Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

h323-message-body values

We seem to have a new h.225/h.323 scanning campaign going on that disturbs meetings. The strings that seem to be the same throughout are "productId: MERA RTU" and "versionId: 4.4.0-06a".

 

So I've tried two different methods of catching this traffic.

...

Froning by L1 Bithead
  • 4492 Views
  • 6 replies
  • 0 Likes

Dell Root Certificate "eDellRoot"

Good afternoon, all!

 

Researchers have discovered a trusted root certificate being deployed by Dell on some newer laptops. For reference, see here.

 

While an official signature from Palo Alto Networks is likely not forthcoming due to legitimate usa

...

rcole by L4 Transporter
  • 2777 Views
  • 0 replies
  • 3 Likes

Resolved! Block External to internal when not using FQDN

I have tried to create a Custom threat a number of times that blocks people from accessing our site via IP address as the url. I have tried setting it up as so

 

Operator: Pattern-Match

Context: http-req-host-header

Pattern: 111\.2\.3\.4

Qualifier: re

...

murphyj by L2 Linker
  • 7160 Views
  • 6 replies
  • 1 Likes

Honey pot signature

Hi,

I have certain subnets that are currently not in use in our domain. I wanted to ip-block for 30 minutes all IPs that access any of these subnets. Is it possible to create a threat signature for this?

 

Thanks,

             VIREN