Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37589 Views
  • 4 replies
  • 4 Likes

Signature for Clash of Clans game

I built the attached custom application signature for the Clash of Clans game (previously identified as unknown-tcp) based on taking multiple pcaps and finding the first 7 bytes of the first 4 data packets appear to be constant across sessions. However, I have a rather limited test bed of one iPad accessing one clan at this time. Comments and re...

david3 by L4 Transporter
  • 12014 Views
  • 3 replies
  • 1 Likes

Example Signature for WPAD.DAT Exploitation (TA16-144A)

One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own. The technical details are available at: https://www.us-cert.gov/ncas/alerts/TA16-144A There are three avenues of detection I am aware of: 1) Dete...

rcole by L4 Transporter
  • 7647 Views
  • 0 replies
  • 1 Likes

Resolved! Signature for Jabber tcp/2748

Hi, I am trying to create a custom signature for Jabber CTI (http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/port/9_0_1/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90/CUCM_BK_T98E8963_00_tcp-port-usage-guide-90_chapter_01.html) running on port 2748. The packet dump gives me this result for the client request: 5e 00 00 00 00 00 00 00 dd dd ff f...

Resolved! Signature by hostname

Hello guys, we recently discovered that sometimes, randomly, a host called "Windows7" tries to mount a shared folder from our fileserver/DC. We discovered this because our SIEM correlated some events from the DC server. Sadly this SIEM does not show us the Source IP Address, so we added a PAN in SPAN port mode to the switch to try to capture the ms-smb...

JuanB by L1 Bithead
  • 10301 Views
  • 7 replies
  • 0 Likes

Resolved! batch input

Hi, I was wondering if I can provide multiple inputs to create custom signatures. For example, one of our clients received a long list of files regarded as threats but not listed in Threat Vault. Because the list is long they would like a simpler method rather than typing them in one by one. Regards, Zaki

Resolved! Case insensitive Regex expression

I am creating a regex to capture on the expression "Bank of America". I am having trouble getting case insensitivity to work so that I can capture on "Bank of America", "bank of america" or any other variation. What is the format of this expression to account for case insensitivity? Thanks all

ttanzi by L2 Linker
  • 5461 Views
  • 2 replies
  • 0 Likes

Resolved! Regex Not matching when ? is in the URL.

I am trying to set up a custom application to match based on a URL request which contains: search= This is the only consistent 7-byte string in the URL. This works fine unless the request contains a preceding '?' in the URL. For example the following URL would not match /some.php?af=352485245&search=blahblah While this URL would match...

jpeters by L3 Networker
  • 6201 Views
  • 2 replies
  • 0 Likes

Resolved! RegEx - Pattern for strange string not work

Can someone help me with this pattern? PATTERN: +-----------------------------------------------------------------------+ PATTERN in Hex: 2b 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2...

Need help with creating signature for pop3

I would need some assistance with setting up a custom signature for pop3. I need to make a signature for the USER command returning "-ERR "; currently the PAN vuln signature only triggers on the PASS command in vuln id 31709. I run into a fundamental issue, which is the 7 bytes: pop3 does not have a 7-byte minimum on return codes. I'm suspecting I...

apike by L1 Bithead
  • 9154 Views
  • 6 replies
  • 0 Likes

Detecting an SSLv2 Server Response with a Custom Signature

DISCLAIMER: As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community. It is: - Not recommended for deployment in a production network of any kind. - Not a solution to any vulnerability. - Not an officia...

rcole by L4 Transporter
  • 4371 Views
  • 0 replies
  • 2 Likes

Detect random sub-domain DNS query

Hello, I would like to know if anyone has been successful in creating a custom signature, either a custom spyware object or a custom vulnerability signature, to detect random sub-domains in DNS queries. For example: we don't want to block www.yahoo.com or yahoo.com domain queries. But if there is a query for something like abcd1234.yahoo.com, we should detect and alert ...

Limiting File Size Upload using Custom Signature

Users in enterprises often use web-based file hosting to upload big files. This creates concerns about network bandwidth usage and server storage capacity, as a file can be bigger than 1GB. The steps below are useful to control the file size uploaded to a web server using the HTTP Request Content-Length header. PAN-OS version: 6.1.0-b43 Cre...


Resolved! Detecting overly long DNS Responses for CVE-2015-7547 glibc getaddrinfo() stack-based buffer over..

Objective: I'm trying to write a custom vuln for detecting DNS responses with payloads greater than 512 bytes. This is one of the recommended mitigations for CVE-2015-7547. Editorial: I know that there are better places to apply mitigations, such as the clients themselves, caching nameservers, etc, but please for the sake of defense-in-dept...

mgentile by L2 Linker
  • 6254 Views
  • 2 replies
  • 0 Likes

custom mail app-id

Hi. I'm trying to create a custom mail app-id filter for matching whom mail is going to and from what domain. I have added smtp as a parent application in the app-id. My app-id is matching the helo, mail from, rcpt and data from the mail. The policy with this custom app-id is a partial match; if I only have this, the data is dropped. If ...

klokholm by L1 Bithead
  • 2884 Views
  • 0 replies
  • 0 Likes