Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37590 Views
  • 4 replies
  • 4 Likes

A few questions about signatures and custom apps

So I've had some issues with the most recent custom app I'm attempting to make. Our server team is implementing Papercut on campus and there doesn't seem to be a pre-built app for it. I submitted a request for it but figured I'd try to take a crack at it myself. It's turned out to be fairly interesting... Windows and Apple iOS devices ended up...

jsalmans by L4 Transporter
  • 6216 Views
  • 4 replies
  • 0 Likes

Office 365 Vulnerability of HTML “baseStriker attack” and Mitigation by PAN Firewall

Hi Team, recently there is one vulnerability found in Office 365. A vulnerability has been identified in Microsoft Office 365; a remote user can exploit this vulnerability to trigger Security Restriction Bypass on the targeted system. Is there any way to block the office split HTML in PAN firewall? Vulnerability Types and Methods: Found using in th...

Regex for User Agent for ASA Anyconnect syslog

We have stale userID/IPaddr entries in PA from our AD servers. We implemented regex and syslog feed for the campus ASA to solve the issue, but need it also for Anyconnect user traffic. Found what appears to be the regex for anyconnect syslog feed. https://live.paloaltonetworks.com/t5/Automation-API-Discussions/Cisco-Anyconnect-Regex-for-User-ID/m-...

rkemble by L1 Bithead
  • 4512 Views
  • 4 replies
  • 0 Likes

Quick Question - escaping parentheses?

So, none of the docs I can find show parentheses as a reserved character, but when I put in a regex of 'sample(_POST' it is rejected, but when I do 'sample\(POST' it is taken - in these samples the '' are not there. But, I'm not sure if the REGEX is matching on the \( or just ( <edit> here is an error example: pattern '=@eval(base64_dec...

dberber1 by L2 Linker
  • 2032 Views
  • 0 replies
  • 0 Likes

Resolved! Regex Issue

Hey Everyone, I am having an issue that I can't explain. I am building a signature to match on IP addresses in the X-Forwarded-For HTTP header. What I have come up with is this: "For: 1\.2\.[3-4]\..*" This is working well, but I am having an issue with certain ranges. I have one that is "For: x\.x\.[176-179]\..*" this throws an invalid patter...

dkramer by L0 Member
  • 4155 Views
  • 2 replies
  • 0 Likes

Custom APP-ID for more granular access to MS Office online components

I would like to have more granular control over access to Microsoft online resources, specifically Visual Studio tools. Access to the site currently is identified as 'ms-office365-base' but I would like to specifically identify the logon page and resources under 'visualstudio.com' as a separate app from 'ms-office365-base' so that I can allow ac...

kstiver by L0 Member
  • 2288 Views
  • 0 replies
  • 0 Likes

Basic Rule to Detect/Alert on OpenVAS Scanners

So I'm surprised that the Palo Alto doesn't have a signature to detect OpenVAS scanners. I would like to create a simple rule that detects "User-Agent: OpenVAS" (ultimately I would like to just block these entirely). Is this something that can be easily built?

r_gine by L1 Bithead
  • 7806 Views
  • 2 replies
  • 0 Likes

Resolved! Create custom threat signature using the API

Is it possible to use the API to create a custom threat or vulnerability signature? Plenty of examples showing how to do this using the WebUI, but customer is looking for automated ability. Thanks, michael

mprice1 by L0 Member
  • 4872 Views
  • 1 replies
  • 0 Likes

How to create new APP ID or signature to block VPN360 App

Hi! I was referred by TAC support to post request here. We want to block VPN360 Apps on iPhone. It uses proxy IP to access internet bypassing URL filtering. IP is hopping and changing every time you disconnected and reconnected App and it is standard SSL. Following is App in App store https://itunes.apple.com/us/app/vpn-360-unlimited-vpn-proxy/id...

Custom Signature for Dahua NVR

Hello All, I am working on creating a custom signature for a Dahua NVR that we would like to allow remote access to. It operates on port 37777 which has been allowed, but traffic still shows up as unknown-tcp and is subsequently blocked. Does anyone have experience working with one of these devices or creating a signature for it? We opened ...

jjurdi by L1 Bithead
  • 8132 Views
  • 6 replies
  • 0 Likes

Help with creating a custom App

Hi Everyone, I have an application that is currently being detected as unknown-tcp and would love to be able to create a custom app to allow it rather than having to allow unknown-tcp. I have attached a capture from the Firewall, I am just uncertain as to what data to pull out of this and what fields to fill in in relation to signature (actually unc...

What is the purpose of 'parent app' when creating a custom app?

Hello, I don't understand why 'parent app' is. What is it used for? And when is it used? If I choose 'facebook-base' in parent app when I create 'ABC' of custom application, the 'ABC' application is inherited the signature from 'facebook-base'? Honestly, I don't think it as above. I thought this setting is just information shown. I hope to get ad...

Customer signature to Block C & C++ Programs

Hi Team, One of the customers is looking to block files based on data filtering and he wanted to block any text that contains C programs, he wants to block based on the keywords used in the program. Sample Regex used by customer: .*(.*(\#include).*((cout)|(cin)|(return)|(main)|(iostream))) Can anyone be of some assistance to us on this query?

Email body signature

Hi all, I have a question about the possibility to create a specific custom signature to block some mail. I need to block email that contains: 1- specific email address (it is easy, I did it) 2- email with some specific word contained in the email body (for example "i wont you") 3- email with specific URL in the body (ex. "www.link.com") Is it possible...

  • 175 Posts
  • 86 Subscriptions