topic How would I create a custom threat signature that looks for a server's &quot;invalid username&quot; response to a failed login attempt? in Automation/API Discussions https://live.paloaltonetworks.com/t5/automation-api-discussions/how-would-i-create-a-custom-threat-signature-that-looks-for-a/m-p/10949#M300 <HTML><HEAD></HEAD><BODY><P class="p1">Hi,</P><P class="p1"></P><P class="p1">I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the wordpress brute force combination signature they included (monitoring http POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts (good or bad), but bad attempts based on the site returning the text "bad password", or "invalid username". Is this possible? I don't mind reading more documentation regarding custom signatures if it's available, I've just not seen any other documents yet that give an example like this.</P><P class="p2"></P><P class="p1">I did take a pcap of the exchange between client and server. I see the text in the pcap, but still not sure which context to use to search for the string. The client sends an http POST to wp-login.php, and then the server issues an http 200 response and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but still unable to match the text in the exchange.</P><P class="p2"></P><P class="p1">Thanks! </P><P class="p1"></P><P class="p1">POST /login/ HTTP/1.1</P><P class="p1">Host: www.mysite.com</P><P class="p1">Connection: keep-alive</P><P class="p1">Content-Length: 164</P><P class="p1">Cache-Control: max-age=0</P><P class="p1">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</P><P class="p3"><SPAN class="s1">Origin: <A href="http://www.mysite.com/"><SPAN class="s2">http://www.mysite.com</SPAN></A></SPAN></P><P class="p1">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36</P><P class="p1">Content-Type: application/x-www-form-urlencoded</P><P class="p3"><SPAN class="s1">Referer: <A href="http://www.mysite.com/login/"><SPAN class="s2">http://www.mysite.com/login/</SPAN></A></SPAN></P><P class="p1">Accept-Encoding: gzip,deflate,sdch</P><P class="p1">Accept-Language: en-US,en;q=0.8</P><P class="p1">Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check</P><P class="p1"></P><P class="p1"></P><P class="p1">log=ed&amp;pwd=ed&amp;cptch_result=87Q%3D&amp;cptch_time=1393918888&amp;cptch_number=6&amp;wp-submit=Log+In&amp;redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&amp;testcookie=1HTTP/1.1 200 OK</P><P class="p1">Date: Tue, 04 Mar 2014 07:44:02 GMT</P><P class="p1">Server: Apache/2.2.15 (CentOS)</P><P class="p1">X-Powered-By: PHP/5.3.3</P><P class="p1">Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/</P><P class="p1">Expires: Thu, 19 Nov 1981 08:52:00 GMT</P><P class="p1">Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0</P><P class="p1">Pragma: no-cache</P><P class="p1">Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/</P><P class="p1">X-Frame-Options: SAMEORIGIN</P><P class="p1">Content-Length: 4373</P><P class="p1">Connection: close</P><P class="p1">Content-Type: text/html; charset=UTF-8</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;!DOCTYPE html&gt;</P><P class="p1">&nbsp; &lt;!--[if IE 8]&gt;</P><P class="p1">&nbsp; &lt;html xmlns="<A href="http://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml</A>" class="ie8" lang="en-US"&gt;</P><P class="p1">&nbsp; &lt;![endif]--&gt;</P><P class="p1">&nbsp; &lt;!--[if !(IE <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> ]&gt;&lt;!--&gt;</P><P class="p1">&nbsp; &lt;html xmlns="<A href="http://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml</A>" lang="en-US"&gt;</P><P class="p1">&nbsp; &lt;!--&lt;![endif]--&gt;</P><P class="p1">&nbsp; &lt;head&gt;</P><P class="p1">&nbsp; &lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /&gt;</P><P class="p1">&nbsp; &lt;title&gt;mysite www &amp;rsaquo; Log In&lt;/title&gt;</P><P class="p1">&nbsp; &lt;link rel='stylesheet' id='open-sans-css'&nbsp; href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&amp;#038;subset=latin%2Clatin-ext&amp;#038;ver=3.8.1' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='dashicons-css'&nbsp; href='<A href="http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1">http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='wp-admin-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='buttons-css'&nbsp; href='<A href="http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1">http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='colors-fresh-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;!--[if lte IE 7]&gt;</P><P class="p1">&lt;link rel='stylesheet' id='ie-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;![endif]--&gt;</P><P class="p1">&lt;meta name='robots' content='noindex,follow' /&gt;</P><P class="p1">&lt;script type="text/javascript"&gt;</P><P class="p1">addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};</P><P class="p1">function s(id,pos){g(id).left=pos+'px';}</P><P class="p1">function g(id){return document.getElementById(id).style;}</P><P class="p1">function shake(id,a,d){c=a.shift();s(id,c);if(a.length&gt;0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}</P><P class="p1">addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});</P><P class="p1">&lt;/script&gt;</P><P class="p1">&nbsp; &lt;/head&gt;</P><P class="p1">&nbsp; &lt;body class="login login-action-login wp-core-ui"&gt;</P><P class="p1">&nbsp; &lt;div id="login"&gt;</P><P class="p1">&nbsp; &lt;h1&gt;&lt;a href="<A href="http://wordpress.org/">http://wordpress.org/</A>" title="Powered by WordPress"&gt;mysite www&lt;/a&gt;&lt;/h1&gt;</P><P class="p1">&nbsp; &lt;div id="login_error"&gt; &lt;strong&gt;ERROR&lt;/strong&gt;: Invalid username. &lt;a href="<A href="http://www.mysite.com/login/?action=lostpassword">http://www.mysite.com/login/?action=lostpassword</A>" title="Password Lost and Found"&gt;Lost your password&lt;/a&gt;?&lt;br /&gt;</P><P class="p1">&lt;/div&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;form name="loginform" id="loginform" action="<A href="http://www.mysite.com/login/">http://www.mysite.com/login/</A>" method="post"&gt;</P><P class="p1">&nbsp; &lt;p&gt;</P><P class="p1">&nbsp; &lt;label for="user_login"&gt;Username&lt;br /&gt;</P><P class="p1">&nbsp; &lt;input type="text" name="log" id="user_login" class="input" value="" size="20" /&gt;&lt;/label&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;p&gt;</P><P class="p1">&nbsp; &lt;label for="user_pass"&gt;Password&lt;br /&gt;</P><P class="p1">&nbsp; &lt;input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /&gt;&lt;/label&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;p class="cptch_block"&gt;&lt;br /&gt; &lt;input type="hidden" name="cptch_result" value="hIE=" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="cptch_time" value="1393919042" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" value="Version: 2.4" /&gt;</P><P class="p1">&nbsp; 1 &amp;#43; on&amp;#101; =&nbsp; &lt;input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /&gt; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;br /&gt; &lt;p class="forgetmenot"&gt;&lt;label for="rememberme"&gt;&lt;input name="rememberme" type="checkbox" id="rememberme" value="forever"&nbsp; /&gt; Remember Me&lt;/label&gt;&lt;/p&gt;</P><P class="p1">&nbsp; &lt;p class="submit"&gt;</P><P class="p1">&nbsp; &lt;input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="redirect_to" value="<A href="http://www.mysite.com/wp-admin/">http://www.mysite.com/wp-admin/</A>" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="testcookie" value="1" /&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&lt;/form&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;p id="nav"&gt;</P><P class="p1">&nbsp; &lt;a href="<A href="http://www.mysite.com/login/?action=lostpassword">http://www.mysite.com/login/?action=lostpassword</A>" title="Password Lost and Found"&gt;Lost your password?&lt;/a&gt;</P><P class="p1">&lt;/p&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;script type="text/javascript"&gt;</P><P class="p1">function wp_attempt_focus(){</P><P class="p1">setTimeout( function(){ try{</P><P class="p1">d = document.getElementById('user_login');</P><P class="p1">if( d.value != '' )</P><P class="p1">d.value = '';</P><P class="p1">d.focus();</P><P class="p1">d.select();</P><P class="p1">} catch(e){}</P><P class="p1">}, 200);</P><P class="p1">}</P><P class="p1"></P><P class="p1"></P><P class="p1">if(typeof wpOnload=='function')wpOnload();</P><P class="p1">&lt;/script&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&nbsp; &lt;p id="backtoblog"&gt;&lt;a href="<A href="http://www.mysite.com/">http://www.mysite.com/</A>" title="Are you lost?"&gt;&amp;larr; Back to mysite www&lt;/a&gt;&lt;/p&gt;</P><P class="p1"></P><P class="p1">&nbsp; &lt;/div&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1"></P><P class="p1">&nbsp; &lt;div class="clear"&gt;&lt;/div&gt;</P><P class="p1">&nbsp; &lt;/body&gt;</P><P class="p1">&nbsp; &lt;/html&gt;</P></BODY></HTML> Tue, 04 Mar 2014 19:47:35 GMT itmgr 2014-03-04T19:47:35Z How would I create a custom threat signature that looks for a server's "invalid username" response to a failed login attempt? https://live.paloaltonetworks.com/t5/automation-api-discussions/how-would-i-create-a-custom-threat-signature-that-looks-for-a/m-p/10949#M300 <HTML><HEAD></HEAD><BODY><P class="p1">Hi,</P><P class="p1"></P><P class="p1">I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the wordpress brute force combination signature they included (monitoring http POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts (good or bad), but bad attempts based on the site returning the text "bad password", or "invalid username". Is this possible? I don't mind reading more documentation regarding custom signatures if it's available, I've just not seen any other documents yet that give an example like this.</P><P class="p2"></P><P class="p1">I did take a pcap of the exchange between client and server. I see the text in the pcap, but still not sure which context to use to search for the string. The client sends an http POST to wp-login.php, and then the server issues an http 200 response and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but still unable to match the text in the exchange.</P><P class="p2"></P><P class="p1">Thanks! </P><P class="p1"></P><P class="p1">POST /login/ HTTP/1.1</P><P class="p1">Host: www.mysite.com</P><P class="p1">Connection: keep-alive</P><P class="p1">Content-Length: 164</P><P class="p1">Cache-Control: max-age=0</P><P class="p1">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</P><P class="p3"><SPAN class="s1">Origin: <A href="http://www.mysite.com/"><SPAN class="s2">http://www.mysite.com</SPAN></A></SPAN></P><P class="p1">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36</P><P class="p1">Content-Type: application/x-www-form-urlencoded</P><P class="p3"><SPAN class="s1">Referer: <A href="http://www.mysite.com/login/"><SPAN class="s2">http://www.mysite.com/login/</SPAN></A></SPAN></P><P class="p1">Accept-Encoding: gzip,deflate,sdch</P><P class="p1">Accept-Language: en-US,en;q=0.8</P><P class="p1">Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check</P><P class="p1"></P><P class="p1"></P><P class="p1">log=ed&amp;pwd=ed&amp;cptch_result=87Q%3D&amp;cptch_time=1393918888&amp;cptch_number=6&amp;wp-submit=Log+In&amp;redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&amp;testcookie=1HTTP/1.1 200 OK</P><P class="p1">Date: Tue, 04 Mar 2014 07:44:02 GMT</P><P class="p1">Server: Apache/2.2.15 (CentOS)</P><P class="p1">X-Powered-By: PHP/5.3.3</P><P class="p1">Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/</P><P class="p1">Expires: Thu, 19 Nov 1981 08:52:00 GMT</P><P class="p1">Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0</P><P class="p1">Pragma: no-cache</P><P class="p1">Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/</P><P class="p1">X-Frame-Options: SAMEORIGIN</P><P class="p1">Content-Length: 4373</P><P class="p1">Connection: close</P><P class="p1">Content-Type: text/html; charset=UTF-8</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;!DOCTYPE html&gt;</P><P class="p1">&nbsp; &lt;!--[if IE 8]&gt;</P><P class="p1">&nbsp; &lt;html xmlns="<A href="http://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml</A>" class="ie8" lang="en-US"&gt;</P><P class="p1">&nbsp; &lt;![endif]--&gt;</P><P class="p1">&nbsp; &lt;!--[if !(IE <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span> ]&gt;&lt;!--&gt;</P><P class="p1">&nbsp; &lt;html xmlns="<A href="http://www.w3.org/1999/xhtml">http://www.w3.org/1999/xhtml</A>" lang="en-US"&gt;</P><P class="p1">&nbsp; &lt;!--&lt;![endif]--&gt;</P><P class="p1">&nbsp; &lt;head&gt;</P><P class="p1">&nbsp; &lt;meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /&gt;</P><P class="p1">&nbsp; &lt;title&gt;mysite www &amp;rsaquo; Log In&lt;/title&gt;</P><P class="p1">&nbsp; &lt;link rel='stylesheet' id='open-sans-css'&nbsp; href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&amp;#038;subset=latin%2Clatin-ext&amp;#038;ver=3.8.1' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='dashicons-css'&nbsp; href='<A href="http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1">http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='wp-admin-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='buttons-css'&nbsp; href='<A href="http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1">http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;link rel='stylesheet' id='colors-fresh-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;!--[if lte IE 7]&gt;</P><P class="p1">&lt;link rel='stylesheet' id='ie-css'&nbsp; href='<A href="http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1">http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1</A>' type='text/css' media='all' /&gt;</P><P class="p1">&lt;![endif]--&gt;</P><P class="p1">&lt;meta name='robots' content='noindex,follow' /&gt;</P><P class="p1">&lt;script type="text/javascript"&gt;</P><P class="p1">addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};</P><P class="p1">function s(id,pos){g(id).left=pos+'px';}</P><P class="p1">function g(id){return document.getElementById(id).style;}</P><P class="p1">function shake(id,a,d){c=a.shift();s(id,c);if(a.length&gt;0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}</P><P class="p1">addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});</P><P class="p1">&lt;/script&gt;</P><P class="p1">&nbsp; &lt;/head&gt;</P><P class="p1">&nbsp; &lt;body class="login login-action-login wp-core-ui"&gt;</P><P class="p1">&nbsp; &lt;div id="login"&gt;</P><P class="p1">&nbsp; &lt;h1&gt;&lt;a href="<A href="http://wordpress.org/">http://wordpress.org/</A>" title="Powered by WordPress"&gt;mysite www&lt;/a&gt;&lt;/h1&gt;</P><P class="p1">&nbsp; &lt;div id="login_error"&gt; &lt;strong&gt;ERROR&lt;/strong&gt;: Invalid username. &lt;a href="<A href="http://www.mysite.com/login/?action=lostpassword">http://www.mysite.com/login/?action=lostpassword</A>" title="Password Lost and Found"&gt;Lost your password&lt;/a&gt;?&lt;br /&gt;</P><P class="p1">&lt;/div&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;form name="loginform" id="loginform" action="<A href="http://www.mysite.com/login/">http://www.mysite.com/login/</A>" method="post"&gt;</P><P class="p1">&nbsp; &lt;p&gt;</P><P class="p1">&nbsp; &lt;label for="user_login"&gt;Username&lt;br /&gt;</P><P class="p1">&nbsp; &lt;input type="text" name="log" id="user_login" class="input" value="" size="20" /&gt;&lt;/label&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;p&gt;</P><P class="p1">&nbsp; &lt;label for="user_pass"&gt;Password&lt;br /&gt;</P><P class="p1">&nbsp; &lt;input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /&gt;&lt;/label&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;p class="cptch_block"&gt;&lt;br /&gt; &lt;input type="hidden" name="cptch_result" value="hIE=" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="cptch_time" value="1393919042" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" value="Version: 2.4" /&gt;</P><P class="p1">&nbsp; 1 &amp;#43; on&amp;#101; =&nbsp; &lt;input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /&gt; &lt;/p&gt;</P><P class="p1">&nbsp; &lt;br /&gt; &lt;p class="forgetmenot"&gt;&lt;label for="rememberme"&gt;&lt;input name="rememberme" type="checkbox" id="rememberme" value="forever"&nbsp; /&gt; Remember Me&lt;/label&gt;&lt;/p&gt;</P><P class="p1">&nbsp; &lt;p class="submit"&gt;</P><P class="p1">&nbsp; &lt;input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="redirect_to" value="<A href="http://www.mysite.com/wp-admin/">http://www.mysite.com/wp-admin/</A>" /&gt;</P><P class="p1">&nbsp; &lt;input type="hidden" name="testcookie" value="1" /&gt;</P><P class="p1">&nbsp; &lt;/p&gt;</P><P class="p1">&lt;/form&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;p id="nav"&gt;</P><P class="p1">&nbsp; &lt;a href="<A href="http://www.mysite.com/login/?action=lostpassword">http://www.mysite.com/login/?action=lostpassword</A>" title="Password Lost and Found"&gt;Lost your password?&lt;/a&gt;</P><P class="p1">&lt;/p&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&lt;script type="text/javascript"&gt;</P><P class="p1">function wp_attempt_focus(){</P><P class="p1">setTimeout( function(){ try{</P><P class="p1">d = document.getElementById('user_login');</P><P class="p1">if( d.value != '' )</P><P class="p1">d.value = '';</P><P class="p1">d.focus();</P><P class="p1">d.select();</P><P class="p1">} catch(e){}</P><P class="p1">}, 200);</P><P class="p1">}</P><P class="p1"></P><P class="p1"></P><P class="p1">if(typeof wpOnload=='function')wpOnload();</P><P class="p1">&lt;/script&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1">&nbsp; &lt;p id="backtoblog"&gt;&lt;a href="<A href="http://www.mysite.com/">http://www.mysite.com/</A>" title="Are you lost?"&gt;&amp;larr; Back to mysite www&lt;/a&gt;&lt;/p&gt;</P><P class="p1"></P><P class="p1">&nbsp; &lt;/div&gt;</P><P class="p1"></P><P class="p1"></P><P class="p1"></P><P class="p1">&nbsp; &lt;div class="clear"&gt;&lt;/div&gt;</P><P class="p1">&nbsp; &lt;/body&gt;</P><P class="p1">&nbsp; &lt;/html&gt;</P></BODY></HTML> Tue, 04 Mar 2014 19:47:35 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/how-would-i-create-a-custom-threat-signature-that-looks-for-a/m-p/10949#M300 itmgr 2014-03-04T19:47:35Z