https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51517#M37902 <HTML><HEAD></HEAD><BODY><P>Go here for Custom Signature help <A href="https://live.paloaltonetworks.com/space/2010">DevCenter</A></P><P></P><P>Dominic</P></BODY></HTML> Tue, 09 Sep 2014 21:23:36 GMT dburns 2014-09-09T21:23:36Z https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51515#M37900 <HTML><HEAD></HEAD><BODY><P>Can someone provide documentation and insight in regards to creating custom IPS signatures based on the follow scenario?</P><P></P><P>Consider you have an FTP server. The USER command is vulnerable to buffer overflow. How does one create a custom signature to identify and block this activity? </P><P></P><P>The buffer and payload the attack sends could have 1000 variations. </P></BODY></HTML> Tue, 09 Sep 2014 20:53:28 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51515#M37900 SDorsey 2014-09-09T20:53:28Z https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51516#M37901 <HTML><HEAD></HEAD><BODY><P>Further info.. if the vulnerability is simple triggered by sending over 20 characters to it... </P><P></P><P>An attacker could send 100 A's. We could easily build a signature that watches for 100 \x41. But if they sent a payload of 100 \x42 and caused the crash, the custom signature would not match.</P></BODY></HTML> Tue, 09 Sep 2014 21:11:04 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51516#M37901 SDorsey 2014-09-09T21:11:04Z https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51517#M37902 <HTML><HEAD></HEAD><BODY><P>Go here for Custom Signature help <A href="https://live.paloaltonetworks.com/space/2010">DevCenter</A></P><P></P><P>Dominic</P></BODY></HTML> Tue, 09 Sep 2014 21:23:36 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51517#M37902 dburns 2014-09-09T21:23:36Z https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51518#M37903 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/12314">SDorsey</A></P><P></P><P>I think such vulnerability should already be covered in the stock signatures in threat database. I searched through threat vault for some of the USER command overflow buffer vulnerabilities and found the following:</P><P><IMG alt="user_buffer_vul.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15393_user_buffer_vul.JPG" style="height: 103px; width: 620px;" /></P><P></P><P>Does the threat database not cover the specific vulnerability you are looking for ? </P><P></P><P>Thanks</P></BODY></HTML> Tue, 09 Sep 2014 21:33:09 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51518#M37903 bat 2014-09-09T21:33:09Z https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51519#M37904 <HTML><HEAD></HEAD><BODY><P>As oppose to being on a specific vulnerability, this is more a general inquire to try to understand how the IDS signatures work. In preparation for the need to create custom ones. And I know for sure that FTP USER overflow list is missing a few. <img id="smileywink" class="emoticon emoticon-smileywink" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" /> </P><P></P><P>I created a new thread in DevCenter</P><P><A href="https://live.paloaltonetworks.com/message/44134">General help with custom vulnerability signature</A></P></BODY></HTML> Tue, 09 Sep 2014 22:51:35 GMT https://live.paloaltonetworks.com/t5/general-topics/help-with-custom-vulnerability-signature/m-p/51519#M37904 SDorsey 2014-09-09T22:51:35Z