Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices
Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not.
Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3501 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37632 Views
  • 4 replies
  • 4 Likes

Allow iOS Ring doorbell

Hello, I'm looking for a proper way to allow the iOS Ring app to connect back to the video feed from an iOS device. Android phones work with no issue. The problem is that it reports the web URL category as "unknown", which I am currently blocking. I wrote my policy (below) to allow ssl traffic for all unauthenticated users (mobile devices) to conne...

Custom App for unknown SIP traffic

Hi. I need to create a Custom App for SIP traffic that is not identified by the firewall. I see that you can match on the sip headers but am not sure how to write the pattern. I have done a capture of the traffic and this is what I got... What can be used here and how do I write the pattern?

INVITE sip:2574@10.100.118.40 SIP/2.0
Min-SE: 300
Date: Wed, 02...

OyvindM by L0 Member
  • 2236 Views
  • 0 replies
  • 0 Likes

"email-headers" and "smtp-email-headers" context in custom application definition

Hello, is there any difference between the "email-headers" and "smtp-email-headers" contexts in the custom application definition? I didn't find a description of the "smtp-email-headers" context in the "Custom Application IDs and Signatures" guide. Maybe "email-headers" can be used for any email protocol and "smtp-email-headers" only for SMTP? Thanks

SergiyL by L1 Bithead
  • 4420 Views
  • 2 replies
  • 0 Likes

Letsencrypt (acme) challenge URL

I created this pattern to recognize the Letsencrypt (acme-protocol) challenge. You need to create a custom application with these fields: Type: Transaction; Context: http-req-uri-path; Pattern: ^GET /\.well-known/acme-challenge/ That's the best I could get. Btw, I did not know before that "http-req-uri-path" had to include the method (GET), so I had a h...

Custom signature to catch a specific query

Hello all, I'm trying to catch suspicious ldap queries (recon activity). For example, I want to catch this kind of query: (primaryGroupID=512) I tried to make a custom rule. However, for ldap there are only 2 possibilities:
- ldap-req-searchrequest-baseobject
- ldap-rsp-searchresentry-objectname
Both of them don't fit my needs because they don't match...

jsv93 by L0 Member
  • 2813 Views
  • 1 replies
  • 0 Likes

Allow or drop traffic based on headers

Hi, I need to allow/drop traffic based on headers. I need a custom signature to make sure the HOST is one of:
1. abc.com (or)
2. xyz.com
AND the XFF header is one of:
1. 1.1.1.1 (or)
2. 2.2.2.2 (or)
3. 3.3.3.3
AND a header named "X-MyHeader" has the value "123".
If one of the above conditions is false, drop the traffic. I will appreciate any help. Noam.

Resolved! Threat signature for ICMP type

Has anyone had success in creation of threat signatures for ICMP type? I've seen (and tested) the Palo Alto guide on creation of an app to block/allow specific ICMP types and was trying to log a threat event for potential use and visibility versus creation of a new application (and needing to create a new app-id group to accommodate all ICMP ty...

Custom Signature to detect a PDF file

DISCLAIMER: As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community. It is: - Not recommended for deployment in a production network of any kind without internal testing. - Not a solution to an...

dparris by L5 Sessionator
  • 11963 Views
  • 4 replies
  • 3 Likes

Limiting http methods to specific URLs

Has anyone had luck limiting http methods like PUT to limited URLs? For example, limiting a PUT to https://www.foo.com/ but not to https://www.foo.com/folder1 ? I've created a custom vulnerability that allows the http-method (http-req-header length > 0 which http-method=PUT) in a custom vulnerability but I am having trouble limiting it to the...

IamJoeG by L0 Member
  • 5564 Views
  • 3 replies
  • 0 Likes

DDOS, Brute force and referer header match options with custom signatures for app-id and vulnerability.

Hello to All, I have made a post with examples in another part of this forum, but now I see that there is a separate discussion for custom signatures, so I am posting it here. Now with version 10, as there is no 7 byte limit, it is much easier to do such things with an application or Spyware/Vulnerability combination signature: https://live....

Custom objects signature - DNS query length

Hello, I am trying to create a custom object / custom spyware signature based on dns-req-section that would alert when the domain requested via dns is longer than x characters. Currently I am stuck at the pattern requirement to have 7 fixed bytes. Any ideas? (We are not using dns proxying.) (I'm trying to detect this: https://blog.talosint...

Application ID for MS-Edge

Due to the constraints placed on us by management, we don't support Chrome, and early on, I created a custom app ID specifically for Chrome and was able to block it fairly effectively. Then MS released Edge, which fouled everything up. So all of the Chrome blocks had to be changed to allows so Edge would work. So, like an idiot, I thought I cou...

bwsaloum by L2 Linker
  • 8263 Views
  • 4 replies
  • 0 Likes

Resolved! Pattern regex less than 7 bytes

Hi all, I have been asked to create a new Application signature to block any access to /abc/* But when adding the pattern /abc/* in context http-req-uri-path I get an error: "pattern must be at least 7 bytes [/abc/*]" How can I block any access to /abc/* ? Regards, Noam.
