Threat ID Ranges in the Palo Alto Networks Content Database

by kadak on 07-01-2014 03:15 PM - edited on 10-02-2017 12:30 AM by Community Manager

Overview

This document lists the threat ID ranges used in the Palo Alto Networks content database, so that the numeric threat ID shown in a threat log entry can be mapped to the signature family that produced it (antivirus, WildFire public cloud, WildFire private cloud, spyware or vulnerability). Bounds are given as published; several adjacent ranges share an endpoint, and the WildFire suspicious DNS range as listed overlaps the DNS ranges given for antivirus and WildFire, so an ID at a boundary can fall into more than one range (see the comments below).


Details

Anti-Virus Signatures

  • PE: 2000000 - 2900000
  • PDF: 1100000 - 1102000
  • Android File Format (APK): 1000000 - 1010000
  • DNS: 4000000 - 4100000
  • Office2003/RTF: 1200000 - 1202000
  • JAVA Class: 1250000 - 1253000
  • Flash: 1270000 - 1273000
  • MS Office2007 or later: 1210000 - 1211000
  • SWFZWS: 6000000 - 6000500
  • PKG: 1050000 - 1051000
  • MACH-O: 1060000 - 1062000
  • APP: 1070000 - 1071000
  • DMG: 6010000 - 6015000


WildFire Public Cloud Signatures

  • PE: 3000000 - 3100000
  • PDF: 3100000 - 3101000
  • Android File Format (APK): 3110000 - 3111000
  • DNS: 3800000 - 3804000
  • Office2003/RTF: 3130000 - 3131000
  • JAVA Class: 3140000 - 3141000
  • Flash: 3150000 - 3151000
  • MS Office2007 or later: 3160000 - 3161000
  • WildFire Suspicious DNS Signatures: 3800000 - 4999999 (as listed, this range contains the WildFire DNS range above and overlaps the Anti-Virus DNS range 4000000 - 4100000; see the comments below)
  • SWFZWS: 6200000 - 6200500
  • PKG: 3400000 - 3400500
  • MACH-O: 3402000 - 3402500
  • APP: 3404000 - 3404500
  • DMG: 6205000 - 6206000


WildFire Private Cloud (WF-500) Signatures

  • PE: 5000000 - 5100000
  • PDF: 5200000 - 5300000
  • Flash: 5300000 - 5400000
  • MS Office: 5400000 - 5600000
  • RTF: 5600000 - 5650000
  • JAVA Class: 5650000 - 5700000
  • DNS: 5800000 - 6000000


Spyware Signatures

  • Threat ID range: 10000 - 29999
  • Additional Threat ID range added for PAN-OS 7.1 and newer: 80001 - 99999
  • Custom threat ID range: 15000 - 18000
  • Custom DNS Signature Block List: Generic threat ID 12000000
  • Categories in spyware: Adware, Backdoor, Botnet, Browser, Browser-hijack, Data-Theft, Keylogger, Net-Worm and Spyware


Vulnerability Signatures

  • Threat ID range: 30000 - 45000
  • Additional Threat ID range added for PAN-OS 7.1 and newer: 54001 - 59999
  • Custom threat ID range: 41000 - 45000
  • Categories in vulnerability: Brute-force, Code Execution, DoS, Info-leak, Overflow and SQL Injection
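The following Python is an added example, not code from this article or from Palo Alto Networks. It encodes the ranges above exactly as printed and maps a threat ID from a log entry onto them, reporting IDs that fall into no listed range or into more than one, which is the confusion several comments below raise (3822315, 4000000, 53000000). The "Name(ID)" threat-name format is the one the comments quote; the sample names and the range-table labels are constructed for this example.

```python
"""Map PAN-OS threat IDs onto the ranges listed in this article.

Example code added to the article, not Palo Alto Networks' code. The range
table is copied from the lists above as published (both bounds taken as
inclusive), including the overlapping entries that commenters flagged, so the
tool surfaces ambiguous and unmapped IDs instead of hiding them. The
'Name(ID)' threat-name format is the one quoted in the comments.
"""
import re
from itertools import combinations
from typing import List, NamedTuple, Optional, Tuple


class Range(NamedTuple):
    family: str
    subtype: str
    low: int   # inclusive, as printed above
    high: int  # inclusive, as printed above


AV, WF, WF500, SPY, VULN = ("Anti-Virus", "WildFire Public Cloud",
                            "WildFire Private Cloud (WF-500)", "Spyware", "Vulnerability")

RANGES: List[Range] = [
    Range(AV, "PE", 2000000, 2900000), Range(AV, "PDF", 1100000, 1102000),
    Range(AV, "APK", 1000000, 1010000), Range(AV, "DNS", 4000000, 4100000),
    Range(AV, "Office2003/RTF", 1200000, 1202000), Range(AV, "JAVA Class", 1250000, 1253000),
    Range(AV, "Flash", 1270000, 1273000), Range(AV, "MS Office2007+", 1210000, 1211000),
    Range(AV, "SWFZWS", 6000000, 6000500), Range(AV, "PKG", 1050000, 1051000),
    Range(AV, "MACH-O", 1060000, 1062000), Range(AV, "APP", 1070000, 1071000),
    Range(AV, "DMG", 6010000, 6015000),
    Range(WF, "PE", 3000000, 3100000), Range(WF, "PDF", 3100000, 3101000),
    Range(WF, "APK", 3110000, 3111000), Range(WF, "DNS", 3800000, 3804000),
    Range(WF, "Office2003/RTF", 3130000, 3131000), Range(WF, "JAVA Class", 3140000, 3141000),
    Range(WF, "Flash", 3150000, 3151000), Range(WF, "MS Office2007+", 3160000, 3161000),
    Range(WF, "Suspicious DNS", 3800000, 4999999), Range(WF, "SWFZWS", 6200000, 6200500),
    Range(WF, "PKG", 3400000, 3400500), Range(WF, "MACH-O", 3402000, 3402500),
    Range(WF, "APP", 3404000, 3404500), Range(WF, "DMG", 6205000, 6206000),
    Range(WF500, "PE", 5000000, 5100000), Range(WF500, "PDF", 5200000, 5300000),
    Range(WF500, "Flash", 5300000, 5400000), Range(WF500, "MS Office", 5400000, 5600000),
    Range(WF500, "RTF", 5600000, 5650000), Range(WF500, "JAVA Class", 5650000, 5700000),
    Range(WF500, "DNS", 5800000, 6000000),
    Range(SPY, "standard", 10000, 29999), Range(SPY, "PAN-OS 7.1+", 80001, 99999),
    Range(SPY, "custom", 15000, 18000), Range(SPY, "custom DNS block list", 12000000, 12000000),
    Range(VULN, "standard", 30000, 45000), Range(VULN, "PAN-OS 7.1+", 54001, 59999),
    Range(VULN, "custom", 41000, 45000),
]

# Threat names in the log end in the numeric ID in parentheses, e.g. "Virus/Win32.X.y(3130801)".
_ID_SUFFIX = re.compile(r"\((\d+)\)\s*$")


def parse_threat_id(threat_name: str) -> Optional[int]:
    """Pull the numeric ID out of a 'Name(ID)' threat/content name; None if there is none."""
    m = _ID_SUFFIX.search(threat_name)
    return int(m.group(1)) if m else None


def classify(threat_id: int) -> List[Range]:
    """Every listed range containing threat_id: empty (unmapped), one, or several (ambiguous)."""
    return [r for r in RANGES if r.low <= threat_id <= r.high]


def overlapping_ranges() -> List[Tuple[Range, Range]]:
    """Pairs of listed ranges that share at least one ID under inclusive bounds."""
    return [(a, b) for a, b in combinations(RANGES, 2)
            if a.low <= b.high and b.low <= a.high]


def describe(threat_name: str) -> str:
    """One-line verdict for a threat-name string as it appears in the log."""
    tid = parse_threat_id(threat_name)
    if tid is None:
        return f"{threat_name}: no numeric ID in the name; add the ID column to the threat log view"
    hits = classify(tid)
    if not hits:
        return f"{threat_name}: ID {tid} is outside every range listed in this article"
    label = "; ".join(f"{r.family} / {r.subtype}" for r in hits)
    return f"{threat_name}: {'AMBIGUOUS ' if len(hits) > 1 else ''}{label}"


if __name__ == "__main__":
    # Constructed sample names built from the IDs quoted in the comments on this article.
    for name in ["Virus/Win32.WGeneric.fmrcb(3130801)", "Trojan-Downloader/Win32.upatre.mqi(3057409)",
                 "dns-signature(3822315)", "dns-signature(4000000)",
                 "wildfire-virus(53000000)", "None:9"]:
        print(describe(name))
    print("\nRanges that overlap as printed:")
    for a, b in overlapping_ranges():
        print(f"  {a.family}/{a.subtype} {a.low}-{a.high}  <->  {b.family}/{b.subtype} {b.low}-{b.high}")
```

Running the block prints one verdict per sample name and then every pair of ranges that share an ID as printed. The custom spyware and vulnerability ranges are expected to sit inside their parent ranges, and adjacent ranges that share a single endpoint are a presentation issue; the pair Anti-Virus DNS / WildFire Suspicious DNS is the one that makes a real ID such as 4000000 ambiguous, and 53000000 is reported as unmapped because no list above covers it.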


File types

https://live.paloaltonetworks.com/t5/Configuration-Articles/FileType-list-with-the-Threat-ID-number/...


owner: kadak

Comments
by tmyzw
on 11-09-2014 10:32 PM

I got some malware above 3150000 and it looks like Flash files. Could you update this document?

by panagent
on 11-10-2014 08:53 AM

Thanks for bringing this to our attention. The document has been updated.

by ascit
on 05-19-2015 05:26 PM

I've received a threat of type 'wildfire-virus' with ID '53000000'. Are there ranges for the WildFire appliance? Please update the document.

by angel.parrizas
on 07-06-2015 12:48 AM

Hello,

We have detected some misclassified events. For example:

  • Virus/Win32.WGeneric.fmrcb(3130801) -> This is not a WildFire event (not detected by a WildFire engine at all), but the ID assigned is in the range "Office (WildFire): 3130000 - 3140000", which is totally wrong.
  • Trojan-Downloader/Win32.upatre.mqi(3057409) -> This is not a WildFire event (not detected by a WildFire engine at all), but the ID assigned is in the range "PE (WildFire): 3000000 - 3100000", which is totally wrong.

If you need the full logs, please contact me

Thanks

by jochristian
on 10-30-2015 04:02 AM

Hi,

Is this document updated?
Looks like the ID ranges have been changed?!

Seeing this ID today for a DNS signature: 3822315

by oschuler
on 10-30-2015 06:36 AM
Right, we can no longer run Windows Updates. It's being DNS-blackholed through Threat ID 3822315...
by rcole
on 01-06-2016 03:47 PM

Signatures 3,800,000-3,999,999 are suspicious DNS signatures that live in Wildfire content and have not yet been migrated to AV content.

by ajrockn
on 01-22-2016 08:59 AM
We're showing None:9, None:7, None:4 and None:c... What are these classified as? Thanks!
by rcole
on 01-22-2016 10:58 AM

ajrockn: add the ID column to the threat monitor. That will tell you the threat ID number, which is what this article details. :)

by ytsuji
on 02-04-2016 12:34 AM

The WildFire Suspicious DNS Signature range below is expected to end at 3900000. 4000000 overlaps another. Could you check it and revise it if it's wrong?

  • Wildfire Suspicious DNS Signatures: 3800000 - 4000000
by angel.parrizas
on 09-26-2016 05:38 AM

Hello,

I see signature 4000000 triggering quite often. Looking at the documentation it falls under two groups:

  • DNS: 4000000 - 4100000
  • Wildfire Suspicious DNS Signatures: 3800000 - 4000000

Which one is the correct one?

Also, can you please review in the document whether the signature range is correct? I see some alerts with signatures 3825582 and 3820251 not produced by a WildFire device, and following the documentation they fall in the WildFire range.

Thanks,

by benmeagher
on 04-30-2018 12:32 PM

New spyware threat categories have been added as well:

Autogen, DNS, DNS-Wildfire and Phishing-kit.
