Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Minimal configuration for Custom Apps

Our programmer wrote an app that uses TCP/9901 and 9902 to transfer data between the East and West buildings. Let's call it JC-App. What is the minimum configuration on both the East and West Firewalls? Also, what would need to be added to requir

...

Convert ScreenOS Multicast static route to PaloAlto

Hi all,

I'm finally converting an old Juniper ScreenOS firewall to a Palo Alto firewall (5020). I have some problems understanding how to convert some multicast static routes.

On ScreenOS I have this specific entry, for example:

GUI:

Type: Static, Forwarding

So

...

Allow iOS Ring doorbell

Hello,

I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue.

The problem is that it reports the web URL category as "unknown" which I am currently blocking.

I wro

...


Custom App for unknown SIP traffic

Hi.

I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the SIP headers but I'm not sure how to write the pattern.

I have done a capture of the traffic and this is what I got...

What can be used h

...

OyvindM by L0 Member
  • 288 Views
  • 0 replies
  • 0 Likes

Letsencrypt (acme) challenge URL

I created this pattern to recognize the Letsencrypt (acme-protocol) challenge.

You need to create a custom application with these fields:

  • Type: Transaction
  • Context: http-req-uri-path
  • Pattern: ^GET /\.well-known/acme-challenge/

That's the best I could bet.

 

...

Custom signature for catch specific query

Hello all

I'm trying to catch suspicious LDAP queries (recon activity).
For example, I want to catch this kind of query: (primaryGroupID=512)

I tried to make a custom rule. However, for LDAP there are only 2 possibilities:
- ldap-req-searchrequest-bas

...

jsv93 by L0 Member
  • 493 Views
  • 1 replies
  • 0 Likes

Allow or drop traffic based on headers

Hi,
I need to allow/drop traffic based on headers.
I need a custom signature to make sure the HOST is one of:
1. abc.com (or)
2. xyz.com

AND
The XFF header is one of:
1. 1.1.1.1 (or)
2. 2.2.2.2 (or)
3. 3.3.3.3

AND
A header name "X-MyHeader" has the value: "123"

...

Resolved! Threat signature for ICMP type

Has anyone had success in creation of threat signatures for ICMP type? I've seen (and tested) the Palo Alto guide on creation of an app to block/allow specific ICMP types and was trying to log a threat event for potential use and visibility versus c

...

Custom Signature to detect a PDF file

DISCLAIMER:

As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.

It is:

- Not recommended fo

...

dparris by L5 Sessionator
  • 7391 Views
  • 4 replies
  • 3 Likes

Limiting http methods to specific URLs

Has anyone had luck limiting HTTP methods like PUT to specific URLs? For example, limiting a PUT to https://www.foo.com/ but not to https://www.foo.com/folder1? I've created a custom vulnerability that allows the http-method (http-req-header length >

...

IamJoeG by L0 Member
  • 1578 Views
  • 3 replies
  • 0 Likes