topic Re: Custom Snort Signature in General Topics

Custom Snort Signature

Mohammed_Yasin — Wed, 07 Oct 2020 07:12:02 GMT

creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.

Shall we create a context operator or how it can add the pattern if the context operator is not available?

For example:

Not available

HTTP _ method

HTTP _ client_body

Re: Custom Snort Signature

OtakarKlier — Wed, 07 Oct 2020 19:37:52 GMT

Hello,

The problem with custom signatures is that they are not dynamic. I would say configure the PAN with best practices and enable, Anti-Virus, Vulnerability, URL Filtering, DNS SinkHole, wildfire, secure DNS, SSL decryption, etc. Alsong with this enable sending telemetry back to PAN for statistics, this also helps build new signatures etc. This should protect you from most of everything. In your example you have Emotet, and if you look at the threat vault there are already many signatures for it.

https://threatvault.paloaltonetworks.com/

There are also External Dynamic lists and other things you can do as an overarching strategy, static entries are a major pain and hard to keep up with. Perhaps also implement another IDS to supplement you security posture?

Hope that helps.

Re: Custom Snort Signature

BPry — Wed, 07 Oct 2020 21:22:19 GMT

@Mohammed_Yasin,

Just to add on to what @OtakarKlier mentioned, you aren't going to have a one to one match on a snort rule when you attempt to map them via a custom signature. The terminology isn't the same at all, but generally speaking every option you are looking for is going to be present. The real change here is that PAN separates a lot of this information between request and response, so in a lot of situations you'll actually have to know the direction of traffic.

I wouldn't recommend building a custom threat signature unless you actually need to within your environment. So the Snort rule that you pulled from MS-ISAC is an example of what Snort can look at, but PAN is already providing more than 200+ signatures to detect emotet related traffic and threats. If I really wanted to take every single Snort rule that they built out to ensure we were covered from the threat, I would simply install a snort node.

Re: Custom Snort Signature

CCACieszkowski — Thu, 18 Feb 2021 13:33:43 GMT

Hi @Mohammed_Yasin,

To actually respond to your question: http_method in the Custom Vulnerability Object is the http-method Qualifier and the http_client_body is the http-req-message-body Context, i.e.,:

Albert