Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Regex for User Agent for ASA Anyconnect syslog

We have stale userID/IPaddr entries in PA from our AD servers.

We implemented regex and syslog feed for the campus ASA to solve the issue, but need it also for Anyconnect user traffic.

Found what appears to be the regex for anyconnect syslog feed.

htt

...

rkemble by L1 Bithead
  • 3335 Views
  • 4 replies
  • 0 Likes

Quick Question - escaping parentheses?

So, none of the docs I can find show parentheses as a reserved character, but when I put in a regex of 'sample(_POST' it is rejected, but when I do 'sample\(POST' it is taken - in these samples the '' are not there.

But, I'm not sure if the REXEX i

...

dberber1 by L2 Linker
  • 1544 Views
  • 0 replies
  • 0 Likes

Resolved! Regex Issue

Hey Everyone,

I am having an issue that I can't explain. I am building a signature to match on IP addresses in the X-Forwarded-For HTTP header. What I have come up with is this: "For: 1\.2\.[3-4]\..*" This is working well, but I am having an issu

...

dkramer by L0 Member
  • 3010 Views
  • 2 replies
  • 0 Likes

Fortnite

Is anyone successfully blocking fortnite?  I'm also looking to block PUBG Mobile

Basic Rule to Detect/Alert on OpenVAS Scanners

So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (Ultimately I would like to just block these entirely).

Is something that can be easily bu

...

r_gine by L1 Bithead
  • 5216 Views
  • 2 replies
  • 0 Likes

Resolved! Create custom threat signature using the API

Is it possible to use the API to create a custom threat or vulnerability signature? Plenty of examples show how to do this using the WebUI, but the customer is looking for an automated ability.

thanks, michael

mprice1 by L0 Member
  • 3799 Views
  • 1 replies
  • 0 Likes

Custom Signature for Dahua NVR

Hello All,

I am working on creating a custom signature for a Dahua NVR that we would like to allow remote access to. It operates on port 37777, which has been allowed, but traffic still shows up as unknown-tcp and is subsequently blocked. Does anyo

...

jjurdi by L1 Bithead
  • 5211 Views
  • 6 replies
  • 0 Likes

Help with creating a custom App

Hi Everyone,

I have an application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow unknown-tcp.

I have attached a capture from the Firewall, I am just uncertain as t

...

Custom signature to Block C & C++ Programs

Hi Team,

One of the customers is looking to block files based on data filtering, and he wanted to block any text that contains C programs; he wants to block based on the keywords used in the program.

Sample regex used by the customer:

.*(.*(\#include).*((c

...

Signature for Clash of Clans game

I built the attached custom application signature for the Clash of Clans game (previously identified as unknown-tcp) based on taking multiple pcaps and finding the first 7 bytes of the first 4 data packets appear to be constant across sessions. Howev

...

david3 by L4 Transporter
  • 9947 Views
  • 4 replies
  • 1 Likes

Email body signature

Hi all

I have a question about the possibility to create a specific custom signature to block some mail.

I need to block email that contains:

1- specific email address (it is easy, I did it)

2- email with some specific word contained in the email body(f

...

zenmate application

Hi,

zenmate application is available in PA app but it is not blocking the traffic,

tried using the URL based but pcap doesn't show any URL

tried to block through client hello SNI but no luck ....

Please advise how I can block this on PA.

app name - zen

...

Rameshwar by L3 Networker
  • 4700 Views
  • 10 replies
  • 0 Likes