Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37576 Views
  • 4 replies
  • 4 Likes

Context for Custom AppID

I’m looking to create a custom AppID for our Softphones by PureCloud. In short, we are attempting to block the chat feature within the application. The application is web-browser based and encrypted, so we set up decryption for the traffic in the hope that we could enforce security policies on the decrypted traffic. The decryption is working fine and...

rsummers by L0 Member
  • 4031 Views
  • 0 replies
  • 0 Likes

Resolved! Vulnerability Custom signature not detected

Hi,
I have configured this signature:
Operator: Pattern Match
Context: http-req-params
Pattern: WAITFOR\%20DELAY
When I type, for example, http://www.mysite.com/index.php?WAITFOR%20DELAY the signature is not matched. Can someone help me with this?

s_quasar by L3 Networker
  • 6366 Views
  • 1 reply
  • 0 Likes

KNX/IP custom APP-ID signatures

Hi,
I have created an APP-ID signature set for detecting KNX. If you have a KNX smart-house or industrial system this could be helpful. I will try to implement decryption and detection of KNX in Gira S1 traffic as well in the future.
Wikipedia - KNX
Best regards,
Thomas

Custom Threat is being identified, but not taking the correct action.

We have a custom vulnerability signature for Datanyze scraping that is being identified but is only alerting. This signature looks in http-req-headers and dns-req-headers for the value Datanyze. This is working great; I can see the traffic in the threat log, so I know it is being properly identified. The configuration of the signature has it set as Severi...

pattern match for less than 7 byte application

Hello all, we are trying to implement the user-agent feature that exists in the MWG proxy. In the attached Wireshark capture screenshot, the "wget" user agent has only 4 bytes. Do you have a workaround to make the signature equal 7 bytes? I also attached a screenshot of the error from Palo

IPv4 flags as App-ID Signatures?

Hello, is it possible to use simple IPv4 flag info as match criteria for App-ID signatures? I'm looking for something simple such as matching source IP, destination IP and destination port. I'm not having any luck finding patterns in the data to use, and I really need an App-ID to adjust TCP timeout values. This is to accommodate poorly designe...

Danimal by L0 Member
  • 5907 Views
  • 1 reply
  • 0 Likes

There is no CVE-2019-9082 signature

Hi, nowadays some attackers are attacking our web site with code injection. The perimeter firewall is Palo Alto and the separator firewall is Fortinet. This attack type is below; it is not caught by PA, but it is caught by FG, which prevents it. I observed this signature but I couldn't find it in the PA database. This type of attack has increased in the last few months. Please...

how to get vulnerability signature pattern

Hi @reaper, Palo Alto is releasing a content update every week, and the default actions are changed periodically. Recently, in content version 8146, the action for vulnerability 55570 Oracle WebLogic wls9-async Remote Code Execution Vulnerability was set to reset-server. How can I get the signature pattern used by this vulnerability to confirm th...

Block access to websites available over their IP (and not a FQDN)

Hi community, has anyone already managed to block access to websites available directly by their IP? Actually, with regex this would be an easy task, but I have some difficulties creating a custom application signature, as the full regex isn't available and there is also the limitation that the first 7 bytes of the signature need to be a s...

Remo by L7 Applicator
  • 3755 Views
  • 0 replies
  • 0 Likes

Unable to negate Signature pattern-match. Why Custom Vulnerability has Negate option but Apps NOT?

I created a custom app for ldaps tcp/636 based on a signature (ssl-rsp-certificate) which contains text from the certificate. This caused https - tcp/443 (ssl based) traffic to match this new custom app. After some investigation I realised that the https context ssl-req-client-hello contains http/version (i.e. http/1.1) and wanted to filter this out in my cust...

olukacko by L0 Member
  • 4333 Views
  • 0 replies
  • 0 Likes

Blocking web content with custom data patterns

Hi all, I'm trying to use custom data patterns to block all content related to the 'Momo' hoax. I'm having issues getting around the fact that 'momo' is smaller than 7 bytes. Do you have any recommendations on how to use an anchor 7 bytes or longer that would block Momo Google, Image and YouTube searches? So far I can only stop searches from th...

Office XML with Macros

This is a custom vulnerability signature I created based on what I was seeing come through to our users. Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format. What I was seeing were Office XML (2003 era) files. Note, this signature includes a specific string match for Wor...

Custom Antivirus Signatures

Is it possible to create custom antivirus signatures? The goal is to block files with certain hashes. The original file is not available, only the hash. Is there any way to submit hashes to PANW so that they create signatures? (Something similar to what exists for URLs.)

Anon1 by L4 Transporter
  • 15038 Views
  • 4 replies
  • 3 Likes