Custom Signatures
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Custom signature for IMAP

Hey there!

 

I need to create a custom application based on the LOGIN string sent to an IMAP server (Office 365) via port 993 (TLS/SSL encrypted) to differentiate it from other O365 traffic. Tech_Note-Creating_Custom_Signatures-RevE.pdf I should be abl

...

Lets Encrypt

Our customer is implementing the Lets Encrypt (https://letsencrypt.org/) in the whole his infrastructure. 

This way, every certificates SSL expired in 90 days.

The Palo Alto use certificate SSL to VPN, Captive Portal, and others services.

Is there an au

...

Custom App-ID for DNS-over-https

Hi community

 

As you may have noticed DNSSec is extremely slowly getting attention and it even does not improve the users privacy because the dns request are only signed but not encrypted. So other people and companies are searching alternatives to se

...

How to submit changes to existing Add-id?

Hello.

 

We're noticed that webex app uses SIP connection over port 5061. I don't see it's listed in App-ID database and I believe it should be there. Please correct me if I'm wrong.

How do I submit App-ID change request? Since it's related to webex in

...

A few questions about signatures and custom apps

So I've had some issues with the most recent custom app I'm attempting to make.  Our server team is implementing Papercut on campus and there doesn't seem to be a pre-built app for it.  I submitted a request for it but figured I'd try to take a crack

...

pcap.png
customapp1.png
customapp2.png
customapp3.png
jsalmans by L4 Transporter
  • 2828 Views
  • 4 replies
  • 0 Likes

Regex for User Agent for ASA Anyconnect syslog

 

We have stale userID/IPaddr entries in PA from our AD servers.

We implemented regex and syslog feed for the campus ASA so solve the issue, but need it also for Anyconnect user traffic.

 

Found what appears to be the regex for anyconnect syslog feed.

htt

...

rkemble by L1 Bithead
  • 1751 Views
  • 4 replies
  • 0 Likes

Quick Question - escaping parentheses?

So, none of the docs I can find show parentheses as a reserved character, but when I put in a regex of 'sample(_POST' it is rejected, but when I do 'sample\(POST' it is taken - in these samples the '' are not there.  

 

But, I'm not sure if the REXEX i

...

dberber1 by L2 Linker
  • 578 Views
  • 0 replies
  • 0 Likes

Resolved! Regex Issue

 

Hey Everyone,

 

I am having an issue that I can't explain.  I am building a signature to match on IP addresses in the X-Forwarded-For Http header.  what I have come up with is this: "For: 1\.2\.[3-4]\..*"  This is working well, but I am having an issu

...

dkramer by L0 Member
  • 1532 Views
  • 2 replies
  • 0 Likes

Fortnite

Is anyone successfully blocking fortnite?  I'm also looking to block PUBG Mobile

Basic Rule to Detect/Alert on OvenVas Scanners

So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (Ultimately I would like to just block these entirely.

 

Is something that can be easily bu

...

r_gine by L1 Bithead
  • 2798 Views
  • 2 replies
  • 0 Likes

Resolved! Create custom threat signature using the API

Is it possible to use the API to create a custom threat or vulnerability signature ?  Plenty of examples showing how to do this using the WebUI, but customer is looking for automated ability.

 

thanks, michael

mprice1 by L0 Member
  • 2429 Views
  • 1 replies
  • 0 Likes
Top Liked Posts
Top Liked Authors
Labels