https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/132936#M147 <P>Please refer to the thread on this forum:</P> <P><A href="https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Signature-discussion/m-p/101020#U101020" target="_blank">https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Signature-discussion/m-p/101020#U101020</A></P> <P>This has an example on how to detect Nikto Scanner traffic by sigging off the user-agent:</P> <P>Example 2<STRONG>:</STRONG> Detecting Nikto Scans through User Agent (Nikto User Agent.xml)</P> <P>&nbsp;</P> <P>The same thing can be achieved for OpenVAS by simply modifying the value in the user-agent field in the signature to "OpenVAS".</P> <P>&nbsp;</P> <P>The signature can then be used in policy to alert/block etc.</P> Thu, 15 Dec 2016 01:33:35 GMT goku123 2016-12-15T01:33:35Z https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/132930#M146 <P>So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (Ultimately I would like to just block these entirely.</P><P>&nbsp;</P><P>Is something that can be easily built?</P> Thu, 15 Dec 2016 01:23:05 GMT https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/132930#M146 r_gine 2016-12-15T01:23:05Z https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/132936#M147 <P>Please refer to the thread on this forum:</P> <P><A href="https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Signature-discussion/m-p/101020#U101020" target="_blank">https://live.paloaltonetworks.com/t5/Custom-Signatures/Welcome-to-the-Palo-Alto-Networks-Custom-Signature-discussion/m-p/101020#U101020</A></P> <P>This has an example on how to detect Nikto Scanner traffic by sigging off the user-agent:</P> <P>Example 2<STRONG>:</STRONG> Detecting Nikto Scans through User Agent (Nikto User Agent.xml)</P> <P>&nbsp;</P> <P>The same thing can be achieved for OpenVAS by simply modifying the value in the user-agent field in the signature to "OpenVAS".</P> <P>&nbsp;</P> <P>The signature can then be used in policy to alert/block etc.</P> Thu, 15 Dec 2016 01:33:35 GMT https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/132936#M147 goku123 2016-12-15T01:33:35Z https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/202876#M235 <P>I could not get the OpenVAS signature to work by just switching Nikto for OpenVAS. I had to do a more basic string &lt;pattern&gt;OpenVAS&lt;/pattern&gt; . I actually did &lt;pattern&gt;OpenVAS 8&lt;/pattern&gt; at first to see if that would work, it did. (OpenVAS 8.0.9 was the user agent.&nbsp;</P><P>&nbsp;</P><P>Make sure you edit the entry name if you use my .xml file. You might already have that number in use. Also created one for Baiduspider since my IDS picked it up in a scan and I saw the user agent string for it.&nbsp;</P><P>&nbsp;</P><P>There's a few useful links that will show user agent strings for popular scanners/crawlers.&nbsp;</P><P>&nbsp;</P><P><A href="https://developers.whatismybrowser.com/useragents/explore/software_type_specific/crawler/9" target="_blank">https://developers.whatismybrowser.com/useragents/explore/software_type_specific/crawler/9</A><BR /><A href="http://www.useragentstring.com/pages/useragentstring.php?typ=Crawler" target="_blank">http://www.useragentstring.com/pages/useragentstring.php?typ=Crawler</A></P><P>&nbsp;</P><P>Hope that helps, thanks -Rags</P> Wed, 28 Feb 2018 19:44:54 GMT https://live.paloaltonetworks.com/t5/custom-signatures/basic-rule-to-detect-alert-on-ovenvas-scanners/m-p/202876#M235 Rags 2018-02-28T19:44:54Z