https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-not-working-as-expected/m-p/241141#M283 <P>Hi Guys</P><P>I have the follwoing issue:</P><P>I have a <STRONG>policy rule where I allow&nbsp; smtp flow</STRONG>! On this rule I have a vulnerability protection profile. In this pofile I have 2 rules:</P><P>- one rule which is supposed to <STRONG>allow emails with bb.com in the subject</STRONG></P><P>-the second one is the one which is <STRONG>denying emails from aa.com</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17682i2386CCDC1076B42D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>Both rules have custom vulnerability objects:</P><P>test_aa.com</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 604px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17683i8B0BA1F2410E4DC9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17684iC29FB09A565E70DF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>test_bb.com.com</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17685i0156DA5C192B4DAA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17686i88EED9C44485B126/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>The idea is to block emails with aa.com in the subject but allow emails wich have aaa.com and bb.com in the subject.</P><P>I'm trying since some time and I think now is the momment to ask for help as I don't uderstand what is happening!</P><P>When I send emails with only aa.com they are dropped correctly but alos when I send with aa.com and bb.com in the subject. As you can see I used the order and the one with allow bb.com is before the one denying the aa.com.</P><P>Is my understanding about the vulnerability profiles not correct or is just a regex issue?</P><P>Thanks for the help!</P><P>Marius</P> Mon, 26 Nov 2018 09:26:38 GMT gheorghe.ms 2018-11-26T09:26:38Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-not-working-as-expected/m-p/241141#M283 <P>Hi Guys</P><P>I have the follwoing issue:</P><P>I have a <STRONG>policy rule where I allow&nbsp; smtp flow</STRONG>! On this rule I have a vulnerability protection profile. In this pofile I have 2 rules:</P><P>- one rule which is supposed to <STRONG>allow emails with bb.com in the subject</STRONG></P><P>-the second one is the one which is <STRONG>denying emails from aa.com</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17682i2386CCDC1076B42D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>Both rules have custom vulnerability objects:</P><P>test_aa.com</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 604px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17683i8B0BA1F2410E4DC9/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17684iC29FB09A565E70DF/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>test_bb.com.com</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17685i0156DA5C192B4DAA/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17686i88EED9C44485B126/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P><P>&nbsp;</P><P>The idea is to block emails with aa.com in the subject but allow emails wich have aaa.com and bb.com in the subject.</P><P>I'm trying since some time and I think now is the momment to ask for help as I don't uderstand what is happening!</P><P>When I send emails with only aa.com they are dropped correctly but alos when I send with aa.com and bb.com in the subject. As you can see I used the order and the one with allow bb.com is before the one denying the aa.com.</P><P>Is my understanding about the vulnerability profiles not correct or is just a regex issue?</P><P>Thanks for the help!</P><P>Marius</P> Mon, 26 Nov 2018 09:26:38 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-not-working-as-expected/m-p/241141#M283 gheorghe.ms 2018-11-26T09:26:38Z