Custom vulnerability signature for identifying Windows XP clients

by rhagen on ‎04-18-2014 07:48 AM (12,532 Views)

Effective April 8, 2014, Microsoft formally dropped support for the Windows XP operating system.  This support moratorium means Microsoft will no longer provide software updates for Windows XP.  These software updates frequently fix security vulnerabilities that could lead to a system compromise if left unaddressed.  While most enterprises have standardized on newer versions of Windows, there often remains a sizable installed base of Windows XP.   Many enterprises may not be aware of how many remnant Windows XP devices are in their network environment.

This custom signature may be used to identify Windows XP hosts based on their web application activity.  It looks in HTTP request headers for a User-Agent field that contains the Windows platform identifier string.  The default action of this signature is to alert.  However, this can easily be overridden to using the "drop" or "reset-client" action in order to block Windows XP hosts from using web applications through the Palo Alto Networks security platform.


Step 1:  Create a custom vulnerability object in Objects > Custom Objects > Vulnerability

2014-04-18_10-12-09.png


Step 2:  Add a Standard signature type

2014-04-18_10-16-11.png


Step 3:  Choose the Transaction scope and add an And Condition

2014-04-18_10-18-19.png


Step 4:  Select the Pattern Match operator, the http-req-headers context, and define the following match pattern:

String

User-Agent:.+Windows NT 5\.[12]|User-Agent:.+Windows XP


2014-05-13_21-25-09.png

Step 5:  Done!

This signature can then be included in a Vulnerability Protection profile and applied to rule in your security policy.  If Windows XP hosts initiate any web applications through the firewall, informational alerts will be displayed in the Threat logs.  A custom report can then be created that will summarize the unique source addresses that have triggered this vulnerability signature.

2014-04-18_10-29-23.png

2014-04-18_13-33-15.png

Note:  Microsoft utilizes the "Windows NT 5.2" platform identifier in the User-Agent header for both Windows XP x64 Edition and Windows Server 2003.  There is no way to differentiate between these two platforms using this method of identification.  If you wish to exempt both platforms from identification, change the pattern match string to the following:

String
User-Agent:.+Windows NT 5\.1|User-Agent:.+Windows XP


References:

Credit:  Special thanks to Arthur Chilipweli of Solutionary for devising this method of identification and sharing his regex pattern.

Comments
by bspilde
on ‎04-23-2014 09:49 AM

My custom report doesn't display any of the custom vulnerabilities I create but will show the stock vulnerabilities. Anyone know what versions of code these reports will work on? rhagen

by rhagen
on ‎04-23-2014 10:01 AM

I've tested this on 6.0.1.  However, that really shouldn't matter.  In the custom report screenshot example I queried specifically on the custom threat ID used.  If you have positive hits in the threat logs, you should be able to report on it when querying for that custom threat ID.

Are you seeing hits in the threat logs for your custom signature?

by bspilde
on ‎04-23-2014 01:19 PM

Yes, I have positive confirmed hits. If I set the report to threatid neq '' then all the results come up except for the custom ID 41000. I'll open a support ticket to find out if it was a known bug in my version. I have seen a couple similar comments in the knowledge base but no resolution. rhagen

by BrutalDismount
on ‎04-30-2014 02:18 PM

I am running on 5.09 and cannot get the string to hit on any traffic. Anyone else have success running on 5.X?

by bspilde
on ‎04-30-2014 02:40 PM

Aside from the reports, yes. I am only on 5.0.7 on the firewall with XP clients. I see all the traffic in the Threat Logs.

by Jebutler
on ‎05-12-2014 01:31 PM

I'm on 5.0.12 and I don't see any traffic either.  I have an open support case to investigate.  If anyone figures this out please post to the solution, I could really use this data to eliminate XP usage.

by rhagen
on ‎05-14-2014 07:15 AM

I've updated the signature pattern in this article by removing the succeeding and trailing '/' characters.  This seems to work better for some environments.  Try updating your signature and see if you have better results.

by HITSSEC
on ‎05-16-2014 08:23 AM

We are seeing the traffic and are running 5.0.10

by ktm530russ
on ‎02-05-2016 10:07 AM

We have been running this signature for a while, it works great, but I DO note some OVERBLOCKING issues.

We have had a couple of Windows 7 machines that reportedly got blocked under the XP signature to a url (usually "dat'js"), but other internet is allowed as usual.

I just wanted to comment that this signature may not be 100% reliable for identifying XP systems...

by george.v.bowles
on ‎01-12-2017 12:57 PM

So, I did this. It works! ...except on one interface. People coming in from outside or people using my wireless networks (outside and guest zones) but my inside zone, nothing.

 

Help!

 

I've looked at everthing and attempted to determine why. I cannot. There seems to be no place I have to specify this to apply to a zone. The vulnerability profiles are basically the same. I'm lost.

 

Please help.

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community