Anyone know how to compare two headers in custom spyware signature?

Anyone know how to compare two headers in custom spyware signature?

ie "http-req-host-header" == ssl-req-client-hello 

Allow iOS Ring doorbell

Hello,

I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue.

The problem is that it reports the web URL category as "unknown" which I am currently blocking.

I wro

Custom App for unknown SIP traffic

Hi.

I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the sip headers but not sure how to write the pattern. 

Have done capture of the traffic and this is what I got...

What can be used h

"email-headers" and "smtp-email-headers" context in customer application definition

Hello,

Is there any difference between "email-headers" and "smtp-email-headers" context in the customer application definition?

I didn't find description of the "smtp-email-headers" context in "Custom Application IDs and Signatures" guide.

Maybe "email-

Letsencrypt (acme) challenge URL

I created this pattern to recognize Letsencrypt (acme-protocol) challenge.

You need to create a custom application with these fields:

• Typo: Transaction

•  

  Context: http-req-uri-path

•  

  Pattern:

That's the best I could bet.

Custom signature for catch specific query

Hello all

I'm trying to catch suspicious ldap queries (recon activity).
For the example I want catch this kind of querie : (primaryGroupID=512)

I tried to make a custom rule. However for ldap, there are only 2 possibilities:
- ldap-req-searchrequest-bas

Allow or drop traffic based on headers

Hi,
I need to allow/drop traffic based on headers.
I need a custom signature to make sure the HOST is one of:
1. abc.com (or)
2. xyz.com

AND
The XFF header is one of:
1. 1.1.1.1 (or)
2. 2.2.2.2 (or)
3. 3.3.3.3

AND
A header name "X-MyHeader" has the value: "123"

Custom Signature to detect a PDF file

DISCLAIMER:

As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.

It is:

- Not recommended fo

Limiting http methods to specific URLs

Has anyone had luck limiting http methods like PUT to limited URLs? For example, limiting a PUT to https://www.foo.com/ but not to https://www.foo.com/folder1 ? I've created a custom vulnerability that allows the http-method (http-req-header length >

DDOS, Brute force and referer header match options with custom signatures for app-id and vulnerability.

Hello to All,

I have made a post with examples in an another part of this forum but now I see that there is a seperate discussion for custom signatures, so I am posting it here. Now with version 10 as there is no 7 byte limit it is much more easier

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedi

Custom objects signature - DNS query length

Hello

I am trying to create a custom object / custom spyware signature based on dns-req-section that would alert when the requested domain via dns is longer than x amount of characters.
Currently I am stuck at the pattern requirement to have 7 fixed by

Application ID for MS-Edge

Due to the constraints placed on us by management, we don't support Chrome, and early on, I created a custom app ID specifically for Chrome and was able to block it fairly effectively.  Then MS released Edge, which fouled everything up.  So all of th