The Palo Alto Networks next-generation firewall supports custom vulnerability signatures using the firewall's threat engine. You can write custom regular expression patterns to identify vulnerability exploits. The resulting vulnerability patterns become available for use in vulnerability security profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.
Using the Custom Vulnerability Signature Page
You can define signatures for Vulnerability Protection profiles with the following steps.
Add the Custom Vulnerability Object by going to the Objects tab > select Vulnerability > add Custom Objects as shown below.
Firewall web interface view of Objects tab to enter Custom Vulnerability Object
In the custom vulnerability signature popup, fill out the required information on the Configuration tab. In this use case, I'll show you how to match on a specific browser version.
The mandatory fields are as follows:
Threat ID: A numeric identifier. For vulnerability signatures, the range is 41000-45000.
Name: Specify the threat name.
Severity: Assign a level that indicates the seriousness of the threat.
Direction: Indicate whether the threat is assessed from the client to server, server to client, or both.
Next, go to the Signatures tab to add a signature (1), then select the Standard radio button and click Add (2).
View of Signatures tab for Custom Vulnerability Signatures
In the Standard window, complete the following steps:
Standard: Fill in the desired name to identify the signature.
Comment: Here you can add an optional description.
Scope: Here you can select whether to apply this signature only to the current transaction or to the full user session. In this example, we'll go with Transaction.
Ordered Condition Match: Select if the order in which the signature conditions are defined is important.
Add Or Condition: Add and specify conditions to define signatures.
In the next window, we'll specify the signature match.
Operator: Defines the type of condition that must be true for the custom signature to match to traffic. Choose from Less Than, Equal To, Greater Than, or Pattern Match operators.
When choosing a Pattern Match operator, specify the following; all of it must be true for the signature to match traffic:
Context: Select from the available context
Pattern: Specify a regular expression
Qualifier and Value: Add qualifier/value pairs (optional)
Negate: Select the Negate check box so the custom signature matches to traffic only when the defined Pattern Match condition is not true (this allows you to ensure that the custom signature is not triggered under certain conditions)
In this example, we'll look for the pattern match "Chrome/" in the Context field 'http-req-headers' as shown in the example below.
Why match on Chrome/?
If you take a packet capture while browsing with a Google Chrome browser, you will find the following pattern match in the capture.
Follow TCP Stream with PCAP highlighted.
Click OK to create your custom vulnerability.
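As an added illustration (not code from the original post or from Palo Alto Networks), the following Python script emulates what a Pattern Match condition does against the http-req-headers context: it runs the regex over constructed HTTP request headers (hypothetical Chrome and Firefox User-Agent strings), shows how narrowing the pattern from "Chrome/" to a specific version string changes the result, and how Negate inverts it. The fixed-string check reflects the PAN-OS requirement that a custom signature regex contain a literal string of at least 7 bytes, which is why "Chrome/" (exactly 7 bytes) is a usable pattern.

```python
import re

# Constructed request headers, as the http-req-headers context would see them.
# The User-Agent values are hypothetical, not taken from the post's capture.
CHROME_HEADERS = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.6099.130 Safari/537.36\r\n"
    "Accept: text/html\r\n\r\n"
)
FIREFOX_HEADERS = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:121.0) "
    "Gecko/20100101 Firefox/121.0\r\n\r\n"
)

# Regex metacharacters; anything between them is treated as a literal run.
_META = re.compile(r"[\\\[\]().*+?{}|^$]")


def fixed_string_ok(pattern: str) -> bool:
    """Conservative check for the PAN-OS rule that a custom signature regex
    must contain a fixed string of at least 7 bytes (escaped characters such
    as '\\.' are not counted, so this may undercount but never overcount)."""
    return max(len(run) for run in _META.split(pattern)) >= 7


def pattern_match(headers: str, pattern: str, negate: bool = False) -> bool:
    """Emulate one Pattern Match condition on the http-req-headers context.
    Returns True when the condition is satisfied (inverted if Negate is set)."""
    if not fixed_string_ok(pattern):
        raise ValueError(f"pattern {pattern!r} lacks a 7-byte fixed string")
    hit = re.search(pattern, headers) is not None
    return (not hit) if negate else hit


if __name__ == "__main__":
    # Broad match (any Chrome), then a version-specific match, then Negate.
    print(pattern_match(CHROME_HEADERS, r"Chrome/"))            # True
    print(pattern_match(CHROME_HEADERS, r"Chrome/120\.0\."))    # True
    print(pattern_match(CHROME_HEADERS, r"Chrome/119\."))       # False
    print(pattern_match(FIREFOX_HEADERS, r"Chrome/", negate=True))  # True
```

Matching a full version prefix such as `Chrome/120\.0\.` is how you narrow the signature to the specific browser build you care about instead of every Chrome session.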
Enable your signature
NOTE: The custom signature will not be enabled by default.
To enable your custom signature, go to the Vulnerability Protection Security Profile. Edit your profile. On the Exceptions tab, search for the Threat ID and enable it.
Inside the WebUI, start at Objects > select Vulnerability Protection > select the profile to edit (Alert in this example) > Exceptions tab > enter the Threat ID > check Enable. (Note: If your signature does not show up, select "Show all signatures" in the lower left of the Profile window.)
Enable Custom Signature in Vulnerability Protection Profile view.
Don't forget to apply this Security Profile to your Security Policy.😉
After committing this change, you will get alert messages in your Threat Log when you are browsing with a Google Chrome browser. Of course, you could use this signature to block traffic if you change the Action column to Block.