We're trying to create a filter on the condition of an app_id prefix, and it does not seem to work, while when using FWP_MATCH_EQUAL it does.
When using:
filterCondition.fieldKey = FWPM_CONDITION_ALE_APP_ID;
filterCondition.matchType = FWP_MATCH_EQUAL;
filterCondition.conditionValue.type = FWP_BYTE_BLOB_TYPE;
Here are some WFP captures of that mismatch:
The filter:
<filterCondition numItems="1">
  <item>
    <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <matchType>FWP_MATCH_PREFIX</matchType>
    <conditionValue>
      <type>FWP_BYTE_BLOB_TYPE</type>
      <byteBlob>
        <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c00</data>
        <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.u.s.e.r.s.\.</asString>
      </byteBlob>
    </conditionValue>
  </item>
</filterCondition>
The actual traffic:
<item>
  <endpointId>29176</endpointId>
  <ipVersion>FWP_IP_VERSION_V4</ipVersion>
  <localV4Address>192.168.68.105</localV4Address>
  <remoteV4Address>18.197.249.189</remoteV4Address>
  <ipProtocol>6</ipProtocol>
  <localPort>63310</localPort>
  <remotePort>443</remotePort>
  <localTokenModifiedId>606442</localTokenModifiedId>
  <mmSaId>0</mmSaId>
  <qmSaId>0</qmSaId>
  <ipsecStatus>0 (ERROR_SUCCESS)</ipsecStatus>
  <flags/>
  <appId>
    <data>5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c0064006f0072006c005c0061007000700064006100740061005c006c006f00630061006c005c0073006c00610063006b005c006100700070002d0034002e00320032002e0030005c0073006c00610063006b002e006500780065000000</data>
    <asString>\.d.e.v.i.c.e.\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.4.\.u.s.e.r.s.\.d.o.r.l.\.a.p.p.d.a.t.a.\.l.o.c.a.l.\.s.l.a.c.k.\.a.p.p.-.4...2.2...0.\.s.l.a.c.k...e.x.e...</asString>
  </appId>
</item>
We've attempted with and without a null terminator on the prefix. What are we doing wrong?
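The following is an added example, not code from the question above: it decodes the two byte blobs quoted in the captures (the hex constants are copied from the <data> elements) and checks whether the filter's conditionValue is a byte-for-byte prefix of the connection's appId, once as captured and once with a UTF-16 NUL terminator appended. FWP_MATCH_PREFIX on an FWP_BYTE_BLOB_TYPE value is a raw byte comparison, so this is the test the filter has to pass; the build command and buffer sizes are this example's own choices.

```c
/* Added example (not from the original post): decode the WFP byte blobs quoted in the
 * question and test the raw byte-prefix relationship between the filter value and the
 * connection's app ID. Build with: cc -std=c99 -o appid_prefix appid_prefix.c */
#include <stdio.h>
#include <string.h>

/* Hex copied from the <data> elements in the question: filter condition first, then traffic. */
static const char FILTER_HEX[] = "5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c00";
static const char APPID_HEX[]  = "5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650034005c00750073006500720073005c0064006f0072006c005c0061007000700064006100740061005c006c006f00630061006c005c0073006c00610063006b005c006100700070002d0034002e00320032002e0030005c0073006c00610063006b002e006500780065000000";

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex text into out; returns the byte count, or -1 if the text is malformed or too long. */
int hex_decode(const char *hex, unsigned char *out, size_t cap) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Raw byte-prefix test: the filter value must fit inside the app ID and match it byte for byte. */
int is_byte_prefix(const unsigned char *pre, size_t prelen, const unsigned char *full, size_t fulllen) {
    return prelen <= fulllen && memcmp(pre, full, prelen) == 0;
}

/* Render UTF-16LE bytes as ASCII (the capture's <asString> shows the same units with the zero
 * high bytes printed as dots). Stops at a UTF-16 NUL; returns the number of characters written. */
int utf16le_to_ascii(const unsigned char *buf, size_t len, char *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i + 1 < len && k + 1 < cap; i += 2) {
        unsigned lo = buf[i], hi = buf[i + 1];
        if (lo == 0 && hi == 0) break;                      /* L'\0' terminator */
        out[k++] = (hi == 0 && lo >= 0x20 && lo < 0x7f) ? (char)lo : '?';
    }
    out[k] = '\0';
    return (int)k;
}

/* 1 if the filter blob exactly as captured (no terminator) is a byte prefix of the app ID. */
int filter_blob_is_prefix(void) {
    unsigned char f[256], a[256];
    int fl = hex_decode(FILTER_HEX, f, sizeof f);
    int al = hex_decode(APPID_HEX, a, sizeof a);
    return fl > 0 && al > 0 && is_byte_prefix(f, (size_t)fl, a, (size_t)al);
}

/* 1 if the filter blob with a UTF-16 NUL appended (the other variant the question mentions)
 * is a byte prefix of the app ID. The two zero bytes land where the app ID continues with
 * "d" (0x64 0x00), so the raw comparison fails at that position. */
int filter_blob_with_nul_is_prefix(void) {
    unsigned char f[256], a[256];
    int fl = hex_decode(FILTER_HEX, f, sizeof f);
    int al = hex_decode(APPID_HEX, a, sizeof a);
    if (fl < 0 || al < 0 || (size_t)fl + 2 > sizeof f) return 0;
    f[fl++] = 0x00;
    f[fl++] = 0x00;                                         /* append L'\0' */
    return is_byte_prefix(f, (size_t)fl, a, (size_t)al);
}

int main(void) {
    unsigned char f[256], a[256];
    char text[128];
    int fl = hex_decode(FILTER_HEX, f, sizeof f);
    int al = hex_decode(APPID_HEX, a, sizeof a);
    if (fl < 0 || al < 0) return 1;
    utf16le_to_ascii(f, (size_t)fl, text, sizeof text);
    printf("filter value (%d bytes): %s\n", fl, text);
    utf16le_to_ascii(a, (size_t)al, text, sizeof text);
    printf("app id       (%d bytes): %s\n", al, text);
    printf("byte prefix without NUL: %d\n", filter_blob_is_prefix());
    printf("byte prefix with NUL:    %d\n", filter_blob_with_nul_is_prefix());
    return 0;
}
```

Running this on the captured data shows that the 60-byte filter value as quoted does line up with the first 60 bytes of the 152-byte app ID, while the NUL-terminated variant does not, which narrows the remaining mismatch to how the filter is being added rather than to the bytes in the prefix itself.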