https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66657#M39279 <P>The signature can have multiple sets of patterns.&nbsp; Each set of patterns (max 16) can be "or" conditions.&nbsp; The pattern string can be for specific&nbsp;purposes such as misuse of access to PHP related resources.</P> <P>&nbsp;</P> <P>Does this&nbsp;add any clarity or am I missing something.</P> <P>&nbsp;</P> <P>Phil&nbsp;</P> Thu, 15 Oct 2015 14:48:02 GMT HITSSEC 2015-10-15T14:48:02Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/64993#M38870 <P><SPAN>Hello </SPAN></P><P>I've been trying to create a custom vulnerability and I have encountered this limitation:</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/444i57581BB8DCAFB6B2/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="vulnerability 41003.jpg" title="vulnerability 41003.jpg" /></P><P><SPAN>Currently in Threat Database Vault 529 version there are 50 signatures for PHP.</SPAN></P><P>&nbsp;I'm trying to add all PHP signatures and this message appears when it exceeds 17 signatures.&nbsp;</P><P>&nbsp;</P><P><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P><SPAN>Is this limitation correct or is a fail?&nbsp;</SPAN></P><P><SPAN><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></SPAN></P><P>&nbsp;</P><P><SPAN>A few days ago we suffer multiple PHP vulnerability scanning in our web servers:</SPAN></P><P>&nbsp;</P><P><SPAN><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/445iEE6A1C4F56EC54B3/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="SIEM scan vulnerability.jpg" title="SIEM scan vulnerability.jpg" /></SPAN></P><P><SPAN>The source IP 188.78.195.67&nbsp;is in many blacklists.</SPAN></P><P>&nbsp;&nbsp;</P><P>I would like to create a custom signature for IP auto-block attacker for 1 hour, if 10 times in 10 seconds any PHP Scan Vulnerability.</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>Thanks and regards,</SPAN></P><P><SPAN>dicu</SPAN></P> Wed, 23 Sep 2015 09:21:43 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/64993#M38870 SOC_CSG 2015-09-23T09:21:43Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/65004#M38879 <P>Hello,</P><P>I'm not sure on the custom Vulnerabilities issue, perhaps a support case is in order? However if the IP is on many lists, have you considered Dynamic Block Lists?</P><P>&nbsp;</P><P><A href="https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/" target="_blank">https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/</A></P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Dynamic-Block-List-DBL-or-External-Block-List/ta-p/53414" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Dynamic-Block-List-DBL-or-External-Block-List/ta-p/53414</A></P><P>&nbsp;</P><P>Just a thought.</P><P>&nbsp;</P> Wed, 23 Sep 2015 14:36:40 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/65004#M38879 OtakarKlier 2015-09-23T14:36:40Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66399#M39183 <P>Hello</P><P>&nbsp;</P><P>To address the limit of 16 patterns you just need to add another signature as shown below:</P><P>&nbsp;</P><P>&nbsp;<IMG title="Capture-Signature-Details.PNG" alt="Capture-Signature-Details.PNG" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/613iB644D05D70DB0702/image-size/original?v=mpbl-1&amp;px=-1" border="0" /></P><P>&nbsp;</P><P>Each signature can have 16 "or" &nbsp;values.&nbsp;&nbsp; I have signatures that have +50 string patterns</P><P>Hope this helps.</P><P>&nbsp;</P><P>Phil</P> Mon, 12 Oct 2015 01:34:13 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66399#M39183 HITSSEC 2015-10-12T01:34:13Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66467#M39213 <P>Hello</P> <P>&nbsp;</P> <P>First of all thanks for your answer Otakar.Klier.</P> <P><SPAN style="line-height: 20px;">About </SPAN><SPAN style="line-height: 20px;">"Dynamic Block List" I already knew&nbsp;and I already had put to work this in any of our clients.</SPAN></P> <P><SPAN style="line-height: 20px;">I think it is a correct answer.</SPAN></P> <P><SPAN style="line-height: 20px;">But first I would like to try every option that gives the IPS Palo Alto and&nbsp;one of these are the "Custom Vulnerability Signature".</SPAN></P> <P><SPAN style="line-height: 20px;">It is a way to demonstrate the potential of Palo Alto firewalls.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="line-height: 20px;">Regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN style="line-height: 20px;">dicu</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 13 Oct 2015 07:49:54 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66467#M39213 SOC_CSG 2015-10-13T07:49:54Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66471#M39214 <P>Hello&nbsp;HITSSEC</P> <P>&nbsp;</P> <P>I don't understand.&nbsp;</P> <P>I think you mean to use patterns instead of signatures.</P> <P>I think it might work but what are the patterns of each firm?&nbsp;or where can I find them?</P> <P>&nbsp;</P> <P><A href="https://threatvault.paloaltonetworks.com/" target="_blank">https://threatvault.paloaltonetworks.com/</A></P> <P><SPAN>Note that currently in Threat Database Vault 529 version there are 50 signatures for PHP.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks and regards,</SPAN></P> <P>&nbsp;</P> <P><SPAN>dicu</SPAN></P> Tue, 13 Oct 2015 08:17:47 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66471#M39214 SOC_CSG 2015-10-13T08:17:47Z https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66657#M39279 <P>The signature can have multiple sets of patterns.&nbsp; Each set of patterns (max 16) can be "or" conditions.&nbsp; The pattern string can be for specific&nbsp;purposes such as misuse of access to PHP related resources.</P> <P>&nbsp;</P> <P>Does this&nbsp;add any clarity or am I missing something.</P> <P>&nbsp;</P> <P>Phil&nbsp;</P> Thu, 15 Oct 2015 14:48:02 GMT https://live.paloaltonetworks.com/t5/general-topics/custom-vulnerability-signature-is-this-limitation-correct-or-is/m-p/66657#M39279 HITSSEC 2015-10-15T14:48:02Z