Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Resolved! Signature by hostname

Hello guys,

 

We recently discover that sometimes, ramdonly, host called "Windows7" trays to mount a shared folder from our fileserver/DC. We discover this because our SIEM correlated some events from de DCserver. Sadly this SIEM do not show us the S

...

JuanB by L1 Bithead
  • 8126 Views
  • 7 replies
  • 0 Likes

Resolved! batch input

Hi,

i was wondering if I can input multiple inputs to create custom signature.

For example, one of our clients received a long list of files regarded as threat but not listed in threat vault. Because the list is long they would like a simpler method

...

Resolved! Case insensitive Regex expression

I am creating a regex to capture on the expression "Bank of America". I am having trouble getting case insensitivity to work so that I can capture on "Bank of America, bank of america or any other variation.  What is the format of this expression to

...

ttanzi by L2 Linker
  • 4058 Views
  • 2 replies
  • 0 Likes

Resolved! Regex Not matching when ? is in the URL.

I am trying to setup a custom application to match based on URL request which contains:

 

search=

 

This is the only consistent 7 byte string in the URL. This works fine unless the request contains a preceeding '?' in the URL. 

 

For example the foll

...

jpeters by L3 Networker
  • 5016 Views
  • 2 replies
  • 0 Likes

Resolved! RegEx - Pattern for strange string not work

Someone can help me for this pattern?

 

PATTERN:
+-----------------------------------------------------------------------+
PATTERN in Hex:
2b 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d

...

Need help with creating signature for pop3

I would need some assistance with setting up a custom signature for pop3.

 

I need to make a signature for the USER  command returning "-ERR " currently the Pan vuln signature only triggers on the Pass command in vuln id 31709. I run into a fundament

...

apike by L1 Bithead
  • 7224 Views
  • 6 replies
  • 0 Likes

Detect random sub-domain DNS query

Hello,

 

I would like know if anyone has succesfull creating a custom signature either Custom spyware object or custom vulnerability signature to detect random sub-domain in DNS query.

For example:

We don't want to block www.yahoo.com or yahoo.com do

...

Limiting File Size Upload using Custom Signature

Users in enterprise often use web based file hosting to upload big files. This creates concerns in the usage of networks bandwidth and server storage capacity, as the file can be bigger than 1GB. Below steps are usefull to control file size uploaded

...

1.1.jpg
1.2.jpg
1.3.png
1.4.jpg

custom mail app-id

hi. 

I'am trying to create a custom mail app-id filter, for matching; to whom mail is gonging to and from what domain.

I have add smtp as a parent application in the app-id.

 

My app-id is matching the helo, mail from, rcp, data. from the mail. The

...

application-smtp
application-ports
application-signature
policy-rule
klokholm by L1 Bithead
  • 2124 Views
  • 0 replies
  • 0 Likes

Resolved! Joomla Remote Code Execution - CVE-2015-8562

Hello,

 

I created a custom vulnerability signature that helps to detect and block the recently discovered Joomla RCE zero day which has since been patched by the vendor. I've opened a case with an engineer and he suggesed some additional protections

...

kalakai by L2 Linker
  • 4788 Views
  • 1 replies
  • 3 Likes

Submit a New Threat

Hello,

 

My IDS has detected a new Angler signature on my network and it was allowed by my PA firewall. The traffic was allowed being the IDS is not inline. How do I submit packets for a threat update/addition?

bkluth by L0 Member
  • 3994 Views
  • 4 replies
  • 0 Likes

How to make custom signature with segment field?

Recently, URL filter evasion application often use tcp segment field.

How to make custom application with tcp segment field?

 

Protocol sequence.

1. SYN 

2. SYN,ACK

3. ACK

4. PSH,ACK : TCP segment data has GET / HTTP/1.1

 

 

 

It can bypass our URL

...

dodgechrome_tcp_segment.png
bkim by L0 Member
  • 3961 Views
  • 2 replies
  • 0 Likes