Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

How to submit changes to existing Add-id?

Hello.

 

We're noticed that webex app uses SIP connection over port 5061. I don't see it's listed in App-ID database and I believe it should be there. Please correct me if I'm wrong.

How do I submit App-ID change request? Since it's related to webex in

...

A few questions about signatures and custom apps

So I've had some issues with the most recent custom app I'm attempting to make.  Our server team is implementing Papercut on campus and there doesn't seem to be a pre-built app for it.  I submitted a request for it but figured I'd try to take a crack

...

pcap.png
customapp1.png
customapp2.png
customapp3.png
jsalmans by L4 Transporter
  • 3798 Views
  • 4 replies
  • 0 Likes

Regex for User Agent for ASA Anyconnect syslog

 

We have stale userID/IPaddr entries in PA from our AD servers.

We implemented regex and syslog feed for the campus ASA so solve the issue, but need it also for Anyconnect user traffic.

 

Found what appears to be the regex for anyconnect syslog feed.

htt

...

rkemble by L1 Bithead
  • 2716 Views
  • 4 replies
  • 0 Likes

Quick Question - escaping parentheses?

So, none of the docs I can find show parentheses as a reserved character, but when I put in a regex of 'sample(_POST' it is rejected, but when I do 'sample\(POST' it is taken - in these samples the '' are not there.  

 

But, I'm not sure if the REXEX i

...

dberber1 by L2 Linker
  • 1215 Views
  • 0 replies
  • 0 Likes

Resolved! Regex Issue

 

Hey Everyone,

 

I am having an issue that I can't explain.  I am building a signature to match on IP addresses in the X-Forwarded-For Http header.  what I have come up with is this: "For: 1\.2\.[3-4]\..*"  This is working well, but I am having an issu

...

dkramer by L0 Member
  • 2338 Views
  • 2 replies
  • 0 Likes

Fortnite

Is anyone successfully blocking fortnite?  I'm also looking to block PUBG Mobile

Basic Rule to Detect/Alert on OvenVas Scanners

So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (Ultimately I would like to just block these entirely.

 

Is something that can be easily bu

...

r_gine by L1 Bithead
  • 4182 Views
  • 2 replies
  • 0 Likes

Resolved! Create custom threat signature using the API

Is it possible to use the API to create a custom threat or vulnerability signature ?  Plenty of examples showing how to do this using the WebUI, but customer is looking for automated ability.

 

thanks, michael

mprice1 by L0 Member
  • 3217 Views
  • 1 replies
  • 0 Likes

Custom Signature for Dahua NVR

Hello All,

 

I am working on creating a custome signature for a Dahua NVR that we would like to allow remote access to.  It operates on port 37777 which has been allowed, but traffic still shows up as unknown-tcp and is subsiquently blocked.  Does anyo

...

jjurdi by L1 Bithead
  • 4257 Views
  • 6 replies
  • 0 Likes

Help with creating a custom App

Hi Everyone,

I have a application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow uknown-tcp.

I have attached a capture from the Firewall, i am just uncertain as t

...