https://live.paloaltonetworks.com/t5/automation-api-discussions/about-custom-vulnerability-signature/m-p/21328#M540 <HTML><HEAD></HEAD><BODY><P>Cheon,</P><P></P><P>Can you get a pcap of the traffic flow including the pattern shown?&nbsp; I am not aware of how this string is used?&nbsp; (inbound to your servers of outbound from internal users) Also is the traffic encrypted? If so you wil need to decrypt it,</P><P></P><P>Phil</P></BODY></HTML> Fri, 01 Aug 2014 02:21:59 GMT HITSSEC 2014-08-01T02:21:59Z https://live.paloaltonetworks.com/t5/automation-api-discussions/about-custom-vulnerability-signature/m-p/21327#M539 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Hello,</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">My customer made vulnerability signature in FW. But FW doesn't detect this signature.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Customer Vulnerability Signature</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">context : http-req-message-body</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">pattern : <SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: Arial, Helvetica, sans-serif; color: #333333; background-color: #ecf3ea;">eval\(gzinflate\(str_rot13\(base64_decode</SPAN></P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I am searching this but I don't know.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">So I need your assistance for it.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I have read <SPAN style="font-weight: inherit; font-style: inherit; font-size: 11px; font-family: Arial, Helvetica, sans-serif; color: #333333; background-color: #ecf3ea;"><SPAN style="font-weight: inherit; font-style: inherit; font-size: 10pt; font-family: inherit;">Creating_Custom_Signatures-RevA.pdf</SPAN> </SPAN>document&nbsp;&nbsp; </P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">This document describe as the following message.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">http-req-message-body</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Description: Body content of a HTTP request when the body content cannot be recognized as URL encoded or MIME type data using the Content-type field.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Do you know to relate between not detecting signature and this description??</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks</P></BODY></HTML> Tue, 17 Jun 2014 16:01:41 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/about-custom-vulnerability-signature/m-p/21327#M539 KiCheon.Lee 2014-06-17T16:01:41Z https://live.paloaltonetworks.com/t5/automation-api-discussions/about-custom-vulnerability-signature/m-p/21328#M540 <HTML><HEAD></HEAD><BODY><P>Cheon,</P><P></P><P>Can you get a pcap of the traffic flow including the pattern shown?&nbsp; I am not aware of how this string is used?&nbsp; (inbound to your servers of outbound from internal users) Also is the traffic encrypted? If so you wil need to decrypt it,</P><P></P><P>Phil</P></BODY></HTML> Fri, 01 Aug 2014 02:21:59 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/about-custom-vulnerability-signature/m-p/21328#M540 HITSSEC 2014-08-01T02:21:59Z