https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/101267#M117 <P>I would like to block any ELF executable, but this is not support in file blocking. I have tried to achieve this using two methods:</P><P>&nbsp;</P><P>Create a custom data pattern. This didn't really work out, as the minimum string length is 7 bytes, but the file identifier is only four, plus it needs to be in the start of the file rather than anywhere in the file.</P><P>&nbsp;</P><P>Create a custom vulnerability. This is ok, but not ideal. I created a pattern-match condition, with a context of <STRONG>file-elf-body</STRONG>. Unfortunately, I then need to add a 7 byte value to match against. I have put <STRONG>\x00000000000000\x</STRONG>, which catches any file I can find, but it is concievable that there are files with no such string.</P><P>&nbsp;</P><P>Can anyone else suggest a better solution to this? You may have guessed, I'm a complete novice at this.</P><P>&nbsp;</P> Fri, 05 Aug 2016 01:18:38 GMT stephengun 2016-08-05T01:18:38Z https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/101267#M117 <P>I would like to block any ELF executable, but this is not support in file blocking. I have tried to achieve this using two methods:</P><P>&nbsp;</P><P>Create a custom data pattern. This didn't really work out, as the minimum string length is 7 bytes, but the file identifier is only four, plus it needs to be in the start of the file rather than anywhere in the file.</P><P>&nbsp;</P><P>Create a custom vulnerability. This is ok, but not ideal. I created a pattern-match condition, with a context of <STRONG>file-elf-body</STRONG>. Unfortunately, I then need to add a 7 byte value to match against. I have put <STRONG>\x00000000000000\x</STRONG>, which catches any file I can find, but it is concievable that there are files with no such string.</P><P>&nbsp;</P><P>Can anyone else suggest a better solution to this? You may have guessed, I'm a complete novice at this.</P><P>&nbsp;</P> Fri, 05 Aug 2016 01:18:38 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/101267#M117 stephengun 2016-08-05T01:18:38Z https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/101327#M118 <P>Hi,</P><P>&nbsp;</P><P>You could try to do a pattern match on the context "file-unknown-body", with 4 7-byte patterns representing the different classes (32-bit or 64-bit) and endianness (little endian or big endian):</P><P>&nbsp;</P><P>\x7f454c46010101\x</P><P><SPAN>\x7f454c46010201\x</SPAN></P><P><SPAN>\x7f454c46020101\x</SPAN></P><P><SPAN>\x7f454c46020201\x</SPAN></P><P>&nbsp;</P><P><SPAN>I haven't tried it myself, but I don't see why it wouldn't work.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Regards,</SPAN></P><P>&nbsp;</P><P><SPAN>Benjamin</SPAN></P> Fri, 05 Aug 2016 18:28:23 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/101327#M118 BenjAudy.MTL 2016-08-05T18:28:23Z https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/145833#M155 <P>It looks like content update 667 added a&nbsp;new file type to detect ELF files (ID #52175).</P><P>&nbsp;</P><P>Benjamin</P> Thu, 02 Mar 2017 15:50:36 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detect-any-elf-executable/m-p/145833#M155 BenjAudy.MTL 2017-03-02T15:50:36Z