Custom Vulnerability Signature. Is this limitation correct or is a fail?

L4 Transporter

Hello

I've been trying to create a custom vulnerability signature and I have encountered this limitation:

[attached screenshot: vulnerability 41003.jpg]

Currently, in Threat Database Vault version 529, there are 50 signatures for PHP.

I'm trying to add all PHP signatures and this message appears when it exceeds 17 signatures.

:-(

Is this limitation correct or is it a fail?

:-(

A few days ago we suffered multiple PHP vulnerability scans on our web servers:

[attached screenshot: SIEM scan vulnerability.jpg]

The source IP 188.78.195.67 is in many blacklists.

I would like to create a custom signature that auto-blocks the attacker IP for 1 hour if any PHP vulnerability scan is seen 10 times in 10 seconds.

Thanks and regards,

dicu

L7 Applicator

Re: Custom Vulnerability Signature. Is this limitation correct or is a fail?

Hello,

I'm not sure about the custom vulnerabilities issue; perhaps a support case is in order? However, if the IP is on many lists, have you considered Dynamic Block Lists?

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Dynamic-Block-List-DBL-...

Just a thought.
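The two ideas in the thread so far can be put side by side in code: the rate condition dicu asked for (block a source for 1 hour once any PHP vulnerability-scan threat fires 10 times in 10 seconds) and the Dynamic Block List Otakar.Klier suggested, which on the firewall side is just a fetched text file with one address per line. The script below is an added example written for this page; it is not code from the thread or from Palo Alto Networks. It runs the sliding-window rule over constructed threat-log lines (a simplified `time,source,threat-name` layout, not the real PAN-OS threat log format, with invented threat names and RFC 5737 test addresses alongside the IP from the post) and renders the resulting blocks in the one-IP-per-line text an IP-type dynamic block list consumes.

```python
# Added example, not from the original thread or from Palo Alto Networks.
# Log format, threat names and all sources except 188.78.195.67 are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10          # hits ...
WINDOW_SECONDS = 10     # ... within this many seconds ...
BLOCK_SECONDS = 3600    # ... block the source for this long (1 hour)


def parse_ts(text):
    """Parse the ISO-8601 timestamp used by the constructed log format."""
    return datetime.fromisoformat(text)


def constructed_lines(src, threat, start, count, step_seconds):
    """Build `count` constructed lines '<iso time>,<src>,<threat>' spaced step_seconds apart."""
    return [f"{(start + timedelta(seconds=i * step_seconds)).isoformat()},{src},{threat}"
            for i in range(count)]


_T0 = datetime(2019, 5, 2, 10, 0, 0)
# Constructed sample log, sorted by time: a fast scanner (1 hit/s), a slow scanner
# (1 hit per 5 s, never 10 inside 10 s), a source with only 3 hits, and one
# non-PHP threat that the PHP-only rule must ignore.
SAMPLE_LOG = "\n".join(sorted(
    constructed_lines("188.78.195.67", "PHP Vulnerability Scan (constructed)", _T0, 12, 1)
    + constructed_lines("188.78.195.67", "Port Scan (constructed)", _T0, 1, 0)
    + constructed_lines("198.51.100.9", "PHP Vulnerability Scan (constructed)", _T0, 12, 5)
    + constructed_lines("203.0.113.5", "PHP Vulnerability Scan (constructed)", _T0, 3, 1)
))


def is_php_scan(threat_name):
    """Crude selector standing in for 'any PHP vulnerability signature'."""
    return "php" in threat_name.lower()


def evaluate(log_text, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS,
             block_seconds=BLOCK_SECONDS):
    """Return {src_ip: (block_start, block_end)} for sources that reach the threshold.

    A per-source deque keeps the hit timestamps still inside the sliding window.
    When it reaches `threshold`, the source is blocked for `block_seconds` and its
    later hits are ignored until the block expires (the firewall would drop them).
    """
    window = timedelta(seconds=window_seconds)
    block_for = timedelta(seconds=block_seconds)
    hits = defaultdict(deque)
    blocks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, src, threat = line.split(",", 2)
        ts = parse_ts(ts_text)
        if not is_php_scan(threat):
            continue
        if src in blocks and ts < blocks[src][1]:
            continue                        # already blocked at this moment
        q = hits[src]
        q.append(ts)
        while q and ts - q[0] > window:     # expire hits older than the window
            q.popleft()
        if len(q) >= threshold:
            blocks[src] = (ts, ts + block_for)
            q.clear()
    return blocks


def render_edl(blocks, now):
    """Text for an IP-type dynamic block list: one address per line, active blocks only."""
    active = sorted(ip for ip, (_, end) in blocks.items() if now < end)
    return "".join(ip + "\n" for ip in active)


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for ip, (start, end) in found.items():
        print(f"block {ip} from {start.isoformat()} until {end.isoformat()}")
    print(render_edl(found, _T0 + timedelta(minutes=30)), end="")
```

Run stand-alone it blocks only 188.78.195.67 (its 10th hit lands at 10:00:09, so the block runs until 11:00:09); the slow scanner never has more than three hits inside any 10-second window, which is the usual argument for pairing a short-window rule like this with a longer-window one. Serving `render_edl` output from a web server the firewall can fetch is what turns the detection into the auto-block, without waiting for the custom-signature limit question to be resolved.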

 

L4 Transporter

Re: Custom Vulnerability Signature. Is this limitation correct or is a fail?

Hello

 

To address the limit of 16 patterns you just need to add another signature as shown below:

[attached screenshot: Capture-Signature-Details.PNG]

Each signature can have 16 "or" values. I have signatures that have 50+ string patterns.

Hope this helps.

 

Phil

L4 Transporter

Re: Custom Vulnerability Signature. Is this limitation correct or is a fail?

Hello

 

First of all, thanks for your answer, Otakar.Klier.

I already knew about "Dynamic Block List" and I have already put it to work for some of our clients.

I think it is a correct answer.

But first I would like to try every option that the Palo Alto IPS offers, and one of these is the "Custom Vulnerability Signature".

It is a way to demonstrate the potential of Palo Alto firewalls.

 

Regards,

 

dicu

 

 

L4 Transporter

Re: Custom Vulnerability Signature. Is this limitation correct or is a fail?

Hello HITSSEC

 

I don't understand.

I think you mean to use patterns instead of signatures.

I think it might work, but what are the patterns of each signature? Or where can I find them?

https://threatvault.paloaltonetworks.com/

Note that currently, in Threat Database Vault version 529, there are 50 signatures for PHP.

 

Thanks and regards,

 

dicu

L4 Transporter

Re: Custom Vulnerability Signature. Is this limitation correct or is a fail?

The signature can have multiple sets of patterns. Each set of patterns (max 16) can be "or" conditions. The pattern string can be for specific purposes such as misuse of access to PHP-related resources.

Does this add any clarity, or am I missing something?

 

Phil 
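Phil's two replies describe the same workaround: one custom vulnerability signature holds at most 16 "or" patterns, so a longer pattern list is split across several signatures. The script below is an added example for this page, not code from the thread or from Palo Alto Networks. It plans that split over a constructed list of 50 URI patterns (5 directories by 10 files, chosen to mirror the "50 signatures for PHP" count in the thread), deduplicates the list, hands out sequential threat IDs, and then checks coverage: a request that the flat list would match is matched by exactly the signature that now holds the pattern. Two numbers are labelled assumptions because they come from my recollection of PAN-OS custom-signature rules rather than from this thread: the custom vulnerability threat ID range 41000-45000 and the 7-byte minimum pattern length. The starting ID 41003 is just the number in the screenshot filename, reused as an example, and the substring matcher is a stand-in for the firewall's own pattern engine, not a model of it.

```python
# Added example, not from the original thread or from Palo Alto Networks.
MAX_OR_PATTERNS = 16                    # the per-signature limit stated in the thread
CUSTOM_ID_RANGE = range(41000, 45001)   # assumption: custom vulnerability threat ID range
MIN_PATTERN_BYTES = 7                   # assumption: minimum fixed-string pattern length

# Constructed: 5 directories x 10 files = 50 URI patterns.
_DIRS = ["phpmyadmin", "phpMyAdmin", "pma", "mysql", "admin"]
_FILES = ["index.php", "setup.php", "scripts/setup.php", "config.php", "phpinfo.php",
          "shell.php", "cmd.php", "upload.php", "login.php", "install.php"]
CONSTRUCTED_PATTERNS = [f"/{d}/{f}" for d in _DIRS for f in _FILES]


def is_valid_pattern(pattern):
    """Reject patterns shorter than the assumed 7-byte minimum."""
    return len(pattern.encode()) >= MIN_PATTERN_BYTES


def plan_signatures(patterns, base_name="php-scan", first_id=41003):
    """Split `patterns` into signatures of at most MAX_OR_PATTERNS "or" patterns each.

    Returns a list of dicts {threat_id, name, or_patterns}; duplicates are dropped
    (first occurrence wins) and the ID sequence must stay inside CUSTOM_ID_RANGE.
    """
    unique = list(dict.fromkeys(patterns))          # dedupe, keep order
    bad = [p for p in unique if not is_valid_pattern(p)]
    if bad:
        raise ValueError(f"patterns shorter than {MIN_PATTERN_BYTES} bytes: {bad}")
    signatures = []
    for start in range(0, len(unique), MAX_OR_PATTERNS):
        threat_id = first_id + len(signatures)
        if threat_id not in CUSTOM_ID_RANGE:
            raise ValueError("ran out of custom vulnerability threat IDs")
        signatures.append({
            "threat_id": threat_id,
            "name": f"{base_name}-{len(signatures) + 1}",
            "or_patterns": unique[start:start + MAX_OR_PATTERNS],
        })
    return signatures


def matches(signatures, payload):
    """Threat IDs whose "or" set matches `payload` (case-insensitive substring stand-in)."""
    low = payload.lower()
    return [s["threat_id"] for s in signatures
            if any(p.lower() in low for p in s["or_patterns"])]


def coverage_matches(signatures, patterns, payload):
    """True iff the split signatures fire exactly when the flat pattern list would."""
    low = payload.lower()
    flat_hit = any(p.lower() in low for p in patterns)
    return flat_hit == bool(matches(signatures, payload))


if __name__ == "__main__":
    plan = plan_signatures(CONSTRUCTED_PATTERNS)
    for sig in plan:
        print(f'{sig["threat_id"]} {sig["name"]}: {len(sig["or_patterns"])} "or" patterns')
    print(matches(plan, "GET /pma/cmd.php?c=id HTTP/1.1"))
```

With 50 patterns the planner emits four signatures of 16, 16, 16 and 2 patterns (IDs 41003 through 41006), which is the "add another signature" step from the screenshot carried out for the whole list. One practical point the split makes visible: a request only ever fires the signature holding its pattern, so per-signature actions and log entries differ from a single flat list, and a rate rule like the one asked for earlier in the thread should count hits across all of these signatures rather than per signature.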
