https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/48641#M1097 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Hi,</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">we are trying to create&nbsp; custom vulnerability signature for triggering on the specific string in the udp packet payload with&nbsp; destination port 5060. Unfortunately there is no context for SIP. We used "Pattern Match" and chose "unknown -req-udp-payload" as a context. We applied a Vulnerability protection profile to the security policy (a rule allowing everything) but for some reason this didn't work as we expected. I mean we didn't receive any alert in the Threat log.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Is it possible to use "unknown -req-udp-payload" context for such purpose or it is intended only for the "unknown-udp" applications? Any other idea for creating such signature?</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Thanks.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Leonid</P></BODY></HTML> Thu, 01 Aug 2013 14:04:38 GMT lzolotonos 2013-08-01T14:04:38Z https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/48641#M1097 <HTML><HEAD></HEAD><BODY><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Hi,</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">we are trying to create&nbsp; custom vulnerability signature for triggering on the specific string in the udp packet payload with&nbsp; destination port 5060. Unfortunately there is no context for SIP. We used "Pattern Match" and chose "unknown -req-udp-payload" as a context. We applied a Vulnerability protection profile to the security policy (a rule allowing everything) but for some reason this didn't work as we expected. I mean we didn't receive any alert in the Threat log.</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Is it possible to use "unknown -req-udp-payload" context for such purpose or it is intended only for the "unknown-udp" applications? Any other idea for creating such signature?</P><P></P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Thanks.</P><P style="font-size: 12px; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;">Leonid</P></BODY></HTML> Thu, 01 Aug 2013 14:04:38 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/48641#M1097 lzolotonos 2013-08-01T14:04:38Z https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/48642#M1098 <HTML><HEAD></HEAD><BODY><P>You'll need to contact TAC and ask for them to open up SIP contexts in custom vulnerability signatures.&nbsp; This is something that can be done through a content update.&nbsp; The "unknown" contexts you refer to are only applicable to "unknown-tcp" and "unknown-udp" App-IDs.&nbsp; </P></BODY></HTML> Thu, 01 Aug 2013 15:25:50 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/48642#M1098 jvalentine 2013-08-01T15:25:50Z