Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Block Platform by Country of Ownership

Hello everyone. I work at a public community college. Our state legislature has proposed legislation that would require us to block any video platform if the platform is owned by a company headquartered outside of the United States. I currently have

...

Vulnerabilities

Seeking help creating Policies to report, log, or restrict outdated Browsers from accessing Internet Content. Seems like this would be integrated into the policies. Thanks


Examples:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K

...

SMTP Brute Force - different source IPs

The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet. Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't mat

...

cenders by L3 Networker
  • 3242 Views
  • 4 replies
  • 1 Likes

Minimal configuration for Custom Apps

Our programmer wrote an app that uses TCP/9901 and 9902 to transfer data between the East and West buildings. Let's call it JC-App. What is the minimum configuration on both the East and West Firewalls? Also, what would need to be added to requir

...

Detecting TLS 1.0 and TLS 1.1 Protocol

Hi,

I am working with a customer that needs to detect the usage of SSLv3 (already done with ID 36815), TLS 1.0 and TLS 1.1; at some point they may move to blocking this on certain traffic. They don't particularly want to decrypt the traffic for this due to c

...

Convert ScreenOS Multicast static route to PaloAlto

Hi all,

I'm finally converting an old Juniper ScreenOS firewall to a PaloAlto firewall (5020). I have some problems understanding how to convert some Multicast static Routes.

On ScreenOS I have this specific entry, for example:


GUI:

Type: Static, Forwarding

So

...

Allow iOS Ring doorbell

Hello,

I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue.


The problem is that it reports the web URL category as "unknown" which I am currently blocking.

I wro

...

Ring Policy.PNG

Custom App for unknown SIP traffic

Hi.


I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the SIP headers but I'm not sure how to write the pattern.

I have done a capture of the traffic and this is what I got...

What can be used h

...

OyvindM by L0 Member
  • 1574 Views
  • 0 replies
  • 0 Likes

Letsencrypt (acme) challenge URL

I created this pattern to recognize the Letsencrypt (acme-protocol) challenge.

You need to create a custom application with these fields:

  • Type: Transaction
  • Context: http-req-uri-path
  • Pattern: ^GET /\.well-known/acme-challenge/

That's the best I could get.


...