Custom Signatures
The Custom Signatures discussion is a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance.
About Custom Signatures

Welcome to the Custom Signatures discussion forum. This forum exists as a resource for security professionals to discuss the creation process of custom signatures in their PAN-OS appliance. Please feel free to engage with other community members and Palo Alto Networks staff. Ideas, questions, research, and observations regarding the process of custom signature creation are all actively encouraged.

For an introduction to the forum, please see the sticky!

Disclaimer:
This forum is provided for Live Community members to discuss and share information pertaining to custom signatures. Please use the information from this forum at your own risk and make sure to test and verify any signature and code presented here. For information on contacting Palo Alto Networks support, click here.

Discussions

Welcome to the Custom Signatures Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 3495 Views
  • 0 replies
  • 0 Likes

Welcome to the Palo Alto Networks Custom Signature discussion board!

The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to fos...

rcole by L4 Transporter
  • 37592 Views
  • 4 replies
  • 4 Likes

zenmate application

Hi, the zenmate application is available in the PA app list but it is not blocking the traffic. Tried using URL-based blocking, but the pcap doesn't show any URL. Tried to block through the client hello SNI but no luck.... Please advise how I can block this on the PA. App name - zenmate - browser based proxy.

Rameshwar by L3 Networker
  • 6901 Views
  • 10 replies
  • 0 Likes

Custom Data Patterns

I am trying to create some data patterns for credit card numbers. I cannot get it to take any of my regex statements. Below is one of them; the error is saying it's invalid. Does anyone have any good solid Credit Card Number and Social Security Number Data Patterns? \b(?:3[47]\d|(?:4\d|5[1-5]|65)\d{2}|6011)\d{12}\b

Custom App for SIP

As a SIP provider, I am looking to create a custom signature that matches a SUBSCRIBE message from the packet payload with 10 or 11 digits. We first tried this with Data Patterns under the Custom Objects, but that didn't solve/address our issues. We then created a custom app (SIP-SUBSCRIBE) to match the sip application already available in the DB, and ...

markibr by L0 Member
  • 3768 Views
  • 2 replies
  • 0 Likes

Resolved! Block Macro-enabled Word documents

I am trying to create a custom signature to block macro-enabled Word documents. I can't use the "39154" signature for blocking, because it also blocks other Office documents, such as .xlsx. I am in the testing phase, and I have created a custom signature to detect and alert on just Word documents with macros enabled, but so far I have been unabl...

cstarks2 by L1 Bithead
  • 8174 Views
  • 4 replies
  • 0 Likes

SMTP Signature Help

We have been slammed with random Chinese IP addresses attempting to brute-force accounts via SMTP. Amusingly enough, our gateway doesn't even support that feature, but the amount of traffic attempting it is consuming all available ports. I was able to make a signature to catch it when the server responds back with a "502 Unsupported" command, but ...

InfluxDB Application Traffic

Hi everyone, I have a problem: in monitoring traffic, the InfluxDB connection on port 8086 did not work; the traffic status is incomplete. I was trying to set up an application manually for InfluxDB, but it did not work. Could you give me an explanation?

Block Turbo VPN 1.8.1

Please advise how I can block the mentioned VPN on the FW. I have blocked all the URLs using URL filtering which were hitting the firewall (showing under URL filtering after enabling alert on all categories); blocked unknown-tcp and unknown-udp traffic; SSL decryption is enabled. Please advise. I have a packet capture; can I block the URLs which I see...

Rameshwar by L3 Networker
  • 2871 Views
  • 0 replies
  • 0 Likes

Resolved! Custom Signature Help

Hi, I'm attempting to create an application signature to detect Amazon AWS backups. I captured SSL client hello packets to get the below hex for the pattern match, but the signature is not firing. Packet, Hex value, /x 3531333438623763302d646432372d313164662d393337622d3038303032303063396136362e73332e616d617a6f6e6177732e636f6d /x Signature con...

phi1771 by L1 Bithead
  • 4393 Views
  • 2 replies
  • 0 Likes

Resolved! Pokemon GO

With the rise in popularity of the new Pokemon GO app, has anyone had the opportunity to build a signature or possibly even gather a pcap of the traffic that could be shared (the site is not allowing signups right now so I am unable to produce my own test traffic to collect). I have received complaints from as high as our CIO, that too many peop...

aelmore by L0 Member
  • 7772 Views
  • 4 replies
  • 0 Likes

APPID signature for Zebra Printers showing unknown-tcp or insufficient data

I am seeing that traffic that goes to a specific vendor/model (Zebra LP 2844-z) of labeling printers is being categorized as App-ID unknown-tcp or insufficient data on port 2001 TCP. I would like to know if there is a way to get this added to your App-ID database so that traffic matching this signature is automatically tagged. Regards, M

Regex for syslog User-ID not working

Hi team, we have the (Cisco & Ruckus) wireless controllers forwarding syslogs to the User-ID agent running on a Windows 2012 server. We want to use these syslog messages to create user-IP mappings. We tried several different regex patterns but are not having any luck. The UIA keeps showing the log as "- is not a valid IP". I checked the regex...

ansharma by L4 Transporter
  • 4067 Views
  • 2 replies
  • 0 Likes

Custom data pattern

Hi Team, I have a user who has a requirement to add a custom Data Pattern to identify a specific string. Example: 1234/09/4578 (note the second identifier is a numeric value between [1-9]). I set up the data pattern under "Custom Objects ---> Data Pattern ---> Add" in the following format to achieve this: "(/d/d/d/d)/-(/d[1-9])/-(/d/d/d/d...

agawade by L2 Linker
  • 3597 Views
  • 2 replies
  • 0 Likes

Resolved! Submitting DNS block without blocking the IP

I'm looking to submit an FQDN block where I don't ever block the IP. I've reviewed this article on blocking FQDNs but can't seem to figure out how to ignore the IP. We assign fake IP addresses to known malicious sites and need the HTTP, HTTPS, SSH, etc. traffic to route back to us, but the block on the FQDN is also blocking the IP once the lookup...

Wordpress wp-login.php flood

Today we built a custom vulnerability signature to block excessive requests from one IP to wp-login.php.

  • wp-login.php: threat-id 42106
  • wp-login.php flood: threat-id 42107
  • Blocked by rule

PortsIT by L0 Member
  • 6233 Views
  • 0 replies
  • 2 Likes