This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Start a conversation

Limiting File Size Upload using Custom Signature

Users in enterprise often use web based file hosting to upload big files. This creates concerns in the usage of networks bandwidth and server storage capacity, as the file can be bigger than 1GB. Below steps are usefull to control file size uploaded

...

1.1.jpg
1.2.jpg
1.3.png
1.4.jpg

custom mail app-id

hi. 

I'am trying to create a custom mail app-id filter, for matching; to whom mail is gonging to and from what domain.

I have add smtp as a parent application in the app-id.

 

My app-id is matching the helo, mail from, rcp, data. from the mail. The

...

application-smtp
application-ports
application-signature
policy-rule
klokholm by L1 Bithead
  • 2264 Views
  • 0 replies
  • 0 Likes

Resolved! Joomla Remote Code Execution - CVE-2015-8562

Hello,

 

I created a custom vulnerability signature that helps to detect and block the recently discovered Joomla RCE zero day which has since been patched by the vendor. I've opened a case with an engineer and he suggesed some additional protections

...

kalakai by L2 Linker
  • 5031 Views
  • 1 replies
  • 3 Likes

Submit a New Threat

Hello,

 

My IDS has detected a new Angler signature on my network and it was allowed by my PA firewall. The traffic was allowed being the IDS is not inline. How do I submit packets for a threat update/addition?

bkluth by L0 Member
  • 4253 Views
  • 4 replies
  • 0 Likes

How to make custom signature with segment field?

Recently, URL filter evasion application often use tcp segment field.

How to make custom application with tcp segment field?

 

Protocol sequence.

1. SYN 

2. SYN,ACK

3. ACK

4. PSH,ACK : TCP segment data has GET / HTTP/1.1

 

 

 

It can bypass our URL

...

dodgechrome_tcp_segment.png
bkim by L0 Member
  • 4185 Views
  • 2 replies
  • 0 Likes

PAN-OS 7.0.3 bug with Cloning of Profiles

Ran into an issue here tonight where when you clone a profile for anti spyware and pattern match based on that, this is broken and will not alert. Be sure to create a new profile from scratch. I have submitted this to Palo for them to vet this issue...

h323-message-body values

We seem to have a new h.225/h.323 scanning campaign going on that disturbs meetings. The strings that seem to be the same throughout are "productId: MERA RTU" and "versionId: 4.4.0-06a".

 

So I've tried two different methods of catching this traffic.

...

Screenshot 2015-11-26 16.21.20.png
Froning by L1 Bithead
  • 4996 Views
  • 6 replies
  • 0 Likes

Dell Root Certificate "eDellRoot"

Good afternoon, all!

 

Researchers have discovered a trusted root certificate being deployed by Dell on some newer laptops. For reference, see here.

 

While an official signature from Palo Alto Networks is likely not forthcoming due to legitimate usa

...

rcole by L4 Transporter
  • 3017 Views
  • 0 replies
  • 3 Likes

Resolved! Block External to internal when not using FQDN

I have tried to create a Custom threat a number of times that blocks people from accessing our site via IP address as the url. I have tried setting it up as so

 

Operator: Pattern-Match

Context: http-req-host-header

Pattern: 111\.2\.3\.4

Qualifer: re

...

murphyj by L2 Linker
  • 7821 Views
  • 6 replies
  • 1 Likes

Honey pot signature

Hi,

    I have certain subnets that are currently not in use in our domain, I wanted to ip-block for 30 minutes all ips that access any of these subnets. Is it possible to creat a threat signature for this?

 

Thanks,

             VIREN

  • 164 Posts
  • 80 Subscriptions
Top Liked Authors
View All
Labels
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks