topic Re: vulnerability signature with payload and negate in Custom Signatures

vulnerability signature with payload and negate

MCervenka — Sun, 14 Feb 2021 23:17:10 GMT

Hello.

I'm trying to write a custom app and vulnerability signature. Signatures are based on UDP-payload.

When I use the custom app signature, vulnerability detection does not work. Can I somehow turn on CTD for the custom app?

The other problem is that what I ideally need to do in the vulnerability is to check for the other than mine UDP-payload. So I was thinking about matching "\xaabbccddee\x" with negating turned on and "\xaabbccdd\x" in the payload in one vulnerability signature. But this does not work either.

Any suggestions?

Thank you.

Re: vulnerability signature with payload and negate

claudec — Mon, 15 Feb 2021 14:43:41 GMT

Hello,

You can enable CTD inspection for the custom app by enabling "scanning" in the advanced tab of the signature.

Regarding the negate condition in custom threat signatures, there are some restrictions. One is that it can not be the only match condition. At least one non-negate condition must be included. Also, if the signature scope is "session" the negate condition can not be the last match condition.

Re: vulnerability signature with payload and negate

MCervenka — Mon, 15 Feb 2021 15:05:38 GMT

Hello,

I did some other tests...

Yes, this we can read in some manual, but on the other hand, we can also read, that this is dependent on the parent application. These packet payloads signatures of course are not. Anyway, I tried at the end everything to turn on and it did not help. And even the property I am matching is unknown-req-udp-payload. Maybe this unknown is important 😞 So I ended with this question.

Yes, you are right again. But after 20 or so packets, this signature does not work anymore. My signature will drop the session if a vulnerability is found in the first 20 packets only. I would like to inspect every packet in the UDP stream.

Re: vulnerability signature with payload and negate

claudec — Mon, 15 Feb 2021 17:15:23 GMT

I don't think it's possible to configure a custom threat signature using the "unknown" protocol decoder that will inspect every packet for the entire duration of the flow.

There are some improvements to the threat inspection process in PAN-OS 10 and so if you can run that version you might try using the "udp context free" decoder for your custom threat signature to see if there is a difference. Note that use of this context will incur a significant performance penalty.

Re: vulnerability signature with payload and negate

MCervenka — Mon, 15 Feb 2021 20:40:46 GMT

Thank you Claudec. I will try. But as I read before, this will gives us an opportunity to search in the headers?

Anyway, I will try it and post the results.

Re: vulnerability signature with payload and negate

MCervenka — Mon, 15 Feb 2021 21:02:12 GMT

Same results, unfortunately.