https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349466#M361 <P>Replying to myself here...</P><P>Per this thread, it looks like my initial assumption was correct: <A href="https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-p/74176#M4" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-p/74176</A></P><P>&nbsp;</P><P>...So is there any way to search the payload of a TCP datagram of a known application - but an application lacking a pre-built Context?&nbsp; I think we need a Context called "raw-req-tcp-payload".&nbsp; I find it hard to believe that PAN would assume that someone who goes to the trouble of creating a custom vulnerability signature would only do so for traffic that is not classified as a known application.&nbsp; In fact, these are the type of people who will also go to the trouble of creating a custom application signature to eliminate unknown-tcp from their environment.</P> Tue, 15 Sep 2020 18:44:22 GMT John.Petrucci 2020-09-15T18:44:22Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349450#M360 <P>I'm trying to write a custom threat signature.&nbsp; The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic.&nbsp; I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature Context is "unknown-req-tcp-payload".</P><P>&nbsp;</P><P>Is this context only for traffic that is application = unknown-tcp?&nbsp; If a known application is detected, does "unknown-req-tcp-payload" not apply?</P><P>&nbsp;</P> Tue, 15 Sep 2020 18:30:57 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349450#M360 John.Petrucci 2020-09-15T18:30:57Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349466#M361 <P>Replying to myself here...</P><P>Per this thread, it looks like my initial assumption was correct: <A href="https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-p/74176#M4" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-p/74176</A></P><P>&nbsp;</P><P>...So is there any way to search the payload of a TCP datagram of a known application - but an application lacking a pre-built Context?&nbsp; I think we need a Context called "raw-req-tcp-payload".&nbsp; I find it hard to believe that PAN would assume that someone who goes to the trouble of creating a custom vulnerability signature would only do so for traffic that is not classified as a known application.&nbsp; In fact, these are the type of people who will also go to the trouble of creating a custom application signature to eliminate unknown-tcp from their environment.</P> Tue, 15 Sep 2020 18:44:22 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349466#M361 John.Petrucci 2020-09-15T18:44:22Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349467#M362 <P>Hi John,</P><P>&nbsp;</P><P>You are correct in that versions prior to 10.0 you can not write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface.</P><P>&nbsp;</P><P>In 10.0, there is more flexibility, including a "context-less" signature that may meet your requirements.&nbsp; Be advised that there can be performance penalties when using these expanded capabilities.&nbsp; More info here:</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/enhanced-pattern-matching-engine.html#iddc51c078-bc5c-4c95-bba4-dd5763f2b549" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/enhanced-pattern-matching-engine.html#iddc51c078-bc5c-4c95-bba4-dd5763f2b549</A></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 15 Sep 2020 18:57:54 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/m-p/349467#M362 claudec 2020-09-15T18:57:54Z