https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67284#M3 <P>Good afternoon, Viren!</P> <P>&nbsp;</P> <P>Given the nature of our custom signature engine, I cannot think of a way to design a signature to accomplish what you are looking for.</P> <P>&nbsp;</P> <P>However, what you are asking for may be possible with a Zone Protection profile under Reconnaissance Protection.</P> <P>&nbsp;</P> <P>Please see this article for reference:<BR /><BR /></P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-an-IP-for-a-Specific-Period-upon-Detecting-Port/ta-p/65523" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-an-IP-for-a-Specific-Period-upon-Detecting-Port/ta-p/65523</A></P> <P>&nbsp;</P> <P>Hope this helps!</P> Mon, 26 Oct 2015 18:00:47 GMT rcole 2015-10-26T18:00:47Z https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67282#M2 <P>Hi,</P> <P>&nbsp;&nbsp;&nbsp; I have certain subnets that are currently not in use in our domain, I wanted to ip-block for 30 minutes all ips that access any of these subnets. Is it possible to creat a threat signature for this?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VIREN</P> Mon, 26 Oct 2015 17:19:14 GMT https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67282#M2 viren.parasram 2015-10-26T17:19:14Z https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67284#M3 <P>Good afternoon, Viren!</P> <P>&nbsp;</P> <P>Given the nature of our custom signature engine, I cannot think of a way to design a signature to accomplish what you are looking for.</P> <P>&nbsp;</P> <P>However, what you are asking for may be possible with a Zone Protection profile under Reconnaissance Protection.</P> <P>&nbsp;</P> <P>Please see this article for reference:<BR /><BR /></P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-an-IP-for-a-Specific-Period-upon-Detecting-Port/ta-p/65523" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-an-IP-for-a-Specific-Period-upon-Detecting-Port/ta-p/65523</A></P> <P>&nbsp;</P> <P>Hope this helps!</P> Mon, 26 Oct 2015 18:00:47 GMT https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67284#M3 rcole 2015-10-26T18:00:47Z https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67301#M4 <P>Hi,</P> <P>&nbsp;&nbsp;&nbsp;&nbsp; Thanks for your suggestion, I will look into that. What I've been trying is to set up strict vulneabilities av virus url profiles with default block and applying them to the policy. I have a request for enhancement to allow for block ip at the group level but in the mean time I've added ip block to some brute force matches to get the desired effect. Waiting to see if this works.</P> <P>&nbsp;</P> <P>THANKS,</P> <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; VIREN</P> Tue, 27 Oct 2015 13:22:37 GMT https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67301#M4 viren.parasram 2015-10-27T13:22:37Z https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67487#M5 <P>Viren,</P> <P>&nbsp;</P> <P>To use custom signatures you need to tirgger on a defined traffic patten based on the contexts you have available for our use when creating a signature. &nbsp;Since you want a honeypot trigger the challenge you would have is what traffic are you going to trigger on? &nbsp;Might I suggest you create a security rule for you honeynet and use a logging profile that can alert you via txt message or email immediately upon being triggered.</P> <P>&nbsp;</P> <P>Thought I would throw that out for your thoughts.</P> <P>&nbsp;</P> <P>regards,</P> <P>&nbsp;</P> <P>Phil&nbsp;</P> Fri, 30 Oct 2015 00:17:55 GMT https://live.paloaltonetworks.com/t5/custom-signatures/honey-pot-signature/m-p/67487#M5 HITSSEC 2015-10-30T00:17:55Z