https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27603#M20124 <HTML><HEAD></HEAD><BODY><P>You'll need to contact TAC and ask for them to open up SIP contexts in custom vulnerability signatures.&nbsp; The SIP contexts are not open to the public today, but could be made available through a content update.&nbsp; The "unknown" contexts you refer to are only applicable to "unknown-tcp" and "unknown-udp" App-IDs.&nbsp; Since your traffic is identified as SIP, your existing custom signature will not match.&nbsp; </P></BODY></HTML> Thu, 01 Aug 2013 16:48:54 GMT jvalentine 2013-08-01T16:48:54Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27600#M20121 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>we are trying to create&nbsp; custom vulnerability signature for triggering on the specific string in the udp packet payload with&nbsp; destination port 5060. Unfortunately there is no context for SIP. We used "Pattern Match" and chose "unknown -req-udp-payload" as a context. We applied a Vulnerability protection profile to the security policy (a rule allowing everything) but for some reason this didn't work as we expected. I mean we didn't receive any alert in the Threat log.</P><P></P><P>Is it possible to use "unknown -req-udp-payload" context for such purpose or it is intended only for the "unknown-udp" applications? Any other idea for creating such signature?</P><P></P><P>Thanks.</P><P>Leonid</P></BODY></HTML> Thu, 01 Aug 2013 10:02:19 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27600#M20121 lzolotonos 2013-08-01T10:02:19Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27601#M20122 <HTML><HEAD></HEAD><BODY><P>Following Tech note explains usage a each context for creating a Custom Threat Signature</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5534">Creating Custom Threat Signatures</A></P></BODY></HTML> Thu, 01 Aug 2013 12:46:12 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27601#M20122 UhMayYeah 2013-08-01T12:46:12Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27602#M20123 <HTML><HEAD></HEAD><BODY><P>Good Morning,</P><P><SPAN>We have a couple of avenues that you can check for assistance with custom signatures. You can post on the DevCenter (found on our support portal under communities - </SPAN><A class="jive-link-community-small" data-containerid="1" data-containertype="14" data-objectid="2010" data-objecttype="14" href="https://live.paloaltonetworks.com/community/devcenter">https://live.paloaltonetworks.com/community/devcenter</A><SPAN>) or you can request that an official signature be made through Applipedia (</SPAN><A class="jive-link-external-small" href="http://researchcenter.paloaltonetworks.com/submit-an-application/">http://researchcenter.paloaltonetworks.com/submit-an-application/</A><SPAN>)</SPAN></P><P></P><P>Best regards,</P><P>Karthik </P></BODY></HTML> Thu, 01 Aug 2013 12:51:11 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27602#M20123 kprakash 2013-08-01T12:51:11Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27603#M20124 <HTML><HEAD></HEAD><BODY><P>You'll need to contact TAC and ask for them to open up SIP contexts in custom vulnerability signatures.&nbsp; The SIP contexts are not open to the public today, but could be made available through a content update.&nbsp; The "unknown" contexts you refer to are only applicable to "unknown-tcp" and "unknown-udp" App-IDs.&nbsp; Since your traffic is identified as SIP, your existing custom signature will not match.&nbsp; </P></BODY></HTML> Thu, 01 Aug 2013 16:48:54 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27603#M20124 jvalentine 2013-08-01T16:48:54Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27604#M20125 <HTML><HEAD></HEAD><BODY><P>By the way, how come that for example the SIP context is closed by default?</P><P></P><P>Seems like an neverending stream of feature requests to the SE's <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P></BODY></HTML> Thu, 01 Aug 2013 19:52:21 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27604#M20125 mikand 2013-08-01T19:52:21Z https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27605#M20126 <HTML><HEAD></HEAD><BODY><P>These aren't the same as Feature Requests that have to be rolled-up to your SE and then coded into the next version of PAN-OS.&nbsp; The contexts already exist and just need to be a.) QA'd for public consumption, and then b.) opened to the public via the weekly content update.&nbsp; I hear you, though.&nbsp; I'd love to see all of the contexts opened up.&nbsp; Then again, in my day-to-day I've been able to create all of the custom App-ID and Vulnerability signatures with the contexts that have already been published.&nbsp;&nbsp;&nbsp;&nbsp; </P></BODY></HTML> Thu, 01 Aug 2013 20:16:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-create-custom-vulnerability-signature-for-sip-packets/m-p/27605#M20126 jvalentine 2013-08-01T20:16:51Z