https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2619#M1951 <HTML><HEAD></HEAD><BODY><P>I am fairly new to custom signature in Palo Alto, just so you are warned. I am trying to create a vulnerability signature for detecting wordpress. </P><P></P><P>The Get request will contain /? followed by 5 digits or more. User agent will be wordpress/ followed by version number.&nbsp; </P><P></P><P>My plan was to create one signature with one condition for User-agent&nbsp; ( http-req-headers&nbsp; with pattern match 'wordpres/' ) and one for the Get request ( http-req-uri-path with pattern match&nbsp; 'GET /?amp' ) . </P><P></P><P></P><P>The problem I have is that the get request contains too few fixed charters. Any suggestions on how to get around this ?</P></BODY></HTML> Sat, 12 Jul 2014 10:50:57 GMT LarsOlav 2014-07-12T10:50:57Z https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2619#M1951 <HTML><HEAD></HEAD><BODY><P>I am fairly new to custom signature in Palo Alto, just so you are warned. I am trying to create a vulnerability signature for detecting wordpress. </P><P></P><P>The Get request will contain /? followed by 5 digits or more. User agent will be wordpress/ followed by version number.&nbsp; </P><P></P><P>My plan was to create one signature with one condition for User-agent&nbsp; ( http-req-headers&nbsp; with pattern match 'wordpres/' ) and one for the Get request ( http-req-uri-path with pattern match&nbsp; 'GET /?amp' ) . </P><P></P><P></P><P>The problem I have is that the get request contains too few fixed charters. Any suggestions on how to get around this ?</P></BODY></HTML> Sat, 12 Jul 2014 10:50:57 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2619#M1951 LarsOlav 2014-07-12T10:50:57Z https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2620#M1952 <HTML><HEAD></HEAD><BODY><P>There really is no way around the limit.&nbsp; You need to either forgo that test or find a longer string.</P><P></P><P>Generally this limit is there to prevent false positives that come with very short tests.</P></BODY></HTML> Sat, 12 Jul 2014 13:29:00 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2620#M1952 pulukas 2014-07-12T13:29:00Z https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2621#M1953 <HTML><HEAD></HEAD><BODY><P>Hi Steven,</P><P></P><P>Thank you for your support.</P><P></P><P>Would it be possible to combine GET request and User-agent in one condition? I have tried but are getting DFA error.</P><P></P><P>/Lars Olav </P></BODY></HTML> Sun, 13 Jul 2014 05:13:29 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2621#M1953 LarsOlav 2014-07-13T05:13:29Z https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2622#M1954 <HTML><HEAD></HEAD><BODY><P>I don't think you can combine these two.&nbsp; If I understand what you are detecting correctly, the agent will be a request header and the other is a parameter header so they are check in different sections.</P><P></P><P>I assume you have seen this documentation on creating regex by section, if not, it may be helpful.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5534">Creating Custom Threat Signatures</A></P></BODY></HTML> Sun, 13 Jul 2014 13:54:42 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2622#M1954 pulukas 2014-07-13T13:54:42Z https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2623#M1955 <HTML><HEAD></HEAD><BODY><P>Thank you for your reply. Yes I am familiar with the document. I was hoping that I had overlooked a solution here, but I understand that I have to find a different solution.</P></BODY></HTML> Sun, 13 Jul 2014 14:00:56 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-signature-for-wordpress/m-p/2623#M1955 LarsOlav 2014-07-13T14:00:56Z