Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37578 Views
  • 4 replies
  • 4 Likes

Issues Creating Custom App

In order to allow updates to OneDrive I'm trying to create a custom application (since I'm blocking PE), as it is detected as web-browsing. It does not detect that MS OneDrive premade application. I created a custom signature with the Client Hello SNI (oneclient.sfx.ms), as I found that from the packet capture. My issue is that it works for s...

Signature based on http-req-message-body

Hi all, I'm trying to create a custom signature based on the POST payload the client is sending. This is the POST collected from the server:

POST /pds HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: https://aaa.com.cn
Accept-Language: zh-CN
User-Agent:...

Resolved! Custom Vulnerability to Block Old Browser Versions

Would anyone know how to properly identify and block old browser versions using custom vulnerability object? I need help with the proper "pattern" to use to be able to identify the version. I know that there is the following guide:https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0 But this guide is generic and de...

RyanViq by L0 Member
  • 10137 Views
  • 3 replies
  • 0 Likes

Advice on blocking the Extension Packs for Oracle VirtualBox

Oracle's VirtualBox is free and available to use under the GPL v2 license terms. They have an Extension Pack which is not free and can invoke a software audit if found. We are looking to see if anyone has an application snippet to prevent download of the Extension Pack. Unfortunately the download is a typical download in that it is available fro...

Block Platform by Country of Ownership

Hello everyone. I work at a public community college. Our state legislature has proposed legislation that would require us to block any video platform if the platform is owned by a company headquartered outside of the United States. I currently have policies to block specific countries, but I can't see any way to meet this new requirement withou...

Vulnerabilities

Seeking help creating policies to report, log, or restrict outdated browsers from accessing Internet content. Seems like this would be integrated into the policies. Thanks. Examples:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS ...
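Both this post and the "Custom Vulnerability to Block Old Browser Versions" thread above come down to the same question: which part of the User-Agent header carries the version, and how to compare it against a floor. The following is an added example written for this page, not code from Palo Alto Networks or from either poster. It classifies User-Agent strings by browser family and major version and runs that check over a few constructed log lines (the Chrome/102 string is the one quoted in the post; the other strings, the source addresses and the minimum versions in MIN_MAJOR are assumptions for the example). The traps it handles are the ones a signature author hits first: Edge and Opera also carry a "Chrome/" token, every WebKit browser carries "Safari/", and Safari's real version is the "Version/" token.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical minimum major versions for the example; set these to the
# versions your organisation actually supports.
MIN_MAJOR = {"Edge": 110, "Chrome": 110, "Firefox": 110, "Safari": 16}

# Order matters: Edge and Opera also carry a "Chrome/" token and every
# WebKit-based browser carries "Safari/", so the more specific families
# are tested first.  Chrome on iOS identifies itself as "CriOS/".
FAMILY_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/(\d+)")),
    ("Opera", re.compile(r"\bOPR/(\d+)")),
    ("Chrome", re.compile(r"\b(?:Chrome|CriOS)/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    # Safari's own version is the "Version/16.4" token; "Safari/605.1.15"
    # is the WebKit build number and must not be used as the version.
    ("Safari", re.compile(r"\bVersion/(\d+)\S* .*\bSafari/")),
]


@dataclass
class Verdict:
    family: Optional[str]
    major: Optional[int]
    outdated: bool
    reason: str


def classify_user_agent(ua: str) -> Verdict:
    """Return the browser family, its major version and whether it is below
    the configured floor.  Only the major version is compared: Chrome's UA
    reduction reports minor/build as 0.0.0, but the major number survives."""
    for family, pattern in FAMILY_PATTERNS:
        m = pattern.search(ua)
        if not m:
            continue
        major = int(m.group(1))
        floor = MIN_MAJOR.get(family)
        if floor is None:
            return Verdict(family, major, False, f"{family}: no minimum configured")
        if major < floor:
            return Verdict(family, major, True, f"{family} {major} is below {floor}")
        return Verdict(family, major, False, f"{family} {major} meets {floor}")
    return Verdict(None, None, False, "no recognised browser family")


# Constructed sample log: "<source ip>\t<User-Agent>".  The first Chrome line
# is the one quoted in the post; the others are typical UA strings.
SAMPLE_LOG = [
    "10.0.0.5\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36",
    "10.0.0.6\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Edg/120.0.2210.91",
    "10.0.0.7\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/15.6 Safari/605.1.15",
    "10.0.0.8\tMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) "
    "Gecko/20100101 Firefox/115.0",
    "10.0.0.9\tcurl/8.1.2",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (source ip, family, major) for every line whose browser is
    below the floor, so it can be reported or fed into a block list."""
    findings = []
    for line in lines:
        src, _, ua = line.partition("\t")
        v = classify_user_agent(ua)
        if v.outdated:
            findings.append((src, v.family, v.major))
    return findings


if __name__ == "__main__":
    for src, family, major in scan_log(SAMPLE_LOG):
        print(f"{src}: outdated {family} {major}")
```

Two caveats before turning this into a firewall pattern. First, the User-Agent header is client-controlled, so this identifies browsers that announce themselves as old; it cannot catch a client that lies. Second, the PAN-OS pattern matcher accepts a narrower syntax than Python's re module (no lookarounds, for instance) and the documentation requires a fixed string of at least seven bytes in each pattern, so treat these regexes as a model of what the http-req-headers pattern must discriminate, not as text to paste into the firewall.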

Has anyone done a custom APP to block recursive DNS queries?

I've built two signatures for DNS: one to indicate recursive lookup and one for non-recursive lookup. When I test, the app that is evaluated first is triggered. Reverse the order and the formerly 2nd app triggers. It is like the expressions are not evaluated. Has anyone done this before? I have a case open with Palo Alto about this, but it has bee...

mcannady by L0 Member
  • 5024 Views
  • 4 replies
  • 0 Likes
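Whether a DNS query asks for recursion is a single bit, RD (bit 8 of the FLAGS field, RFC 1035 section 4.1.1), which sits in the low bit of payload byte 2. Two signatures that only match bytes common to both kinds of query cannot be told apart, and then whichever one the engine evaluates first wins; the two patterns have to pin that byte to different values. The following is an added example for this page, not code from the poster or from Palo Alto Networks: it builds constructed recursive and non-recursive queries plus a response, classifies them from the header, and returns the discriminating byte. The query name, transaction ID and the RA handling in build_response are assumptions made for the example.

```python
import struct

# DNS header (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT,
# ARCOUNT, six 16-bit big-endian fields.  In FLAGS, QR is bit 15 and RD is
# bit 8, so a plain recursive query has FLAGS == 0x0100 and the RD bit lives
# in the low bit of payload byte 2 (the high byte of FLAGS).
QR_MASK = 0x8000
RD_MASK = 0x0100
RA_MASK = 0x0080


def build_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query for qname with RD set or clear.
    Constructed test traffic, not a capture."""
    flags = RD_MASK if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    # Root label terminator, then QTYPE=A (1) and QCLASS=IN (1).
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(query: bytes) -> bytes:
    """Echo a query back as an (empty) response: same ID, QR set, RD copied,
    RA set.  Enough to show that QR must be checked before RD."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags = QR_MASK | (flags & RD_MASK) | RA_MASK
    return struct.pack("!HH", txid, flags) + query[4:]


def classify_dns(payload: bytes) -> str:
    """Return 'recursive-query', 'iterative-query' or 'response'."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    if flags & QR_MASK:
        return "response"
    return "recursive-query" if flags & RD_MASK else "iterative-query"


def discriminating_byte(payload: bytes) -> int:
    """The one byte a pattern-based signature has to pin down: payload[2].
    For a plain standard query it is 0x01 with RD set and 0x00 without."""
    return payload[2]


if __name__ == "__main__":
    for rd in (True, False):
        q = build_query("example.com", rd)
        print(classify_dns(q), hex(discriminating_byte(q)))
    print(classify_dns(build_response(build_query("example.com", True))))
```

Byte 2 also carries QR, OPCODE, AA and TC, so a query with a non-zero opcode or the TC bit set would show other bits in it; for ordinary standard queries the only difference between the two signatures is 0x00 versus 0x01 in that byte, and a pattern that does not fix it will match both.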

SMTP Brute Force - different source IPs

The scenario I am seeing is SMTP brute force attempts against a username, but each time the source IP address is different, I guess they are using a botnet. Exchange will tarpit the IP for 30 seconds for the failed authentication, but it doesn't matter as the next attempt comes from a different IP address. Can someone suggest a custom signatu...

cenders by L3 Networker
  • 6602 Views
  • 4 replies
  • 1 Likes

Minimal configuration for Custom Apps

Our programmer wrote an app that uses TCP/9901 and 9902 to transfer data between the East and West buildings. Let's call it JC-App. What is the minimum configuration on both the East and West firewalls? Also, what would need to be added to require the use of Application Override? Thanks. jc

Detecting TLS 1.0 and TLS 1.1 Protocol

Hi, I'm working with a customer that needs to detect the usage of SSLv3 (already done with ID 36815), TLS 1.0 and TLS 1.1; at some point they may move to blocking this on certain traffic. They don't particularly want to decrypt the traffic for this due to compliance and organizational policies, and they want to be able to run reports, so doing a No decr...

Convert ScreenOS Multicast static route to Palo Alto

Hi all, I'm finally converting an old Juniper ScreenOS firewall to a Palo Alto firewall (5020). I have some problem understanding how to convert some multicast static routes. On ScreenOS I have this specific entry, for example:
GUI:
Type: Static, Forwarding
Source IP: 192.168.100.126
Mgroup: 239.0.0.2
Incoming Interface: eth3/6.3
Outgoing interface: eth3/6.2...

  • 175 Posts
  • 86 Subscriptions