Creating Custom Application and Threat Signatures

by jseals on 07-29-2013 01:41 PM - edited on 08-22-2017 04:46 PM by bvlach (152,530 Views)

This tech note covers creating custom application signatures and custom vulnerability (threat) signatures. It contains regex basics, details for each custom signature context, and walk-through examples for signature creation.

Comments
by HITSSEC
on 07-30-2013 05:44 PM

Finally, a comprehensive reference document that fills in a lot of the gaps that were missing when trying to create custom threat signatures. Glad to see it. The example of a combination signature (pages 45-46) is quite relevant given the WordPress brute force attacks that are currently being observed.

by Cap
on 05-27-2014 08:34 AM

This is a great write-up.... Thanks!!

by vmChad
on 07-08-2014 04:19 PM

This really is great. Using example 3 from the document, you can also easily mitigate the xmlrpc.php DDoS attack by following the same steps and, instead of wp\-admin\.php for your pattern, using xmlrpc\.php.

Doing this has significantly reduced the load on our web server that is running a WordPress site.

Thank you jseals

by Tamir.n
on 11-17-2015 03:00 AM

We want to add a custom signature for DNS requests, to add to the sinkhole.

Do you have any experience with it?

by cragasyah
on 05-13-2016 02:05 AM

Can anyone help me with the regex for a short file name, like "a.ps1"? I've tried to use (\/a\.ps1); since the file should be downloaded using HTTP, I put '/' in front of the file name. But it is still not accepted by PAN-OS. Please advise.
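The two comments above (vmChad swapping xmlrpc\.php into the combination signature from example 3, and cragasyah's pattern that PAN-OS refuses) both come down to how PAN-OS evaluates a pattern. The script below is an added example, not code from the tech note or from Palo Alto Networks, and it assumes the documented PAN-OS rule that a pattern must contain a fixed (literal) string of at least 7 bytes; verify that minimum against the tech note for your release. It extracts the longest literal run from a PAN-OS style pattern (escaped characters count as literals, unescaped metacharacters break the run), which shows why `wp\-admin\.php` and `xmlrpc\.php` are accepted while `(\/a\.ps1)` is not, and it then replays the pattern over constructed request records the way a combination signature would, counting hits per source within a time window. The request records and the threshold values are constructed for the example; the helper names are my own.

```python
import re
from collections import defaultdict

# Assumed PAN-OS requirement: a pattern must contain at least this many
# literal bytes in one unbroken run (verify against the tech note / release).
MIN_FIXED_BYTES = 7

# Characters that end a literal run when they appear unescaped.
METACHARS = set(".*+?[](){}|^$")

# Constructed sample records as the http-req-uri-path context would see them:
# (seconds since start, source IP, URI path). Not real traffic.
SAMPLE_REQUESTS = [
    (0, "203.0.113.5", "/xmlrpc.php"),
    (2, "203.0.113.5", "/xmlrpc.php"),
    (3, "198.51.100.7", "/wp-admin.php"),
    (4, "203.0.113.5", "/xmlrpc.php"),
    (6, "203.0.113.5", "/xmlrpc.php"),
    (7, "198.51.100.7", "/index.php"),
    (9, "203.0.113.5", "/xmlrpc.php"),
    (10, "203.0.113.5", "/xmlrpc.php"),
]


def longest_fixed_run(pattern: str) -> str:
    """Return the longest run of literal characters in a PAN-OS style pattern.

    A backslash makes the next character literal; any unescaped metacharacter
    terminates the current literal run.
    """
    runs, cur, i = [], "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            cur += pattern[i + 1]  # escaped char is a literal
            i += 2
            continue
        if c in METACHARS:
            if cur:
                runs.append(cur)
            cur = ""
            i += 1
            continue
        cur += c
        i += 1
    if cur:
        runs.append(cur)
    return max(runs, key=len) if runs else ""


def pattern_is_acceptable(pattern: str) -> bool:
    """True when the pattern meets the assumed 7-byte fixed-string minimum."""
    return len(longest_fixed_run(pattern).encode()) >= MIN_FIXED_BYTES


def combination_hits(requests, pattern, threshold, interval):
    """Simulate a combination signature: each pattern match on a record is a
    hit; a source whose hits reach `threshold` within `interval` seconds is
    reported. Hits are aggregated per source IP (the 'source' option in the
    combination signature's time attribute)."""
    rx = re.compile(pattern)
    recent = defaultdict(list)  # src -> timestamps of hits still in the window
    triggered = set()
    for ts, src, path in requests:
        if not rx.search(path):
            continue
        window = [t for t in recent[src] if ts - t < interval] + [ts]
        recent[src] = window
        if len(window) >= threshold:
            triggered.add(src)
    return sorted(triggered)


if __name__ == "__main__":
    for pat in (r"wp\-admin\.php", r"xmlrpc\.php", r"(\/a\.ps1)"):
        run = longest_fixed_run(pat)
        print(f"{pat:16} longest literal run {run!r} ({len(run)} bytes) "
              f"-> {'ok' if pattern_is_acceptable(pat) else 'too short'}")
    # 5 hits from one source within 60 s: the constructed xmlrpc flood trips it.
    print(combination_hits(SAMPLE_REQUESTS, r"xmlrpc\.php", threshold=5, interval=60))
```

On the constructed records only 203.0.113.5 reaches five xmlrpc.php hits inside the window, so a combination signature built the way vmChad describes would fire for that source and stay quiet for 198.51.100.7. For the `a.ps1` case the literal run is `/a.ps1`, six bytes, one short of the minimum; lengthening the fixed part of the pattern (for example including more of the path or the file-name context the download actually uses) is the usual way to get such a pattern accepted.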

by cnolan
on 08-22-2017 04:48 PM

Rev E of this doc introduces the new string context: 

http-req-no-version-string-small-pkt
