Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Identifying Mobile no - Data Pattern

Dear All,

Please find bellow our requirement:

 

1) We would like to restrict document going out from their network which has more than 5 mobile numbers.

Thus would require a regex of mobile no to be configured in Data Pattern.

 

We configure regex  -

((.*09

...

To customize app-id or no

Hi

 

Newish user to PA's 1 year now I think.

 

I came from cisco - ip / port acl's

 

I am trying to move to app-id nicer easier policies.

So for office traffic I use app-id 

for my prod platform I use applicaiton overide to custom applications, so that I can

...

Custom signature for IMAP

Hey there!

 

I need to create a custom application based on the LOGIN string sent to an IMAP server (Office 365) via port 993 (TLS/SSL encrypted) to differentiate it from other O365 traffic. Tech_Note-Creating_Custom_Signatures-RevE.pdf I should be abl

...

Lets Encrypt

Our customer is implementing the Lets Encrypt (https://letsencrypt.org/) in the whole his infrastructure. 

This way, every certificates SSL expired in 90 days.

The Palo Alto use certificate SSL to VPN, Captive Portal, and others services.

Is there an au

...

Custom App-ID for DNS-over-https

Hi community

 

As you may have noticed DNSSec is extremely slowly getting attention and it even does not improve the users privacy because the dns request are only signed but not encrypted. So other people and companies are searching alternatives to se

...

Remo by L7 Applicator
  • 11444 Views
  • 1 replies
  • 7 Likes

How to submit changes to existing Add-id?

Hello.

 

We're noticed that webex app uses SIP connection over port 5061. I don't see it's listed in App-ID database and I believe it should be there. Please correct me if I'm wrong.

How do I submit App-ID change request? Since it's related to webex in

...

A few questions about signatures and custom apps

So I've had some issues with the most recent custom app I'm attempting to make.  Our server team is implementing Papercut on campus and there doesn't seem to be a pre-built app for it.  I submitted a request for it but figured I'd try to take a crack

...

pcap.png
customapp1.png
customapp2.png
customapp3.png
jsalmans by L4 Transporter
  • 4369 Views
  • 4 replies
  • 0 Likes

Regex for User Agent for ASA Anyconnect syslog

 

We have stale userID/IPaddr entries in PA from our AD servers.

We implemented regex and syslog feed for the campus ASA so solve the issue, but need it also for Anyconnect user traffic.

 

Found what appears to be the regex for anyconnect syslog feed.

htt

...

rkemble by L1 Bithead
  • 3231 Views
  • 4 replies
  • 0 Likes

Quick Question - escaping parentheses?

So, none of the docs I can find show parentheses as a reserved character, but when I put in a regex of 'sample(_POST' it is rejected, but when I do 'sample\(POST' it is taken - in these samples the '' are not there.  

 

But, I'm not sure if the REXEX i

...

dberber1 by L2 Linker
  • 1512 Views
  • 0 replies
  • 0 Likes