This tech note addresses topics related to creating custom application and customer vulnerability signatures. It contains regex basics, details for each custom signature context, and walk-through examples for signature creation.
Finally a comprehensive reference document that fills in a lot of the gaps that were missing when trying to create custom threat signatures. Glad to see it. The example of a combination signature (pages 45-46) is quite relevant given the current WordPress brute force attacks that are currently being observed.
This is a great write-up... Thanks!!
This really is great. Using example 3 from the document you can also easily mitigate against the xmlrpc.php DDoS attack by following the same steps and, instead of wp\-admin\.php for your pattern, using xmlrpc\.php.
Doing this has significantly reduced the load on our web server that is running a WordPress site.
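The two steps the comment above relies on (a pattern matched against the request URI path, then a combination signature that fires only after repeated hits from one source within a time window) can be simulated outside the firewall. The following Python is an added illustration, not code from the tech note or from PAN-OS; the sample requests, the threshold of 10 hits per 60 seconds and the per-source sliding window are constructed assumptions, and the real matching engine and combination-signature semantics are not reproduced.

```python
import re
from collections import defaultdict, deque

# Patterns written exactly as the thread escapes them: the dot and hyphen are
# literal characters, so "xmlrpcXphp" must not match.
PATTERNS = {
    "wp-admin": re.compile(r"wp\-admin\.php"),
    "xmlrpc": re.compile(r"xmlrpc\.php"),
}

# Constructed sample traffic: (timestamp_seconds, source_ip, method, uri_path).
# 10.0.0.5 hammers xmlrpc.php twelve times in twelve seconds (assumed brute
# force); 10.0.0.9 touches it twice, far apart; 10.0.0.7 is ordinary browsing.
SAMPLE_REQUESTS = (
    [(float(i), "10.0.0.5", "POST", "/xmlrpc.php") for i in range(12)]
    + [(5.0, "10.0.0.9", "GET", "/xmlrpc.php"),
       (70.0, "10.0.0.9", "GET", "/xmlrpc.php")]
    + [(3.0, "10.0.0.7", "GET", "/index.php"),
       (4.0, "10.0.0.7", "GET", "/wp-content/logo.png")]
)


def uri_path_matches(pattern, uri_path):
    """Single-hit check: does the URI path contain the pattern anywhere?"""
    return pattern.search(uri_path) is not None


def combination_hits(requests, pattern, threshold, window_seconds):
    """Simulate a combination signature.

    Counts pattern matches per source over a sliding window and records an
    alert the moment a source reaches `threshold` hits within `window_seconds`.
    The window is reset after an alert so one burst produces one alert.
    Returns a list of (source_ip, alert_timestamp).
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of recent matches
    alerts = []
    for ts, src, _method, path in sorted(requests):
        if not uri_path_matches(pattern, path):
            continue
        q = recent[src]
        q.append(ts)
        # Drop matches that fell out of the window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    print(combination_hits(SAMPLE_REQUESTS, PATTERNS["xmlrpc"], 10, 60))
```

With these inputs only 10.0.0.5 crosses the threshold, at the tenth request; the two spaced-out requests from 10.0.0.9 never accumulate, which is the behaviour a combination signature is meant to give over a plain per-request pattern.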
Thank you jseals
We want to add a custom signature for DNS requests to add to the sinkhole.
Do you have any experience with it?
Can anyone help me with the regex for a short file name, like "a.ps1"? I've tried to use (\/a\.ps1); since the file should be downloaded using HTTP, I put '/' in front of the file name. But it is still not accepted by PAN-OS. Please advise.
Rev E of this doc introduces the new string context: