Tips & Tricks: Custom Vulnerability

Community Team Member


 

The Palo Alto Networks next-generation firewall supports custom vulnerability signatures using the firewall's threat engine. You can write custom regular expression patterns to identify vulnerability exploits. The resulting vulnerability patterns become available for use in vulnerability security profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.

 

Using the Custom Vulnerability Signature Page

You can define signatures for Vulnerability Protection profiles with the following steps.

Add the Custom Vulnerability Object: go to the Objects tab, select Custom Objects > Vulnerability, and click Add, as shown below.

[Image: Firewall web interface view of the Objects tab used to enter a Custom Vulnerability Object]

 

In the custom vulnerability signature popup, fill out the required information on the Configuration tab. In this use case, I'll show you how to match on a specific browser, Google Chrome, by its User-Agent request header.

 

The mandatory fields are as follows:

Threat ID: A numeric identifier. For custom vulnerability signatures, the reserved range is 41000-45000.

Name: Specify the threat name.

Severity: Assign a level that indicates the seriousness of the threat.

Direction: Indicate whether the threat is assessed from the client to server, server to client, or both.

 

Next, go to the Signatures tab to add a signature (1), then select the Standard radio button and click Add (2).

[Image: Signatures tab for Custom Vulnerability Signatures]

 

In the Standard window, complete the following steps:

  1. Standard: Fill in the desired name to identify the signature.
  2. Comment: Here you can add an optional description.
  3. Scope: Here you can select whether to apply this signature only to the current transaction or to the full user session. In this example, we'll go with Transaction.
  4. Ordered Condition Match: Select this if the conditions must match in the order in which they are defined.
  5. Add Or Condition: Add and specify the conditions that define the signature.

In the next window, we'll specify the signature match.

 

Operator: Defines the type of condition that must be true for the custom signature to match traffic. Choose from the Less Than, Equal To, Greater Than, or Pattern Match operators.

 

When choosing the Pattern Match operator, specify the following, all of which must be true for the signature to match traffic:

  • Context: Select from the available contexts (the part of the stream the pattern is searched in)
  • Pattern: Specify a regular expression
  • Qualifier and Value: Add qualifier/value pairs (optional)
  • Negate: Select the Negate check box so the custom signature matches traffic only when the defined Pattern Match condition is not true (this lets you ensure that the custom signature is not triggered under certain conditions)

In this example, we'll look for the pattern match "Chrome/" in the Context field 'http-req-headers' as shown in the example below.

 

Why match on Chrome/?

If you take a packet capture while browsing with a Google Chrome browser, you will find the string "Chrome/" in the User-Agent request header, as shown in the capture.

[Image: Follow TCP Stream view of the packet capture with the Chrome/ User-Agent string highlighted]
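As an added example (not from the original post and not Palo Alto Networks code), the following Python script models how the signature fields described above (Direction, Context, Pattern, Negate and Ordered Condition Match) are applied to a client-to-server HTTP request. The requests are constructed inline with Chrome, Edge and Firefox User-Agent strings. It shows a caveat worth knowing before you deploy this signature: Chromium-based browsers such as Microsoft Edge also send "Chrome/" in their User-Agent, so the page's pattern fires on them too, and an And condition with Negate is one way to narrow the match. The http-req-uri-path context name and the threat IDs are assumptions for illustration; has_fixed_string approximates the PAN-OS requirement that a pattern contain a literal string of at least seven bytes ("Chrome/" is exactly seven).

```python
import re
from dataclasses import dataclass

# --- constructed sample traffic (client-to-server HTTP requests) ------------
# Hand-written, not captured; the User-Agent values follow the well-known
# Chrome, Edge and Firefox formats.
_UA_CHROME = (b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              b"(KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36")
_UA_EDGE = _UA_CHROME + b" Edg/121.0.2277.83"       # Edge carries Chrome/ too
_UA_FIREFOX = (b"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) "
               b"Gecko/20100101 Firefox/122.0")


def build_request(user_agent: bytes, path: bytes = b"/") -> bytes:
    return (b"GET " + path + b" HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Accept: */*\r\n\r\n")


REQUESTS = {
    "chrome": build_request(_UA_CHROME),
    "edge": build_request(_UA_EDGE),
    "firefox": build_request(_UA_FIREFOX),
}


# --- a small model of the signature fields from the page ---------------------
@dataclass
class Condition:
    context: str          # e.g. "http-req-headers"
    pattern: str          # regular expression typed into the Pattern field
    negate: bool = False  # the Negate check box


@dataclass
class Signature:
    threat_id: int        # illustrative IDs below, inside the 41000-45000 range
    name: str
    severity: str
    direction: str        # "client2server", "server2client" or "both"
    or_conditions: list   # each entry is an And-group: list[Condition]
    ordered: bool = False # Ordered Condition Match


def extract_context(context: str, raw: bytes) -> bytes:
    """Return the bytes the named context covers within one HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    if context == "http-req-headers":
        return headers
    if context == "http-req-uri-path":   # assumed context name for the path
        parts = request_line.split(b" ")
        return parts[1] if len(parts) > 1 else b""
    raise ValueError(f"unsupported context: {context}")


def has_fixed_string(pattern: str, minimum: int = 7) -> bool:
    """Approximate the PAN-OS rule that a pattern must contain a fixed string
    of at least 7 bytes: measure the longest run free of regex metacharacters."""
    literal_runs = re.split(r"[\\^$.|?*+()\[\]{}]", pattern)
    return max((len(run) for run in literal_runs), default=0) >= minimum


def _and_group_matches(group, raw, ordered):
    cursor = {}  # per-context offset used when Ordered Condition Match is on
    for cond in group:
        region = extract_context(cond.context, raw)
        start = cursor.get(cond.context, 0) if ordered else 0
        m = re.compile(cond.pattern.encode()).search(region, start)
        hit = m is not None
        if cond.negate:
            hit = not hit          # Negate: condition holds when pattern is absent
        elif hit:
            cursor[cond.context] = m.end()
        if not hit:
            return False
    return True


def evaluate(sig: Signature, direction: str, raw: bytes) -> bool:
    """True if the signature fires on this request travelling in `direction`."""
    if sig.direction != "both" and sig.direction != direction:
        return False
    for cond in (c for g in sig.or_conditions for c in g):
        if not has_fixed_string(cond.pattern):
            raise ValueError(f"pattern {cond.pattern!r} lacks a 7-byte fixed string")
    return any(_and_group_matches(g, raw, sig.ordered) for g in sig.or_conditions)


# The signature the page builds: one Or condition with a single Pattern Match
# on "Chrome/" in http-req-headers, client-to-server.
PAGE_SIG = Signature(41001, "Chrome browser seen", "informational", "client2server",
                     [[Condition("http-req-headers", "Chrome/")]])

# Tighter variant: same match plus a negated And condition on the tail Edge
# appends to its User-Agent, so Chromium-based Edge no longer triggers it.
CHROME_ONLY_SIG = Signature(41002, "Chrome browser seen (not Edge)", "informational",
                            "client2server",
                            [[Condition("http-req-headers", "Chrome/"),
                              Condition("http-req-headers", r"Safari/537\.36 Edg/",
                                        negate=True)]])


def fired(sig: Signature, direction: str = "client2server") -> list:
    """Names of the sample requests on which the signature fires."""
    return sorted(name for name, raw in REQUESTS.items() if evaluate(sig, direction, raw))


if __name__ == "__main__":
    print("page signature fires on:", fired(PAGE_SIG))
    print("chrome-only signature fires on:", fired(CHROME_ONLY_SIG))
    print("server-to-client traffic:", fired(PAGE_SIG, "server2client"))
```

Running it shows the page's signature firing on both the Chrome and the Edge request, and the variant with the negated And condition firing on Chrome alone; the same Direction check is why nothing fires when the request is evaluated as server-to-client traffic.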

 

Click OK to create your custom vulnerability.

 

Enable your signature

NOTE: The custom signature will not be enabled by default.

 

To enable your custom signature, go to the Vulnerability Protection Security Profile. Edit your profile. On the Exceptions tab, search for the Threat ID and enable it.

Inside the WebUI, start at Objects > Security Profiles > Vulnerability Protection > open your profile (named Alert in this example) > Exceptions tab > enter the Threat ID > check Enable. (Note: If your signature does not show up, select "Show all signatures" in the lower left of the Profile window.)

[Image: Enabling the custom signature on the Exceptions tab of the Vulnerability Protection Profile]

 

Don't forget to apply this Security Profile to your Security Policy.

After committing this change, you will see alert entries in your Threat Log whenever you browse with a Google Chrome browser. Of course, you could also use this signature to block traffic by changing the Action column to Block.

 

Additional Resources

Here's a video about Custom Vulnerability in our Knowledge Base.

 

Below are some additional links with other use cases and useful information:

Custom Vulnerability Signature to Detect FTP Active Mode

Custom Vulnerability Signature for Identifying Windows XP

List of Different User-Agent Strings

 

 

Thanks for taking time to read the blog.

If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Kiwi out!

 

 