Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Custom objects signature - DNS query length

Hello

I am trying to create a custom object / custom spyware signature based on dns-req-section that would alert when the requested domain via dns is longer than x amount of characters.
Currently I am stuck at the pattern requirement to have 7 fixed by

...

Application ID for MS-Edge

Due to the constraints placed on us by management, we don't support Chrome, and early on, I created a custom app ID specifically for Chrome and was able to block it fairly effectively.  Then MS released Edge, which fouled everything up.  So all of th

...

Resolved! Pattern regex less than 7 bytes

Hi all,

I have been asked to create a new Application signature to block any access to /abc/*

But when adding the pattern /abc/* in context http-req-uri-path

I get an error: "pattern must be at least 7 bytes [/abc/*]"

 

How can I block any access to /abc/

...

Custom Snort Signature context operator not found

I am creating a custom Snort signature on a Palo Alto firewall but didn't find the concerned context operator for the match pattern.

Shall we create a context operator, or how can we add the pattern if the context operator is not available?

 

For example:

alert tcp $

...


vulnerability signature with payload and negate

Hello.

I'm trying to write a custom app and vulnerability signature. Signatures are based on UDP-payload.

When I use the custom app signature, vulnerability detection does not work. Can I somehow turn on CTD for the custom app?

The other problem is that

...

control URL Filtering bypass by IP

Is there any way we can achieve this by creating a custom signature that allows only valid HTTP requests to URLs and not to IP addresses?

Currently, a blocked domain or URL not HTTPS or protected by Cloudflare can easily get past the URL filtering block

Understandi

...

pshah1 by L1 Bithead
  • 2742 Views
  • 1 replies
  • 0 Likes

Custom AppID for NAT-T traffic

I am looking for a way to identify NAT-T traffic on an IPSEC connection and define a custom app for it. To identify the IKE control plane traffic we would be looking for a 4 zero-valued bytes pattern at IP offset 28 on UDP 4500 traffic.

 

It seems the

...
