Custom Signature to detect a PDF file

Reply
L4 Transporter

Custom Signature to detect a PDF file

DISCLAIMER:

 

As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.

 

 

 

It is:

 

- Not recommended for deployment in a production network of any kind without internal testing.

- Not a solution to any vulnerability.

- Not an official supported Palo Alto Networks signature

 

 This write up is to help the Palo Alto Networks community with detecting a specific PDF file.

 

 The sample signature was created on PAN OS Version 8.1.x :

 

 SHA256: cbdf842fba661b85090e7e31fe9ed6b069a01fd82d5bd563a462185b53ab38e3

 

Go to custom signatures under objects, select custom vulnerability signature. Click add

Fill out the appropriate field under the configuration tab

 

1.png

 

Open the Signature Tab

2.png

Select add at the bottom left

3.png

 

Since we only have one condition it doesn’t matter if we choose the ‘and’/’or’ condition

 

4.png

 

To determine a unique string the *NIX utility xxd was used in this case, however any hex editor will work for this purpose.  The string was then converted to hex and used in a pattern match to detect the file. In this case the author of the file put what we believe to be their name in the file and that was used as a unique identifier.

 

 5220 3120 2038 2030 5d52 432f 6e6f 6574

5.png

Once this custom signature is applied and a web browser is used to attempt to download the file the firewall will either block or alert on detection depending on the action you set.

 

**Warning** any custom signature should be fully tested to see if it works correctly, and for false positives.

L0 Member

Re: Custom Signature to detect a PDF file

dpharis,  on another post it was stated that Palo Alto does not do signatures for specific hashes since the same malware can/will use different hashes.  My question is if my org decides to do custom sigs for specific hashes, will it eventually hamper/degrade FW's performance say, after a couple thousand signatures?

 

Thanks!

 

L4 Transporter

Re: Custom Signature to detect a PDF file

Hello Bart, 

 

Your research is correct. We do not create signatures for specific hash values because it is both inefficient, and easily bypassed with a minimal change to the original file.

 

The performance impact is difficult to determine in a hypothetical situation due to the limitless environmental variables. The short answer though is yes, there will be an impact to utilizing large numbers of custom signatures. If you intend to block a large number of files using customer signatures, instead of using hashes, we suggest you identify a unique character string in the file and utilize if after thorough testing, as this improves your changes of catching multiple variants of the same malware.

L0 Member

Re: Custom Signature to detect a PDF file

Copy that.  Appreciate your quick reply!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!