IPS Signatures

L0 Member

IPS Signatures

Hello friends,


I have some signatures with fortigate names and I neet to know the equivalence in Palo Alto, by the CVE Palo Alto dont indentify it, could anyone help me?


web_app3: Narcissus.Image.Configuration.Remote.Command.Execution
CVE-2015-1579 CVE-2014-9734

applications3: Ektron.XSLT.Transform.Remote.Code.Execution

applications3: OpenVAS.Web.Scanner





L7 Applicator

Re: IPS Signatures

Are these CVE still active in the wild?


If CVE's are no longer active in the wild, or have long been patched, they are removed from the PANW threat vault to make way for more current signatures

L7 Applicator

Re: IPS Signatures


All of these CVEs you've identified, as @reaper made note to, have been addressed by software updates for a while. If you are still running software that this actually covers I would HIGHLY recommend that you update them to something current. 

Ektron has been packed for literally years, the first two threats that you mention are only on select themes and only two of the affected themes are under active developement with patched versions. 

I would say that this is mostly a 'non-issue' for the most part. You shouldn't actually need these signatures anymore.

L0 Member

Re: IPS Signatures

Sorry but, If I understood:


This CVEs were active for a while but Palo Alto erase it from its signatures because with updating the host application made it-self non exploitable by this methods?


Thanks and regards.

L7 Applicator

Re: IPS Signatures

In short: yes


The longer version is: To ensure we are able to scan traffic quickly it is efficient to kjeep the threat database small in size: To be able to provide the best possible coverage we investigate which signatures are active 'in the wild', which ones are dangerous and which ones are still relevant


If a vulnerability is widely patched, it is safe to assume the threat level becomes lower, and if the signature is not picked up in the wild much any more, that means the signature has become obsolete and it is safe to dselete from the repository,, thus ensuring only the important signatures are used to scan your traffic

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!