<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Signature Review/Modification in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2356#M1741</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I tried searching through the discussions but didn't see anything regarding this. Is it possible to see what the actual threats are matching on? Essentially what their signature is so I can make a more accurate analysis of the validity. For example, Scripts/Win32.Rsrc.o is classified as a Medium severity virus threat. The description is simply "This signature detected Scripts/Win32.Rsrc.o" which doesn't allow me to make any sort of knowledgeable decision regarding next-steps for investigation. I haven't dropped down to the CLI yet to see if it's possible to peer into the signatures and figure out what exactly is being keyed off in the packet, but I would hope this feature exists within the web UI.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In addition to the above, is it possible to modify the signatures and define what networks (src/dst) would be required to trigger it? Our company has a lot of home-grown apps which trigger on things that are not malicious; however, I don't want my only available course of action to be excluding it entirely from triggering.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 21 Sep 2011 17:08:16 GMT</pubDate>
    <dc:creator>jeff_white1</dc:creator>
    <dc:date>2011-09-21T17:08:16Z</dc:date>
    <item>
      <title>Signature Review/Modification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2356#M1741</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I tried searching through the discussions but didn't see anything regarding this. Is it possible to see what the actual threats are matching on? Essentially what their signature is so I can make a more accurate analysis of the validity. For example, Scripts/Win32.Rsrc.o is classified as a Medium severity virus threat. The description is simply "This signature detected Scripts/Win32.Rsrc.o" which doesn't allow me to make any sort of knowledgeable decision regarding next-steps for investigation. I haven't dropped down to the CLI yet to see if it's possible to peer into the signatures and figure out what exactly is being keyed off in the packet, but I would hope this feature exists within the web UI.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;In addition to the above, is it possible to modify the signatures and define what networks (src/dst) would be required to trigger it? Our company has a lot of home-grown apps which trigger on things that are not malicious; however, I don't want my only available course of action to be excluding it entirely from triggering.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Sep 2011 17:08:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2356#M1741</guid>
      <dc:creator>jeff_white1</dc:creator>
      <dc:date>2011-09-21T17:08:16Z</dc:date>
    </item>
    <item>
      <title>Re: Signature Review/Modification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2357#M1742</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Looked in the CLI and the patterns are all encrypted (proprietary issue I assume). I also can't seem to find a way to edit the predefined signatures for the second part of my original post, just editing shared signatures you create yourself.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Sep 2011 18:29:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2357#M1742</guid>
      <dc:creator>jeff_white1</dc:creator>
      <dc:date>2011-09-21T18:29:58Z</dc:date>
    </item>
    <item>
      <title>Re: Signature Review/Modification</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2358#M1743</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;@jeff.white:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The signatures are not viewable by the end-user, and this is by design. As a general rule we are not going to expose the details behind our threat detection methodology and signatures to end-users. If you want to have a detailed discussion on this topic, I encourage you to talk to your sales team.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With regard to your second question: Yes, this is possible if you create multiple threat (vulnerability/spyware/AV) profiles and apply them to security policies that are crafted to apply to specific source/destination FQDNs or IP addresses. Each threat profile can be tailored to specific environments/servers by using exclusions on specific threats that are not relevant for the traffic to/from the host/network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Benjamin&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Sep 2011 19:21:29 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/signature-review-modification/m-p/2358#M1743</guid>
      <dc:creator>bpappas</dc:creator>
      <dc:date>2011-09-21T19:21:29Z</dc:date>
    </item>
  </channel>
</rss>

