https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45075#M1034 <HTML><HEAD></HEAD><BODY><P>Lewis and mmarceli,</P><P></P><P>You are partially correct. The pattern match&nbsp; with the context http-req-uri-path should contain only the path after the domain name.&nbsp; In the example above it may be a bit confusing.&nbsp; If you want to block all connections to URLs containing /babykit.html then you probably should have a pattern of&nbsp; /babykit\.html&nbsp;&nbsp; since the "." is a wildcard character the "\" preceding it indicates that we want to match against a period "."&nbsp;&nbsp; The action for the signature would be a reset probably.</P><P></P><P>Hope this helps </P><P></P><P>Phil</P></BODY></HTML> Thu, 13 Nov 2014 19:23:16 GMT HITSSEC 2014-11-13T19:23:16Z https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45073#M1032 <HTML><HEAD></HEAD><BODY><P>Is there a way to create a signature to block or alert as referenced by this website...</P><P><A href="http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27208" style="font-size: 10pt; line-height: 1.5em;" title="http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27208">http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27208</A></P><P></P><P>The sample url comes from the link below</P><P></P><P><A href="http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html" title="http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html">http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html</A></P><P></P><P>If this signature is already in the latest updates, please let us know.</P></BODY></HTML> Wed, 12 Nov 2014 21:23:16 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45073#M1032 mmarceli 2014-11-12T21:23:16Z https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45074#M1033 <HTML><HEAD></HEAD><BODY><P>You could create a custom vulnerability signature, in this case for <A href="http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html" rel="nofollow" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #006595;" title="http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html">http://l.facebook.com/l/8AQEvKJix/christmasoffers.org/babykit.html</A> you could accomplish it by creating a http-req-uri-path signature with christmasoffers.org/babykit.html</P><P><IMG alt="test.PNG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16859_test.PNG" style="height: auto;" /></P></BODY></HTML> Thu, 13 Nov 2014 16:08:02 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45074#M1033 lewis 2014-11-13T16:08:02Z https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45075#M1034 <HTML><HEAD></HEAD><BODY><P>Lewis and mmarceli,</P><P></P><P>You are partially correct. The pattern match&nbsp; with the context http-req-uri-path should contain only the path after the domain name.&nbsp; In the example above it may be a bit confusing.&nbsp; If you want to block all connections to URLs containing /babykit.html then you probably should have a pattern of&nbsp; /babykit\.html&nbsp;&nbsp; since the "." is a wildcard character the "\" preceding it indicates that we want to match against a period "."&nbsp;&nbsp; The action for the signature would be a reset probably.</P><P></P><P>Hope this helps </P><P></P><P>Phil</P></BODY></HTML> Thu, 13 Nov 2014 19:23:16 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/creating-custom-signatures/m-p/45075#M1034 HITSSEC 2014-11-13T19:23:16Z