Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Forum Posts

Custom data pattern

Hi Team I have a user who has a requirement to add a custom Data Pattern to identify a specific string Example: 1234/09/4578 (Note the second identifier is a numeric value between [1-9]) I set up the data pattern under " Custom Objects --->Data Patte...

agawade by L1 Bithead
  • 984 Views
  • 2 replies
  • 0 Likes

Wordpress wp-login.php flood

Today we built a custom vulnerability signature to block excessive requests from one IP to wp-login.php. wp-login.php thread-id 42106 wp-login.php flood threat-id 42107 wp-login.php flood threat-id...

PortsIT by L0 Member
  • 861 Views
  • 0 replies
  • 2 Likes

Regex for syslog User-ID not working

Hi team, We have the (Cisco & Ruckus) Wireless controllers forwarding SYSLOGS to the User-ID agent running on Windows 2012 server. We want to use these syslog messages to create user-ip mappings. We tried with several different regex patterns but not...

ansharma by L4 Transporter
  • 1357 Views
  • 2 replies
  • 0 Likes

Signature for HULK attack?

Hi Everyone, We are in the process of migrating from Cisco ASA firewalls on our Edge to PA 5020. Recently one of our websites was hit with a DDoS attack. After analysis, we determined that it was the HULK attack. I got my hands on the HULK python scr...

Resolved! Submitting DNS block without blocking the IP

I'm looking to submit a FQDN block where I don't ever block the IP. I've reviewed this article on blocking FQDNs but can't seem to figure out how to ignore the IP. We assign fake IP addresses to known malicious sites, and need the HTTP, HTTPS, SSH, e...

PAN-SA Signatures

Good day, Seeing as security device targeted attacks are increasing, I'd like to know if PANW releases the PAN-SA advisories as actual signatures. I can filter and analyse the CVEs disclosed for each PAN-SA, when available, but these are general ...

BruceL by L0 Member
  • 414 Views
  • 0 replies
  • 0 Likes

Possible To Block HTTP/1.0 Requests?

Can't seem to find a way to do it. I don't see a built-in signature, and was going to make a custom one, but the pattern match context doesn't seem to cover the HTTP version for some odd reason. Maybe I'm missing something?

pwebber by L2 Linker
  • 1537 Views
  • 3 replies
  • 0 Likes

Basic Rule to Detect/Alert on OpenVAS Scanners

So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (Ultimately I would like to just block these entirely. Is something that can be easily bu...

r_gine by L1 Bithead
  • 1833 Views
  • 2 replies
  • 0 Likes

Help on custom signature based on the return traffic

Dear Bros, does anyone have experience creating a custom signature based on the return traffic? Attached please find the PCAP file. This is a JBoss attack, while the customer wants us to alert based on the server return traffic content pattern, which means attack most...

kowu by L1 Bithead
  • 1257 Views
  • 5 replies
  • 0 Likes

Help with creating a custom App

Hi Everyone, I have an application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow unknown-tcp. I have attached a capture from the Firewall, I am just uncertain as t...

Custom Application Signatures

Hi, I have created a custom Application ID for one of my web application servers hosted in Amazon cloud, but it's not working. Can anyone help with this? Herewith I have attached the XML file for your reference.

Ntrust by L0 Member
  • 899 Views
  • 2 replies
  • 0 Likes