Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Forum Posts

There is no CVE-2019-9082 signature

Hi, Nowadays some attackers attack our web site relevant code injection. Perimeter firewall is Palo Alto and separator firewall is Fortinet. This attack type is below that's not keeping by PA but it's keeping FG so prevent. I observed this signature ...

IPv4 flags as App-ID Signatures?

Hello, Is it possible to use simple IPv4 flag info as match criteria for App-ID signatures? I'm looking for something simple such as matching source IP, destination IP and destination port. I'm not having any luck finding patterns in the data to use ...

Danimal by L0 Member
  • 3308 Views
  • 1 replies
  • 0 Likes

Blocking web content with custom data patterns

Hi all, I'm trying to use custom data patterns to block all content related to the 'Momo' hoax. I'm having issues getting around the fact that 'momo' is smaller than 7 bytes. Do you have any recommendations on how to use an anchor 7 bytes or longer t...

Custom objects signature - DNS query length

Hello, I am trying to create a custom object / custom spyware signature based on dns-req-section that would alert when the requested domain via DNS is longer than x amount of characters. Currently I am stuck at the pattern requirement to have 7 fixed by...

Custom Signature to detect a PDF file

DISCLAIMER: As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community. It is: - Not recommended for deployme...

dparris by L5 Sessionator
  • 5627 Views
  • 4 replies
  • 2 Likes

Office XML with Macros

This is a custom vulnerability signature I created based on what I was seeing come through to our users. Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format. What I was seeing ...

Webmail Control via URL

Can Palo Alto control the sending of web mail? I want to make it impossible to send out from the webmail. There is a service called Naver that provides web mail like Google. For example, the URL for sending is as follows. mail.naver.com/n=111113333&v=f#%...

Resolved! Threat ID for CVE-2018-8653 Internet Explorer

I'm not seeing a threat ID for the new IE vulnerability (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653#ID0EN). Has anyone been able to create a custom ID for it, or know if Palo is working on one? Thank you

Rigbyj06 by L0 Member
  • 5818 Views
  • 3 replies
  • 1 Likes

Custom signature not working as expected

Hi Guys, I have the following issue: I have a policy rule where I allow SMTP flow! On this rule I have a vulnerability protection profile. In this profile I have 2 rules: - one rule which is supposed to allow emails with bb.com in the subject - the second o...

Resolved! Creating a custom app signature to block by URL path

I'm hoping to get some help with a custom signature that I've created. We're trying to block users from playing flash games on facebook, but still allow them to get to everything else. For example: https://apps.facebook.com/candycrush. The URL catego...

Identifying Mobile no - Data Pattern

Dear All, Please find below our requirement: 1) We would like to restrict document going out from their network which has more than 5 mobile numbers. Thus would require a regex of mobile no to be configured in Data Pattern. We configure regex -((.*09(...
