https://live.paloaltonetworks.com/t5/custom-signatures/custom-snort-signature-context-operator-not-found/m-p/354727#M364 <P>creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.</P><P>Shall we create a context operator or how it can add the pattern if the context operator is not available?</P><P>&nbsp;</P><P>For example:</P><P>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; <FONT color="#FF0000">http_method</FONT>; content:"<FONT color="#333399">Content-Type|3a 20|multipart/form-data|3b 20|boundary=</FONT>"; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; <FONT color="#FF0000">http_client_body</FONT>; <FONT color="#333399">content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i</FONT>"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)</P><P>&nbsp;</P><P>Not available</P><P><FONT color="#FF0000">http_method</FONT></P><P><FONT color="#FF0000">http_client_body</FONT></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Snort.jpg" style="width: 498px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28123i31F3B68F04518D9C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Snort.jpg" alt="Snort.jpg" /></span></P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 07:16:15 GMT Mohammed_Yasin 2020-10-07T07:16:15Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-snort-signature-context-operator-not-found/m-p/354727#M364 <P>creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.</P><P>Shall we create a context operator or how it can add the pattern if the context operator is not available?</P><P>&nbsp;</P><P>For example:</P><P>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; <FONT color="#FF0000">http_method</FONT>; content:"<FONT color="#333399">Content-Type|3a 20|multipart/form-data|3b 20|boundary=</FONT>"; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; <FONT color="#FF0000">http_client_body</FONT>; <FONT color="#333399">content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i</FONT>"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)</P><P>&nbsp;</P><P>Not available</P><P><FONT color="#FF0000">http_method</FONT></P><P><FONT color="#FF0000">http_client_body</FONT></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Snort.jpg" style="width: 498px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28123i31F3B68F04518D9C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Snort.jpg" alt="Snort.jpg" /></span></P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 07 Oct 2020 07:16:15 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-snort-signature-context-operator-not-found/m-p/354727#M364 Mohammed_Yasin 2020-10-07T07:16:15Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-snort-signature-context-operator-not-found/m-p/386593#M378 <P>Hi&nbsp;<A href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131110" target="_blank">@Mohammed_Yasin</A>,</P><P>&nbsp;</P><P><SPAN>http_method in the Custom Vulnerability Object is the&nbsp;http-method&nbsp;Qualifier and the&nbsp;http_client_body is the&nbsp;http-req-message-body&nbsp;Context, i.e.,:<BR /></SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CCACieszkowski_0-1613655319790.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29988i15960FA64207445A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CCACieszkowski_0-1613655319790.png" alt="CCACieszkowski_0-1613655319790.png" /></span></P><P>&nbsp;</P><P>Albert</P> Thu, 18 Feb 2021 13:35:31 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-snort-signature-context-operator-not-found/m-p/386593#M378 CCACieszkowski 2021-02-18T13:35:31Z