Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37573 Views
  • 4 replies
  • 4 Likes

Custom Snort Signature context operator not found

I am creating a custom Snort signature on a Palo Alto firewall but did not find the relevant context operator for the match pattern. Should we create a context operator, or how can the pattern be added if the context operator is not available? For example: alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwo...


vulnerability signature with payload and negate

Hello. I'm trying to write a custom app and vulnerability signature. The signatures are based on the UDP payload. When I use the custom app signature, vulnerability detection does not work. Can I somehow turn on CTD for the custom app? The other problem is that what I ideally need to do in the vulnerability signature is to check for a UDP payload other than mine. ...

Block Pubg and Fortnite

Hi, has anyone tried to block PUBG and Fortnite? I tried everything and it is not able to; please suggest the steps, it would be helpful. Regards, Asif

Asifk by L0 Member
  • 3183 Views
  • 0 replies
  • 0 Likes

Is it possible to block a custom file hash (SHA-256) in Palo Alto?

Is it possible to block a custom file hash (SHA-256) in Palo Alto? Please let me know how I can check the disposition of the respective file hashes in WildFire, whether they are blocked or not. Below are the file hashes whose disposition I need to know: f743c0849d69b5ea2f7eaf28831c86c1536cc27ae470f20e49223cbdba9c677ce56d...

Resolved! Custom threat signature- search full TCP payload of any AppId

I'm trying to write a custom threat signature. The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic. I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature Context is "unknown-req-tcp-payload". Is this context only for tr...

control URL Filtering bypass by IP

Is there any way we can achieve this by creating a custom signature that allows only valid HTTP requests to URLs and not to IP addresses? Currently a blocked domain or URL that is not HTTPS or is protected by Cloudflare can easily get past the URL filtering block. I understand that IP is not a URL filtering problem, so I am looking for ways to prevent that.

pshah1 by L1 Bithead
  • 5211 Views
  • 1 replies
  • 0 Likes

create a custom url/custom application matching the below string

I have a requirement where the customer wants to allow only the below URL: https://chrome.google.com/webstore/detail/zotero-connector/ekhagklcjbdpajgpjgmbionohlpdbjgc Basically, the above is the URL for a Chrome add-on: zotero-connector. He wants to allow only the above add-on and block the rest of the add-ons from being downloaded. I tried to use URL filter...

Custom AppID for NAT-T traffic

I am looking for a way to identify NAT-T traffic on an IPsec connection and define a custom app for it. To identify the IKE control-plane traffic we would be looking for a pattern of 4 zero-valued bytes at IP offset 28 in UDP 4500 traffic. It seems the 00 00 00 00 is the only consistent pattern in the traffic stream. Can RegEx be used to create a 7...

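The four zero bytes the NAT-T post is keying on are the RFC 3948 "non-ESP marker": on UDP/4500, IKE messages are prefixed with 0x00000000, while UDP-encapsulated ESP starts directly with its 32-bit SPI (which RFC 4303 forbids from being zero on the wire), and a one-byte 0xFF is a NAT keepalive. The following is an added example, not the poster's configuration or anything from Palo Alto Networks, that classifies raw IPv4/UDP packets on that basis; the packets and addresses are constructed test input and the checksums are left at zero. It also computes where the marker sits, which is offset 28 only while the IP header has no options.

```python
import struct
import ipaddress

NAT_T_PORT = 4500
IPPROTO_UDP = 17
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # RFC 3948 section 2.3: one-byte NAT-keepalive


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet (constructed test input; checksums left at zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header, no options)
        0, 20 + udp_len,      # TOS, total length
        0, 0,                 # identification, flags/fragment offset
        64, IPPROTO_UDP, 0,   # TTL, protocol, header checksum (not computed)
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def udp_payload_offset(packet: bytes):
    """Offset of the UDP payload from the start of the IP packet, or None if not IPv4/UDP.

    With a 20-byte IP header this is 28, the 'IP offset 28' the post refers to;
    IP options lengthen the header and move the marker, so use the IHL field."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP or len(packet) < ihl + 8:
        return None
    return ihl + 8


def classify_nat_t(packet: bytes) -> str:
    """Classify an IPv4 packet as 'ike', 'esp', 'keepalive' or 'other' (not NAT-T)."""
    off = udp_payload_offset(packet)
    if off is None:
        return "other"
    sport, dport = struct.unpack("!HH", packet[off - 8:off - 4])
    if NAT_T_PORT not in (sport, dport):
        return "other"
    payload = packet[off:]
    if payload == NAT_KEEPALIVE:
        return "keepalive"
    if len(payload) < 4:
        return "other"
    # ESP puts its SPI first and SPI 0 never appears on the wire, so four zero bytes mean IKE.
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def sample_packets() -> dict:
    """Constructed samples: IKE over NAT-T, UDP-encapsulated ESP, a keepalive, unrelated DNS."""
    ike_hdr = NON_ESP_MARKER + b"\x11" * 8 + b"\x00" * 8 + b"\x21\x20\x22\x08"  # marker + IKEv2 header start
    esp_hdr = b"\x00\x00\xab\xcd" + b"\x00\x00\x00\x01" + b"\x5a" * 16        # SPI 0xabcd, seq 1, data
    return {
        "ike": build_ipv4_udp("10.0.0.1", "203.0.113.5", 4500, 4500, ike_hdr),
        "esp": build_ipv4_udp("10.0.0.1", "203.0.113.5", 4500, 4500, esp_hdr),
        "keepalive": build_ipv4_udp("10.0.0.1", "203.0.113.5", 4500, 4500, NAT_KEEPALIVE),
        "dns": build_ipv4_udp("10.0.0.1", "10.0.0.53", 40000, 53, b"\x00" * 12),
    }


def classify_samples() -> dict:
    return {name: classify_nat_t(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

Note that a match on the zero marker alone only says "IKE on 4500"; both IKE and ESP legitimately share the port, so a custom application for the control plane should be expected to coexist with ESP traffic on the same 5-tuple rather than replace it.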

Virus/Win32.WGeneric.ajbecg(340897548) Need assistance

Hi Team, the below signatures were identified in our network and we want to know the reason for this trigger. Please provide the related application affected. Any additional information will be appreciated. Virus/Win32.WGeneric.ajbsuc(341044866) Virus/Win32.WGeneric.ajbecg(340897548) Virus/Win32.WGeneric.aeqdlm(295866360)

How to stop MoriAgent malware using a Snort rule?

I want to stop the MoriAgent malware by applying a Snort rule and also a YARA rule. How do I configure this in Palo Alto? Below are the Snort and YARA rules: 1. The below Snort rule can be used to detect the MoriAgent beacon. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MoriAgent Beacon HTTP Request"; content:"/Index.php...

Need guidance to block download/upload of any file types

Hi, in my environment we have a requirement to block download/upload of any type of file between two machines. I deployed a "File Blocking" profile and added the profile to the policy. It served the purpose only for the known file types available in Palo Alto; for example .exe, .pdf, .zip etc. are getting blocked. .txt, .log, .dat are getting blocked. ...

Create Custom Application with pattern for XMPP (Jabber)

Could anyone help me build a custom application with a pattern? Application: Jabber. Port: TCP/5222. I want to use this URL as a pattern: xyz.ab.example.com. I have followed some KB articles and created a custom app, but the app did not match in the security policy. I need assistance to make this work.

Resolved! Custom Signature to allow LDAPS as SSL port 636

Hello everyone, has anyone created a custom signature to create a custom App-ID to allow SSL over port 636? I have read that decryption needs to be implemented for the Palo to identify the traffic as the right application, but if decryption cannot be completed, how can this be done? Thanks in advance.

palmanza by L0 Member
  • 19928 Views
  • 2 replies
  • 0 Likes

re: 01339413

Hi Team, one of my customers has configured a custom signature to block Windows 7 machines based on HTTP request headers. This signature is working but is hitting a lot of false positives as well. For example, he can see that Windows 8 and Windows 10 are also detected by this signature. The customer followed this KB article: https://knowledgebase....

alal by L2 Linker
  • 4962 Views
  • 1 replies
  • 0 Likes
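Both the "allow URLs but not bare IP addresses" question and the Windows 7 false-positive question above come down to a pattern over an HTTP request header, and both go wrong the same way: a pattern that is looser than the thing it is meant to match. The following is an added example, not the customers' signatures or the KB article's pattern (which is not on this page), that parses constructed HTTP requests and applies two checks: whether the Host header is an IP literal rather than a hostname, and what Windows version the User-Agent's "Windows NT x.y" token reports. The loose Windows 7 pattern is my assumption about one way the reported false positives can arise; it matches "Windows NT 6" and so also fires on Windows 8 (NT 6.2) and 8.1 (NT 6.3). Windows 10 and 11 both report NT 10.0, so the tight pattern that anchors on 6.1 excludes them too.

```python
import re
from typing import Dict, Optional

# Host header that is an IP literal (dotted-quad IPv4 or bracketed IPv6), optionally with a port.
HOST_IP_LITERAL = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")

# Windows NT platform tokens as browsers report them in the User-Agent header.
NT_VERSIONS = {
    "5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
    "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11",
}
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")

# Assumed loose pattern: also fires on Windows 8 (6.2) and 8.1 (6.3), i.e. false positives.
WIN7_LOOSE = re.compile(r"Windows NT 6")
# Tight pattern: full version, dot escaped, word boundary so "6.10" or "6.11" would not match.
WIN7_TIGHT = re.compile(r"Windows NT 6\.1\b")


def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.x request head into lower-cased header name -> value (request line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def host_is_ip_literal(headers: Dict[str, str]) -> bool:
    """True when the request was sent to an address rather than a name (bypasses URL categories)."""
    return bool(HOST_IP_LITERAL.match(headers.get("host", "")))


def windows_version(headers: Dict[str, str]) -> Optional[str]:
    """Windows version named in the User-Agent, or None if no 'Windows NT x.y' token is present."""
    m = NT_TOKEN.search(headers.get("user-agent", ""))
    return NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1)) if m else None


def evaluate(raw: str) -> dict:
    """Run all checks on one raw request and report each verdict."""
    headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    return {
        "host_ip_literal": host_is_ip_literal(headers),
        "os": windows_version(headers),
        "win7_loose": bool(WIN7_LOOSE.search(ua)),
        "win7_tight": bool(WIN7_TIGHT.search(ua)),
    }


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "win7": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) Firefox/115.0\r\n\r\n",
    "win8": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
            "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) Chrome/109.0 Safari/537.36\r\n\r\n",
    "win10": "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0\r\n\r\n",
    "ip_host": "GET /download HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: curl/8.4.0\r\n\r\n",
    "ip6_host": "GET / HTTP/1.1\r\nHost: [2001:db8::1]:8080\r\nUser-Agent: curl/8.4.0\r\n\r\n",
}


def evaluate_samples() -> dict:
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(name, verdict)
```

The same discipline applies to whatever pattern the production signature uses: test it against a User-Agent from every Windows release the customer still has, not only the one it is meant to catch, and remember that the User-Agent is client-supplied, so this is a policy aid rather than an authoritative OS check.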

Safari Montage YouTube

We have a school system that wants to utilize Safari Montage to filter video that an administrator whitelisted. These whitelisted videos add a referrer (somesite.someschool.org) to the HTTP request that goes to the specific video hosted at YouTube. With SSL decryption enabled and QUIC being blocked, the firewall will inspect the outbound traffic...

MCabe by L0 Member
  • 3811 Views
  • 0 replies
  • 0 Likes