Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3519 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37758 Views
  • 4 replies
  • 4 Likes

custom mail app-id

Hi. I'm trying to create a custom mail app-id filter for matching to whom mail is going and from what domain. I have added smtp as a parent application in the app-id. My app-id is matching the helo, mail from, rcp, data from the mail. The policy with this custom app-id is a partial match; if I only have this, the data is dropped. If ...

application-smtp
application-ports
application-signature
policy-rule
klokholm by L1 Bithead
  • 2896 Views
  • 0 replies
  • 0 Likes

Resolved! Joomla Remote Code Execution - CVE-2015-8562

Hello, I created a custom vulnerability signature that helps to detect and block the recently discovered Joomla RCE zero day, which has since been patched by the vendor. I've opened a case with an engineer and he suggested some additional protections until an official signature is released. The engineer suggested I post it here so that other peo...

kalakai by L2 Linker
  • 6081 Views
  • 1 reply
  • 3 Likes

Submit a New Threat

Hello, my IDS has detected a new Angler signature on my network and it was allowed by my PA firewall. The traffic was allowed because the IDS is not inline. How do I submit packets for a threat update/addition?

bkluth by L0 Member
  • 5298 Views
  • 4 replies
  • 0 Likes

How to make custom signature with segment field?

Recently, URL filter evasion applications often use the TCP segment field. How do I make a custom application with the TCP segment field? Protocol sequence: 1. SYN 2. SYN,ACK 3. ACK 4. PSH,ACK: the TCP segment data contains GET / HTTP/1.1. It can bypass our URL filtering. You can download and reproduce it using the link below. http://1bil.net/DodgeChrome-31.zip ...

dodgechrome_tcp_segment.png

PAN-OS 7.0.3 bug with Cloning of Profiles

Ran into an issue here tonight: when you clone an anti-spyware profile and pattern match based on that, it is broken and will not alert. Be sure to create a new profile from scratch. I have submitted this to Palo for them to vet the issue and see where it's broken. I was testing this on a VM-100 using 7.0.3.

h323-message-body values

We seem to have a new h.225/h.323 scanning campaign going on that disturbs meetings. The strings that seem to be the same throughout are "productId: MERA RTU" and "versionId: 4.4.0-06a". So I've tried two different methods of catching this traffic. Custom threat signatures and custom apps with the same pattern matched, but neither work. Here's...

Screenshot 2015-11-26 16.21.20.png
Froning by L1 Bithead
  • 6439 Views
  • 6 replies
  • 0 Likes

Dell Root Certificate "eDellRoot"

Good afternoon, all! Researchers have discovered a trusted root certificate being deployed by Dell on some newer laptops. For reference, see here. While an official signature from Palo Alto Networks is likely not forthcoming due to legitimate usage of the certificate, customers who do wish to alert when this certificate is detected by their ...

rcole by L4 Transporter
  • 3661 Views
  • 0 replies
  • 3 Likes

Resolved! Block External to internal when not using FQDN

I have tried a number of times to create a custom threat that blocks people from accessing our site via IP address as the URL. I have tried setting it up as follows: Operator: Pattern-Match, Context: http-req-host-header, Pattern: 111\.2\.3\.4, Qualifier: req-hdr-type, Value: HOST. Or: Operator: Pattern-Match, Context: http-req-host-header, Pattern: 111\...

murphyj by L2 Linker
  • 9587 Views
  • 6 replies
  • 1 Like

Example to Detect Malicious ELF Binaries (Linux Encoder Ransomware)

Good afternoon! We've got another sample of what can be accomplished using our custom signature engine today. Please note before continuing that: A) This signature exists as a sample to show what is possible, and has not been properly QA'd/soak tested to ensure no false positives. The hex values from the binaries were arbitrarily chosen simply to...

rcole by L4 Transporter
  • 3806 Views
  • 0 replies
  • 0 Likes

Example to detect SMTP 550 (destination email address does not exist)

Here is an example to alert when a server responds with SMTP 550 (mailbox does not exist). The context used is 'smtp-rsp-content' and the pattern to be matched is '550\ 5\.1\.1': <pattern>550\ 5\.1\.1</pattern><context>smtp-rsp-content</context>. Full example signature (7.0) attached as 'sample_smtp_vulnerability_41002.xml' ...

goku123 by L7 Applicator
  • 3966 Views
  • 0 replies
  • 4 Likes

Honey pot signature

Hi, I have certain subnets that are currently not in use in our domain. I wanted to IP-block for 30 minutes all IPs that access any of these subnets. Is it possible to create a threat signature for this? Thanks, VIREN
