https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-catch-specific-query/m-p/452166#M412 <P>Hello all</P><P>&nbsp;</P><P>I'm trying to catch suspicious ldap queries (recon activity).<BR />For the example I want catch this kind of querie : (primaryGroupID=512)</P><P>I tried to make a custom rule. However for ldap, there are only 2 possibilities:<BR />- ldap-req-searchrequest-baseobject<BR />- ldap-rsp-searchresentry-objectname<BR />both of them don't fit my needs cause they don't match the filter field.<BR /><BR /></P><P>I tried with unknown-req-tcp-payload but it did not work. Reading the forum I understood that I can't use this context since ldap is seen as a known application.<BR /><A href="https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/td-p/349450" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/td-p/349450</A><BR /><BR /></P><P>So I'm running out of ideas to catch this kind of request.</P><P>If somebody have a tips&nbsp;<BR /><BR />Thank's</P> Wed, 08 Dec 2021 18:45:51 GMT jsv93 2021-12-08T18:45:51Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-catch-specific-query/m-p/452166#M412 <P>Hello all</P><P>&nbsp;</P><P>I'm trying to catch suspicious ldap queries (recon activity).<BR />For the example I want catch this kind of querie : (primaryGroupID=512)</P><P>I tried to make a custom rule. However for ldap, there are only 2 possibilities:<BR />- ldap-req-searchrequest-baseobject<BR />- ldap-rsp-searchresentry-objectname<BR />both of them don't fit my needs cause they don't match the filter field.<BR /><BR /></P><P>I tried with unknown-req-tcp-payload but it did not work. Reading the forum I understood that I can't use this context since ldap is seen as a known application.<BR /><A href="https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/td-p/349450" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/td-p/349450</A><BR /><BR /></P><P>So I'm running out of ideas to catch this kind of request.</P><P>If somebody have a tips&nbsp;<BR /><BR />Thank's</P> Wed, 08 Dec 2021 18:45:51 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-catch-specific-query/m-p/452166#M412 jsv93 2021-12-08T18:45:51Z https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-catch-specific-query/m-p/458525#M416 <P>Please see if this helps as this is new feature in 10.0 with the enhanced signature match:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/custom-signatures/custom-threat-signature-search-full-tcp-payload-of-any-appid/td-p/349450" target="_blank" rel="noopener">Solved: LIVEcommunity - Custom threat signature- search full TCP payload of any AppId - LIVEcommunity - 349450 (paloaltonetworks.com)</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/enhanced-pattern-matching-engine.html#iddc51c078-bc5c-4c95-bba4-dd5763f2b549" target="_blank" rel="noopener">Enhanced Pattern-Matching Engine (paloaltonetworks.com)</A></P> Thu, 13 Jan 2022 09:00:31 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-for-catch-specific-query/m-p/458525#M416 nikoolayy1 2022-01-13T09:00:31Z