https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/594432#M5648 <P>Trying to use a custom vulnerability object to raise a threat alert when a user directly enters a request for access to an IPv4 address . eg <A href="http://12.34.56.78" target="_blank">http://12.34.56.78</A>&nbsp; .&nbsp; Ive created a object , with a pattern of&nbsp;(.*((?:\d{1,3}\.){3}\d{1,3})) and applied it to a vulnerability profile that is applied to a bunch of rules .&nbsp; &nbsp;I can see the rules triggered but the vulnerability is not logging as a threat , ive also had the converse where a normal URL eg <A href="http://www.xyz.com" target="_blank">http://www.xyz.com</A>&nbsp;is being flagged as a vulnerability as a false positive .&nbsp; &nbsp; Anyone had success (consistently) with custom vulnerability objects using regex patterns ?&nbsp; &nbsp; the field im using the regex pattern against is http-req-host-headers</P> Fri, 09 Aug 2024 02:18:44 GMT M.Bathgate 2024-08-09T02:18:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/594432#M5648 <P>Trying to use a custom vulnerability object to raise a threat alert when a user directly enters a request for access to an IPv4 address . eg <A href="http://12.34.56.78" target="_blank">http://12.34.56.78</A>&nbsp; .&nbsp; Ive created a object , with a pattern of&nbsp;(.*((?:\d{1,3}\.){3}\d{1,3})) and applied it to a vulnerability profile that is applied to a bunch of rules .&nbsp; &nbsp;I can see the rules triggered but the vulnerability is not logging as a threat , ive also had the converse where a normal URL eg <A href="http://www.xyz.com" target="_blank">http://www.xyz.com</A>&nbsp;is being flagged as a vulnerability as a false positive .&nbsp; &nbsp; Anyone had success (consistently) with custom vulnerability objects using regex patterns ?&nbsp; &nbsp; the field im using the regex pattern against is http-req-host-headers</P> Fri, 09 Aug 2024 02:18:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/594432#M5648 M.Bathgate 2024-08-09T02:18:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595470#M5697 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222803057">@M.Bathgate</a> ,</P> <P>As mentioned here - <A href="https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/http-req-host-header" target="_blank">http-req-host-header Context (paloaltonetworks.com)</A> you may need to specify start and end anchors&nbsp;<BR /><BR /></P> <LI-CODE lang="markup">To initiate an exact match search, you must add a &lt;space&gt; before the pattern and ‘\r\n’ after the pattern on PAN-OS 9.1 and earlier. Starting with PAN-OS 10.0 you can use the following anchor characters: ^ and $ to specify a string start and end.</LI-CODE> <P>&nbsp;Also are you applying SSL decryption for this traffic? As you try to check the HTTP host header the firewall will need to decrypt the traffic first.</P> <P>&nbsp;</P> <P>If not, you may need to use <A href="https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/string-contexts/ssl-req-chello-sni" target="_blank">ssl-req-chello-sni (paloaltonetworks.com)</A> for context</P> Wed, 21 Aug 2024 12:07:07 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595470#M5697 aleksandar.astardzhiev 2024-08-21T12:07:07Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595513#M5701 <P>Thanks,&nbsp; tried those ^ $&nbsp; wasnt sure if they were working or not at the time, as they seemed to make no difference .&nbsp; Re SSL , yes decrypted . As a test ive tried test sites under http and https , and again mixed results . Wondering if the policy isnt getting consistently applied for some reason</P> Wed, 21 Aug 2024 20:53:31 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595513#M5701 M.Bathgate 2024-08-21T20:53:31Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595581#M5706 <P>Hey <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/222803057">@M.Bathgate</a> ,</P> <P>&nbsp;</P> <P>Can you share the full custom vulnerability obect that you have created?</P> <P>Are you using any <A href="https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/custom-signature-contexts/context-qualifiers" target="_blank">Context Qualifiers (paloaltonetworks.com)</A> ?</P> Thu, 22 Aug 2024 06:12:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595581#M5706 aleksandar.astardzhiev 2024-08-22T06:12:12Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595694#M5714 <P>Those context qualifiers look interesting , but i havent used them , all ive done is a basic vulnerability object under custom objects , with a signature pattern specified against the&nbsp;http-req-host-header . Thanks for the headsup regarding context qualifiers , they look useful for some other purposes</P> Thu, 22 Aug 2024 21:48:12 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/custom-vulnerability-object-trigger/m-p/595694#M5714 M.Bathgate 2024-08-22T21:48:12Z