FWP_MATCH_PREFIX for FWPM_CONDITION_ALE_APP_ID not working

Dor Levin 1 Reputation point
2021-12-13T16:58:55.017+00:00

We're trying to create a filter on the condition of an app_id prefix, and it does not seem to work, while when using FWP_MATCH_EQUAL it does.

When using:
filterCondition.fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterCondition.matchType = FWP_MATCH_EQUAL;
filterCondition.conditionValue.type = FWP_BYTE_BLOB_TYPE;

Here are some WFP captures of that mismatch:

The filter:

                  <filterCondition numItems="1">
                      <item>
                          <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
                          <matchType>FWP_MATCH_PREFIX</matchType>
                          <conditionValue>
                              <type>FWP_BYTE_BLOB_TYPE</type>
                              <byteBlob>
                                  <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c00</data>
                                  <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.u.s.e.r.s.\.</asString>
                              </byteBlob>
                          </conditionValue>
                      </item>
                  </filterCondition>

The actual traffic:

      <item>
          <endpointId>29176</endpointId>
          <ipVersion>FWP_IP_VERSION_V4</ipVersion>
          <localV4Address>192.168.68.105</localV4Address>
          <remoteV4Address>18.197.249.189</remoteV4Address>
          <ipProtocol>6</ipProtocol>
          <localPort>63310</localPort>
          <remotePort>443</remotePort>
          <localTokenModifiedId>606442</localTokenModifiedId>
          <mmSaId>0</mmSaId>
          <qmSaId>0</qmSaId>
          <ipsecStatus>0 (ERROR_SUCCESS)</ipsecStatus>
          <flags/>
          <appId>
              <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c0064006f0072006c005c0061007000700064006100740061005c006c006f00630061006c005c0073006c00610063006b005c006100700070002d0034002e00320032002e0030005c0073006c00610063006b002e006500780065000000</data>
              <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.u.s.e.r.s.\.d.o.r.l.\.a.p.p.d.a.t.a.\.l.o.c.a.l.\.s.l.a.c.k.\.a.p.p.-.4...2.2...0.\.s.l.a.c.k...e.x.e...</asString>
          </appId>
      </item>

We've attempted with and without a null terminator on the prefix. What are we doing wrong?

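Before blaming the match type it is worth confirming that the condition bytes really are a byte-for-byte prefix of the appId bytes the engine sees. The program below is an added example, not code from the question or the answer: it decodes the two hex captures quoted above (copied from the question), and tests the condition data against the appId data once as captured and once with a trailing UTF-16 NUL appended, which is the difference a wide-string literal makes. `byte_blob` is a local stand-in with the same shape as the Windows FWP_BYTE_BLOB0 (a size plus a data pointer) so the check builds anywhere; it does not call the WFP API and makes no claim about how BFE evaluates the comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hex data copied from the two WFP captures in the question above:
 * the filter condition's byteBlob and the connection's appId. */
static const char *const FILTER_CONDITION_HEX =
    "5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c00";
static const char *const TRAFFIC_APPID_HEX =
    "5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c0064006f0072006c005c0061007000700064006100740061005c006c006f00630061006c005c0073006c00610063006b005c006100700070002d0034002e00320032002e0030005c0073006c00610063006b002e006500780065000000";

/* Local stand-in with the same shape as FWP_BYTE_BLOB0 (UINT32 size, UINT8 *data).
 * Assumption for this example: this is not the Windows type, it only lets the
 * check compile and run on any platform. */
typedef struct {
    uint32_t size;
    uint8_t *data;
} byte_blob;

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string into a freshly allocated blob.
 * Returns false on odd length or a non-hex character. */
static bool blob_from_hex(const char *hex, byte_blob *out) {
    size_t len = strlen(hex);
    if (len % 2 != 0) return false;
    out->size = (uint32_t)(len / 2);
    out->data = malloc(out->size ? out->size : 1);
    if (!out->data) return false;
    for (size_t i = 0; i < out->size; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) { free(out->data); out->data = NULL; return false; }
        out->data[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

/* Append the two-byte UTF-16 NUL terminator that an L"" literal carries. */
static bool blob_append_utf16_nul(byte_blob *b) {
    uint8_t *p = realloc(b->data, b->size + 2);
    if (!p) return false;
    b->data = p;
    b->data[b->size] = 0;
    b->data[b->size + 1] = 0;
    b->size += 2;
    return true;
}

/* Byte-wise prefix test: true when the whole of prefix->data equals the
 * leading prefix->size bytes of value->data. */
static bool blob_is_byte_prefix(const byte_blob *prefix, const byte_blob *value) {
    return prefix->size <= value->size &&
           memcmp(prefix->data, value->data, prefix->size) == 0;
}

/* Render a UTF-16LE blob as ASCII for display; NUL and non-ASCII code units print as '.'. */
static void blob_print_utf16le(const char *label, const byte_blob *b) {
    printf("%s (%u bytes): ", label, (unsigned)b->size);
    for (uint32_t i = 0; i + 1 < b->size; i += 2) {
        uint16_t cu = (uint16_t)(b->data[i] | (b->data[i + 1] << 8));
        putchar(cu >= 0x20 && cu < 0x7f ? (char)cu : '.');
    }
    putchar('\n');
}

/* Decode the two captures and test the condition bytes against the appId bytes,
 * first exactly as captured, then with a trailing UTF-16 NUL.
 * Returns false only if decoding or allocation fails. */
static bool check_page_captures(bool *matches_without_nul, bool *matches_with_nul) {
    byte_blob cond = {0, NULL}, appid = {0, NULL};
    bool ok = blob_from_hex(FILTER_CONDITION_HEX, &cond) &&
              blob_from_hex(TRAFFIC_APPID_HEX, &appid);
    if (ok) {
        *matches_without_nul = blob_is_byte_prefix(&cond, &appid);
        ok = blob_append_utf16_nul(&cond);
        if (ok) *matches_with_nul = blob_is_byte_prefix(&cond, &appid);
    }
    free(cond.data);
    free(appid.data);
    return ok;
}

int main(void) {
    byte_blob cond = {0, NULL}, appid = {0, NULL};
    bool without_nul = false, with_nul = false;
    if (!blob_from_hex(FILTER_CONDITION_HEX, &cond) || !blob_from_hex(TRAFFIC_APPID_HEX, &appid) ||
        !check_page_captures(&without_nul, &with_nul)) {
        fprintf(stderr, "could not decode capture data\n");
        return 1;
    }
    blob_print_utf16le("condition", &cond);
    blob_print_utf16le("appId    ", &appid);
    printf("byte prefix without NUL: %s\n", without_nul ? "yes" : "no");
    printf("byte prefix with NUL:    %s\n", with_nul ? "yes" : "no");
    free(cond.data);
    free(appid.data);
    return 0;
}
```

On the captures as posted, the condition data is a byte prefix of the appId only when no terminator is appended; with the two NUL bytes it is not, because the appId continues with `d` (0x64 0x00) after `\users\`. Run the same check on your own captures to rule out a stray terminator, a different volume name, or a case difference before looking elsewhere.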

1 answer

  1. Limitless Technology 39,351 Reputation points
    2021-12-20T14:13:35.02+00:00

    Hi @Dor Levin

    Only sortable data types support FWP_MATCH_GREATER. Sortable data types consist of all integer types, FWP_BYTE_ARRAY16_TYPE, FWP_BYTE_BLOB_TYPE, and FWP_UNICODE_STRING_TYPE.

    In general, the value data type and the filter condition data type must be the same. The Base Filtering Engine (BFE) does not perform any data conversion. For example, an FWP_UINT32 value cannot be compared with an FWP_UINT16 value.

    You can get more info from here https://learn.microsoft.com/en-us/windows/win32/api/fwptypes/ne-fwptypes-fwp_match_type

    Hope this resolves your query!
