topic Example to detect SMTP 550 (destination email address does not exist) in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/example-to-detect-smtp-550-destination-email-address-does-not/m-p/67525#M6 <P>Here is an example to alert when a server responds with SMTP 550 (mailbox does not exist). The context used is 'smtp-rsp-content' and the pattern to be matched is '550\ 5\.1\.1'.<BR />&lt;pattern&gt;550\ 5\.1\.1&lt;/pattern&gt;<BR />&lt;context&gt;smtp-rsp-content&lt;/context&gt;</P> <P>&nbsp;</P> <P>Full example signature(7.0) attached 'sample_smtp_vulnerability_41002.xml'</P> <P>&nbsp;</P> <P>Next, assume we would like to detect 10 triggers for this in a 60 second interval, we can create a combination brute force signature that looks for the signature created earlier:<BR />&lt;combination&gt;<BR />&lt;time-attribute&gt;<BR />&lt;interval&gt;60&lt;/interval&gt;<BR />&lt;threshold&gt;10&lt;/threshold&gt;<BR />&lt;/time-attribute&gt;<BR />&lt;and-condition&gt;<BR />&lt;entry name="And Condition 1"&gt;<BR />&lt;or-condition&gt;<BR />&lt;entry name="Or Condition 1"&gt;<BR />&lt;threat-id&gt;41002&lt;/threat-id&gt;</P> <P>&nbsp;</P> <P>Full signature attached as 'sample_brute_vulnerability_41003.xml'.</P> <P>&nbsp;</P> <P>For further information on custom signatures, please refer to the document at: <BR /><A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569" target="_blank">https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569</A></P> Fri, 30 Oct 2015 23:20:15 GMT goku123 2015-10-30T23:20:15Z Example to detect SMTP 550 (destination email address does not exist) https://live.paloaltonetworks.com/t5/custom-signatures/example-to-detect-smtp-550-destination-email-address-does-not/m-p/67525#M6 <P>Here is an example to alert when a server responds with SMTP 550 (mailbox does not exist). The context used is 'smtp-rsp-content' and the pattern to be matched is '550\ 5\.1\.1'.<BR />&lt;pattern&gt;550\ 5\.1\.1&lt;/pattern&gt;<BR />&lt;context&gt;smtp-rsp-content&lt;/context&gt;</P> <P>&nbsp;</P> <P>Full example signature(7.0) attached 'sample_smtp_vulnerability_41002.xml'</P> <P>&nbsp;</P> <P>Next, assume we would like to detect 10 triggers for this in a 60 second interval, we can create a combination brute force signature that looks for the signature created earlier:<BR />&lt;combination&gt;<BR />&lt;time-attribute&gt;<BR />&lt;interval&gt;60&lt;/interval&gt;<BR />&lt;threshold&gt;10&lt;/threshold&gt;<BR />&lt;/time-attribute&gt;<BR />&lt;and-condition&gt;<BR />&lt;entry name="And Condition 1"&gt;<BR />&lt;or-condition&gt;<BR />&lt;entry name="Or Condition 1"&gt;<BR />&lt;threat-id&gt;41002&lt;/threat-id&gt;</P> <P>&nbsp;</P> <P>Full signature attached as 'sample_brute_vulnerability_41003.xml'.</P> <P>&nbsp;</P> <P>For further information on custom signatures, please refer to the document at: <BR /><A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569" target="_blank">https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569</A></P> Fri, 30 Oct 2015 23:20:15 GMT https://live.paloaltonetworks.com/t5/custom-signatures/example-to-detect-smtp-550-destination-email-address-does-not/m-p/67525#M6 goku123 2015-10-30T23:20:15Z