Custom Signatures
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Signatures
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Resolved! Pokemon GO

With the rise in popularity of the new Pokemon GO app, has anyone had the opportunity to build a signature or possibly even gather a pcap of the traffic that could be shared (the site is not allowing signups right now so I am unable to produce my own

...

aelmore by L0 Member
  • 3934 Views
  • 4 replies
  • 0 Likes

Regex for syslog User-ID not working

Hi team,

 

We have the (Cisco & Ruckus) Wireless controllers forwarding SYSLOGS to the User-ID agent running on Windows 2012 server.

 

We want to use these syslog messages to create user-ip mappings. We tried with several different regex patterns but not

...

ansharma by L4 Transporter
  • 1651 Views
  • 2 replies
  • 0 Likes

Custom data pattern

Hi Team 

 

I have a user who has a requirement to add a custom Data Pattern to identify a specific string 

 

Example: 1234/09/4578 

 

(Note the second identifier is a numeric value between [1-9])

 

I set up the data pattern under " Custom Objects --->Data Pa

...

agawade by L1 Bithead
  • 1406 Views
  • 2 replies
  • 0 Likes

Resolved! Submitting DNS block without blocking the IP

I'm looking to submit a FQDN block where I don't ever block the IP.

 

I've reviewed this article on blocking FQDN's but can't seem to figure out how to ignore the IP. We assign fake ip addresses to known malicius sites, and need the HTTP, HTTPS, SSH, e

...

Wordpress wp-login.php flood

Today we built a custom vulnerability signature to block excessive request from one IP to wp-login.php. 

 

 wp-login.php thread-id 42106wp-login.php thread-id 42106wp-login.php thread-id 42106wp-login.php flood threat-id 42107wp-login.php flood threat-

...

42106-1.PNG
42106-2.PNG
42106-3.PNG
wp1.PNG
PortsIT by L0 Member
  • 1239 Views
  • 0 replies
  • 2 Likes

Signature for HULK attack?

Hi Everyone,

 

We are in the process of migrating from Cisco ASA firewalls on our Edge to PA 5020. Recently one of our websites was hit with a DDoS attack. After analysis, we determined that it was the HULK attack. 

 

I got my hands on the HULK python sc

...

Resolved! Detect any ELF executable

I would like to block any ELF executable, but this is not support in file blocking. I have tried to achieve this using two methods:

 

Create a custom data pattern. This didn't really work out, as the minimum string length is 7 bytes, but the file ident

...

Possible To Block HTTP/1.0 Requests?

Can't seem to find a way to do it. I don't see a built-in signature, and was going to make a custom one, but the patern match context doesn't seem to cover the HTTP version for some odd reason. Maybe I'm missing something?

pwebber by L2 Linker
  • 2341 Views
  • 3 replies
  • 0 Likes

PAN-SA Signatures

Good day,

 

Seeing as security device targetted attacks a re increasing, I'd like to know if PANW releases the PAN-SA advisories as actual signatures. I can filter and analyse the CVE's disclosed for each PAN-SA, when available, but therse are general

...

BruceL by L0 Member
  • 636 Views
  • 0 replies
  • 0 Likes

help on Custom signature base on the return traffic

Dear Bros

 

     Anyone has the experience of create custom signature base on the return traffic? attached please find the PCAP file

 

     This is JBoss attack while custom want us to alert base on the server return traffic content pattern which means a

...

kowu by L1 Bithead
  • 1976 Views
  • 5 replies
  • 0 Likes

Custom Application Signatures

Hi

 

I have created custom Application id for one of my web application server hosted in Amazon cloud. but its not working. can anyone help against this.  Here with i have attached xml file for your reference.

Ntrust by L0 Member
  • 1352 Views
  • 2 replies
  • 0 Likes
Top Liked Posts
Top Liked Authors
Labels