https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144761#M153 <P>Thanks! I'll give this a try!</P> Fri, 24 Feb 2017 15:25:07 GMT pwebber 2017-02-24T15:25:07Z https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144361#M149 <P>Can't seem to find a way to do it. I don't see a built-in signature, and was going to make a custom one, but the&nbsp;patern match context doesn't seem to cover the HTTP version for some odd reason. Maybe I'm missing something?</P> Wed, 22 Feb 2017 16:18:05 GMT https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144361#M149 pwebber 2017-02-22T16:18:05Z https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144364#M150 Can you put in a screen shot of the packet capture you want to make it based off of? Wed, 22 Feb 2017 16:34:11 GMT https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144364#M150 murphyj 2017-02-22T16:34:11Z https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144664#M152 <P>Although the custom signature document indicates the "http-req-headers" context excludes the ablity to match on the method/path/version/host info, I have found that you can at least match on the method and version info using this context.</P><P>&nbsp;</P><P>I haven't tried to match path/host info, however, as there are specific contexts available for those headers.</P><P>&nbsp;</P><P>The attached vulnerability sig XML looks for v1.1 in a GET method, it would be easy enough to modify it to look for 1.0.</P><P>&nbsp;</P><P>-C</P><PRE>&lt;vulnerability-threat version="7.1.0"&gt; &lt;entry name="41002"&gt; &lt;signature&gt; &lt;standard&gt; &lt;entry name="sig-http-ver"&gt; &lt;and-condition&gt; &lt;entry name="And Condition 1"&gt; &lt;or-condition&gt; &lt;entry name="Or Condition 1"&gt; &lt;operator&gt; &lt;pattern-match&gt; &lt;qualifier&gt; &lt;entry name="http-method"&gt; &lt;value&gt;GET&lt;/value&gt; &lt;/entry&gt; &lt;/qualifier&gt; &lt;pattern&gt;\x48 54 54 50 2f 31 2e 31\x&lt;/pattern&gt; &lt;context&gt;http-req-headers&lt;/context&gt; &lt;negate&gt;no&lt;/negate&gt; &lt;/pattern-match&gt; &lt;/operator&gt; &lt;/entry&gt; &lt;/or-condition&gt; &lt;/entry&gt; &lt;/and-condition&gt; &lt;order-free&gt;no&lt;/order-free&gt; &lt;scope&gt;protocol-data-unit&lt;/scope&gt; &lt;comment&gt;looks for http version 1.1 in header&lt;/comment&gt; &lt;/entry&gt; &lt;/standard&gt; &lt;/signature&gt; &lt;default-action&gt; &lt;alert/&gt; &lt;/default-action&gt; &lt;threatname&gt;http-header-get-v1-1&lt;/threatname&gt; &lt;severity&gt;informational&lt;/severity&gt; &lt;direction&gt;client2server&lt;/direction&gt; &lt;comment&gt;http 1.1&lt;/comment&gt; &lt;affected-host&gt; &lt;client&gt;yes&lt;/client&gt; &lt;/affected-host&gt; &lt;/entry&gt; &lt;/vulnerability-threat&gt;</PRE><P>&nbsp;</P> Fri, 24 Feb 2017 00:25:03 GMT https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144664#M152 claudec 2017-02-24T00:25:03Z https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144761#M153 <P>Thanks! I'll give this a try!</P> Fri, 24 Feb 2017 15:25:07 GMT https://live.paloaltonetworks.com/t5/custom-signatures/possible-to-block-http-1-0-requests/m-p/144761#M153 pwebber 2017-02-24T15:25:07Z