Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Custom Signature for Dahua NVR

Hello All,

 

I am working on creating a custom signature for a Dahua NVR that we would like to allow remote access to.  It operates on port 37777 which has been allowed, but traffic still shows up as unknown-tcp and is subsequently blocked.  Does anyo

...

jjurdi by L1 Bithead
  • 3034 Views
  • 6 replies
  • 0 Likes

Help with creating a custom App

Hi Everyone,

I have an application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow unknown-tcp.

I have attached a capture from the Firewall, I am just uncertain as t

...

Customer signature to Block C & C++ Programs

Hi Team,

 

One of the customers is looking to block files based on data filtering and he wanted to block any text that contains C programs, he wants to block based on the keywords used in the program.

 

Sample Regex used by customer.

 

.*(.*(\#include).*((c

...

Signature for Clash of Clans game

I built the attached custom application signature for the Clash of Clans game (previously identified as unknown-tcp) based on taking multiple pcaps and finding the first 7 bytes of the first 4 data packets appear to be constant across sessions. Howev

...

david3 by L4 Transporter
  • 6886 Views
  • 4 replies
  • 1 Likes

Email body signature

Hi all

I have a question about the possibility of creating a specific custom signature to block some mail.

I need to block email that contains:

1- specific email address (it is easy, I did it)

2- email with some specific word contained in the email body(f

...

zenmate application

hi 

 

zenmate application is available in PA app but it is not blocking the traffic,

tried using the URL based but pcap doesn't show any URL

tried to block through client hello SNI but no luck ....

please advise how I can block this on PA

 

app name - zen

...

Rameshwar by L3 Networker
  • 2446 Views
  • 10 replies
  • 0 Likes

Custom Data Patterns

I am trying to create some data patterns for credit card numbers. I cannot get it to take any of my regex statements. Below is one of them; the error is saying it's invalid. Does anyone have any good solid Credit Card Number and Social Security Number

...

Custom App for SIP

As a SIP provider, looking to create a custom signature that matches a SUBSCRIBE message from the packet payload w/ 10 or 11 digits. We first tried this w/ Data Patterns under the Custom Objects but that didn't solve/address our issues.

We then cr

...

markibr by L0 Member
  • 1554 Views
  • 2 replies
  • 0 Likes

Resolved! Block Macro-enabled Word documents

I am trying to create a custom signature to block macro-enabled word documents. I can't use the "39154" signature for blocking, because it also blocks other office documents, such as .xlsx. I am in the testing phase, and I have created a custom signa

...

cstarks2 by L1 Bithead
  • 4187 Views
  • 4 replies
  • 0 Likes

SMTP Signature Help

We have been slammed with random Chinese IP addresses attempting to brute-force accounts via SMTP.  Amusingly enough, our gateway doesn't even support that feature but the amount of traffic attempting it is consuming all available ports.

 

I was able to

...

Nicka by L1 Bithead
  • 3228 Views
  • 5 replies
  • 0 Likes

InfluxDB Application Traffic

Hi Everyone

 

I have a problem: in monitoring traffic, the influxdb connection on port 8086 did not work. Traffic status is incomplete.

I was trying to manually set up an application for influxdb but it did not work.

 

 

 

 

Could you give me an explanation?

Block Turbo VPN 1.8.1

please advise how I can block the mentioned VPN on FW

I have blocked all the URLs using URL filtering which were hitting the firewall, showing under URL filtering after enabling alert on all categories

blocked unknown-tcp and unknown-udp traffic

SSL d

...

Rameshwar by L3 Networker
  • 1167 Views
  • 0 replies
  • 0 Likes

Example Signature for WPAD.DAT Exploitation (TA16-144A)

One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own.

 

The technical details are available at: https://www.

...

rcole by L4 Transporter
  • 4131 Views
  • 1 replies
  • 1 Likes

Resolved! Custom Signature Help

Hi, 

 

I'm attempting to create an application signature to detect Amazon AWS backups. I captured SSL client hello packets to get the below hex for the pattern match, but the signature is not firing.

 

Packet,

 

 

Hex value,

/x 3531333438623763302d64643237

...

phi1771 by L0 Member
  • 1930 Views
  • 2 replies
  • 0 Likes