https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/386589#M1076 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131110">@Mohammed_Yasin</a>,</P><P>&nbsp;</P><P><SPAN>http_method in the Custom Vulnerability Object is the&nbsp;http-method&nbsp;Qualifier and the&nbsp;http_client_body is the&nbsp;http-req-message-body&nbsp;Context, i.e.,:<BR /></SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CCACieszkowski_0-1613654715614.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29986i6339FFA5491F1095/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CCACieszkowski_0-1613654715614.png" alt="CCACieszkowski_0-1613654715614.png" /></span></P><P>&nbsp;</P><P>Albert</P> Thu, 18 Feb 2021 13:25:53 GMT CCACieszkowski 2021-02-18T13:25:53Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/354737#M962 <P>creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.</P><P>Shall we create a context operator or how it can add the pattern if the context operator is not available?</P><P>&nbsp;</P><P>For example:</P><P>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST";<SPAN>&nbsp;</SPAN><FONT color="#FF0000">http_method</FONT>; content:"<FONT color="#333399">Content-Type|3a 20|multipart/form-data|3b 20|boundary=</FONT>"; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary";<SPAN>&nbsp;</SPAN><FONT color="#FF0000">http_client_body</FONT>;<SPAN>&nbsp;</SPAN><FONT color="#333399">content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i</FONT>"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)</P><P>&nbsp;</P><P>Not available</P><P><FONT color="#FF0000">http_method</FONT></P><P><FONT color="#FF0000">http_client_body</FONT></P><P>&nbsp;</P><P><FONT color="#FF0000"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Snort.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28124i30D6D4D2680C3C38/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Snort.jpg" alt="Snort.jpg" /></span></FONT></P> Wed, 07 Oct 2020 07:17:15 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/354737#M962 Mohammed_Yasin 2020-10-07T07:17:15Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/354986#M963 <P>Hello,</P> <P>Writing custom signatures is something I always leave to the vendors, its their job :). If you setup your PAN with the everything turned on, anti-virus, spyware, url filtering, dns sinkhole, using secure dns (even if it snot PAN's), SSL Decrypt, wildfire, tight policies, I think you will find not much if anything can get through. Also enable the telemetry to be sent to PAN, it helps hem write signatures for everyone :), a small way to give back.</P> <P>&nbsp;</P> <P>Also use best practices on the rest of the network as well as endpoints (AV etc).&nbsp;</P> <P>&nbsp;</P> <P>You can always use their threat db to search and see if they already have something. If they dont put in a TAC request and they'll work on one.</P> <P><A href="https://threatvault.paloaltonetworks.com/" target="_blank">https://threatvault.paloaltonetworks.com/</A></P> <P>&nbsp;</P> <P>Regards,</P> Wed, 07 Oct 2020 21:42:06 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/354986#M963 OtakarKlier 2020-10-07T21:42:06Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/358020#M969 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;wrote:<BR /><P>Hello,&nbsp;<A href="https://8ball-pool.io" target="_self"><FONT size="1 2 3 4 5 6 7" color="#FFFFFF">8 ball pool</FONT></A></P><P>Writing custom signatures is something I always leave to the vendors, its their job :). If you setup your PAN with the everything turned on, anti-virus, spyware, url filtering, dns sinkhole, using secure dns (even if it snot PAN's), SSL Decrypt, wildfire, tight policies, I think you will find not much if anything can get through. Also enable the telemetry to be sent to PAN, it helps hem write signatures for everyone :), a small way to give back.</P><P>&nbsp;</P><P>Also use best practices on the rest of the network as well as endpoints (AV etc).&nbsp;</P><P>&nbsp;</P><P>You can always use their threat db to search and see if they already have something. If they dont put in a TAC request and they'll work on one.</P><P><A href="https://threatvault.paloaltonetworks.com/" target="_blank" rel="noopener">https://threatvault.paloaltonetworks.com/</A></P><P>&nbsp;</P><P>Regards,</P><HR /></BLOCKQUOTE><P>Thank you very much!! Very useful advice</P> Mon, 26 Oct 2020 08:25:38 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/358020#M969 leonblum 2020-10-26T08:25:38Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/386589#M1076 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/131110">@Mohammed_Yasin</a>,</P><P>&nbsp;</P><P><SPAN>http_method in the Custom Vulnerability Object is the&nbsp;http-method&nbsp;Qualifier and the&nbsp;http_client_body is the&nbsp;http-req-message-body&nbsp;Context, i.e.,:<BR /></SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CCACieszkowski_0-1613654715614.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29986i6339FFA5491F1095/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="CCACieszkowski_0-1613654715614.png" alt="CCACieszkowski_0-1613654715614.png" /></span></P><P>&nbsp;</P><P>Albert</P> Thu, 18 Feb 2021 13:25:53 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/custom-snort-signature-add-the-pattern-if-the-context-operator/m-p/386589#M1076 CCACieszkowski 2021-02-18T13:25:53Z