https://live.paloaltonetworks.com/t5/custom-signatures/signature-based-http-req-message-body/m-p/537446#M466 <P>You may see this post for how to try regex match <A href="https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-versions/td-p/518666" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-versions/td-p/518666</A> as the regex match should be added in ( ).</P> Mon, 03 Apr 2023 14:12:05 GMT nikoolayy1 2023-04-03T14:12:05Z https://live.paloaltonetworks.com/t5/custom-signatures/signature-based-http-req-message-body/m-p/536780#M464 <P>HI all,</P> <P>I'm trying to create a custom signature based on the POST payload the client is sending.</P> <P>This is the POST collected from the server:</P> <P>&nbsp;</P> <LI-CODE lang="markup">POST /pds HTTP/1.1 Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Referer: https://aaa.com.cn Accept-Language: zh-CN User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: aaa.com.cn Content-Length: 276 Connection: Keep-Alive Cache-Control: no-cache X-Forwarded-Proto:https Cookie: __Secure-UqZBpD3n3keyY3Yp6VvxpmySSbQF5o9Gf5ec6w__=v1FKp4gw__Zls func=login&amp;calling_system=primo&amp;term1=short&amp;institute=12ABC&amp;selfreg=&amp;bor_id=1&amp;bor_verification=1&amp;url=http%3A%2F%2Faaa.com.cn%2Ftransition%3FtargetUrl%3Dhttp%253A%252F%252Faaa.com.cn%252Fhelp%252Fcontent%253Fid%253DmyLibrary</LI-CODE> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">&nbsp;</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">I am trying to create a signature that will alert each time the payload contains:</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">"func=login&amp;calling_system=primo&amp;term1=short&amp;institute="</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">&nbsp;</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">Can you guide me through the configuration?</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">&nbsp;</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">Thanks in advanced,</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;">Noam.</P> <P style="-qt-block-indent: 0; text-indent: 0px; margin: 0px;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="body.png" style="width: 959px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/49064i2DDE834BF45B107C/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="body.png" alt="body.png" /></span></P> Tue, 28 Mar 2023 10:37:02 GMT https://live.paloaltonetworks.com/t5/custom-signatures/signature-based-http-req-message-body/m-p/536780#M464 NoamRotter 2023-03-28T10:37:02Z https://live.paloaltonetworks.com/t5/custom-signatures/signature-based-http-req-message-body/m-p/537446#M466 <P>You may see this post for how to try regex match <A href="https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-versions/td-p/518666" target="_blank">https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-versions/td-p/518666</A> as the regex match should be added in ( ).</P> Mon, 03 Apr 2023 14:12:05 GMT https://live.paloaltonetworks.com/t5/custom-signatures/signature-based-http-req-message-body/m-p/537446#M466 nikoolayy1 2023-04-03T14:12:05Z