srcip=10.123.111.111 dstip=123.123.123.123 srcport=54654 dstport=80 proto=6 logid=1059028705 service=HTTP eventtime=1727818011353619038 incidentserialno=82324068 crscore=10 craction=1048576 crlevel=medium direction=outgoing apprisk=critical appid=107347980 srcintfrole=lan dstintfrole=undefined applist=AppControl appcat=Proxy app=Proxy.HTTP hostname=proxy-safebrowsing.googleapis.com url=/ eventtype=signature srcintf=WIFI dstintf=port16 rawdata=Response-Content-Type=text/html rawdataid=1/1 msg=Proxy: Proxy.HTTP tz=-0400 policytype=policy srccountry=Reserved dstcountry=United States poluuid=39cfc8a0-241e-51ef-27e1-221716410659 httpmethod=CONNECT devid=FG4H111111111111 vd=root dtime=2024-10-01 17:26:51 itime_t=1727818011

       

      Anyone has any idea how to match it ? Maybe "hostname" is not something that is searched for the "pattern".

      In today’s digital landscape, having a robust mobile app is no longer a luxury but a necessity for businesses across industries. Mobile apps provide a direct, convenient way to engage with customers, streamline operations, and boost brand loyalty. From e-commerce to fintech, companies are leveraging mobile solutions to stay competitive and meet evolving consumer demands. Developing a high-quality app requires a clear understanding of user needs, seamless UI/UX design, and reliable backend infrastructure. This process can be complex, especially when considering cross-platform compatibility, security, and performance optimization. For businesses looking to build or improve their mobile applications, partnering with experienced developers can make a significant difference. DashDevs https://dashdevs.com/mobile-app-development/ offers tailored mobile app development services that help companies create scalable, user-friendly apps designed to drive growth and enhance customer experience. As mobile usage continues to rise globally, businesses that invest in well-designed apps position themselves for long-term success. The key lies in creating solutions that are not just functional but also intuitive, secure, and aligned with business goals.

      If you're encountering a challenge with creating a custom signature to whitelist proxy-safebrowsing.googleapis.com, as it's still being blocked under the Proxy.HTTP category. One important thing to consider is that the hostname field in the log may not be the right match point for your signature. When crafting custom signatures, the pattern typically matches the data in the payload, and hostname might not be directly searchable in the signature definition.

      Terms & ConditionsAccessibility statement