Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Resolved! Custom Signature to allow LDAPS as SSL port 636

Hello Everyone,

 

Has anyone created a custom signature to create a custom APP-ID to allow SSL over port 636? I have read that decryption needs to be implemented for the Palo to identify the traffic to the right application but if decryption can not be

...

palmanza by L0 Member
  • 15043 Views
  • 2 replies
  • 0 Likes

re: 01339413

Hi Team 

 

One of my Customer has configured a custom signature to block the windows 7 machine based on Http request headers. This signature is working but hitting a lot of false positives as well. For example, he can see that window 8 and windows 10 a

...

alal by L2 Linker
  • 4469 Views
  • 1 replies
  • 0 Likes

Safari Montage YouTube

We have a school system that is want to utilize Safari Montage to filter video that an administrator whitelisted. These whitelisted video adds a referrer (somesite.someschool.org) to the http request that will go to that specific video hosted at YouT

...

MCabe by L0 Member
  • 3408 Views
  • 0 replies
  • 0 Likes

Context for Custom AppID

I’m looking to create a custom AppID for our Softphones by PureCloud. In short, we are attempting to block the chat feature within the application. The application is web-browser based and encrypted, so we setup decryption for the traffic in the hope

...

rsummers by L0 Member
  • 3614 Views
  • 0 replies
  • 0 Likes

Resolved! Vulnerability Custom signature not detected

Hi,

I have configured this signature:

Operator: Pattern Match

Context: http-req-params

Pattern: WAITFOR\%20DELAY

 

When I digit for example http://www.mysite.com/index.php?WAITFOR%20DELAY the signature is not matched.

Can someone help me about this?

 

 

s_quasar by L3 Networker
  • 5655 Views
  • 1 replies
  • 0 Likes

KNX/IP custom APP-ID signatures

Hi,

 

I have created a APP-ID signature set for detecting KNX.

If you have a KNX smarthouse or industrial system this could be helpful.

 

I will try to implement decrypt and detection of KNX in Gira S1 traffic as well in the future.

 

Wikipedia - KNX

 

best r

...

pattern match for less than 7 byte application

Hello all,

 

we are trying to implement user-Agent feature that's exist in MWG proxy. on attched wireshark capture screen shot "wget" user agent has only 4 bytes. do you have work around to make signature equal to 7 bytes. 

I also attached screen shot e

...

IPv4 flags as App-ID Signatures?

Hello,

 

 Is it possible to use simple IPv4 flag info as match criteria for App-ID signatures? I'm looking for something simple such as matching source IP, destination IP and destination port. I'm not having any luck finding patterns in the data to use

...

Danimal by L0 Member
  • 5227 Views
  • 1 replies
  • 0 Likes

There is no CVE-2019-9082 signature

Hi,

 

Nowadays some attackers attack our web site relevant code injection. Perimeter firewall is Palo Alto and seperator firewall is Fortinet. This attack type is below that's not keeping by PA but it's keeping FG so prevent.

I obsevered this signature

...

  • 165 Posts
  • 82 Subscriptions
Labels