02-02-2016 02:18 AM
Hello,
I would like to make custom application signature for using refer of http header.
Can I ????
I made the follwoing signature. but PA is not detecting.
I would like to hear any your opinion and assistance.
Thanks,
KC Lee
02-02-2016 04:38 AM - edited 02-11-2016 08:59 AM
Good morning!
I usually work with custom threat signatures so I'm less familiar with the intricacies of custom application signatures.
However, I have a few pointers to try and help!
- There appears to be no space between Referer: and http. In most HTTP request headers, I see whitespace between the referer and it's contents, ie:
Referer: http://uquest\.u-quest\.net
- There is an unescaped special character in your pattern "-". According to page 37 of the Creating Custom Signatures document, "-" should be escaped with "\-" as it is a special character used for range expressions.
In addition to the two above points, when trying to troubleshoot a signature, I usually try to start from the most basic form of the signature to identify where in the process the signature is not working. In this case, removing the GET qualifier to test just that the pattern matching itself is functioning would be a good step to take in my opinion. Then, once the pattern match is working, add the qualifier back.
I hope this helps.
02-02-2016 04:38 AM - edited 02-11-2016 08:59 AM
Good morning!
I usually work with custom threat signatures so I'm less familiar with the intricacies of custom application signatures.
However, I have a few pointers to try and help!
- There appears to be no space between Referer: and http. In most HTTP request headers, I see whitespace between the referer and it's contents, ie:
Referer: http://uquest\.u-quest\.net
- There is an unescaped special character in your pattern "-". According to page 37 of the Creating Custom Signatures document, "-" should be escaped with "\-" as it is a special character used for range expressions.
In addition to the two above points, when trying to troubleshoot a signature, I usually try to start from the most basic form of the signature to identify where in the process the signature is not working. In this case, removing the GET qualifier to test just that the pattern matching itself is functioning would be a good step to take in my opinion. Then, once the pattern match is working, add the qualifier back.
I hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
