This document describes the general threat ID ranges in the Palo Alto Networks content database.
WildFire Public Cloud Signatures
WildFire Private Cloud (WF-500) Signatures
I got some malware above 3150000 and it looks like flash files. Could you update this document?
Thanks for bringing this to our attention. The document has been updated.
I've received a threat of type 'wildfire-virus' with ID '53000000'. Are there ranges for the wildfire appliance? Please update the document.
We have detected some misclassified events. For example:
-Virus/Win32.WGeneric.fmrcb(3130801) -> This is not a wildfire event (not detected by a wildfire engine at all), but the ID assigned is in the range "Office (WildFire): 3130000 - 3140000", which is totally wrong
-Trojan-Downloader/Win32.upatre.mqi(3057409) -> This is not a wildfire event (not detected by a wildfire engine at all), but the ID assigned is in the range "PE (WildFire): 3000000 - 3100000", which is totally wrong
If you need the full logs, please contact me.
Is this document updated? Looks like the ID ranges have been changed?!
Seeing this ID today for DNS signature.. 3822315
Signatures 3,800,000-3,999,999 are suspicious DNS signatures that live in Wildfire content and have not yet been migrated to AV content.
ajrockn: add the ID column to the threat monitor. That will tell you the threat ID number, which is what this article details. :)
Below WildFire Suspicious DNS Signature range is expected to end at 3900000. 4000000 overlaps another. Could you check it and revise if it's wrong?
I see signature 4000000 triggering quite often. Looking at the documentation it falls under two groups:
Which one is the correct one?
Also, can you please review in the document if the signature range is correct? I see some alerts with signatures 3825582 and 3820251 not produced by a Wildfire device, and following the documentation they fall in the WildFire range.
New spyware threat categories have been added as well..
Autogen, DNS, DNS-Wildfire and Phishing-kit.