Can I make custom application signature for using referer of http header?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can I make custom application signature for using referer of http header?

L4 Transporter

Hello,

 

I would like to make custom application signature for using refer of http header. 

Can I ????

 

I made the follwoing signature. but PA is not detecting.

 

failed signature for referer.PNG

 

I would like to hear any your opinion and assistance.

 

Thanks,

KC Lee

 

1 accepted solution

Accepted Solutions

L4 Transporter

Good morning!

 

I usually work with custom threat signatures so I'm less familiar with the intricacies of custom application signatures.

 

However, I have a few pointers to try and help!

 

- There appears to be no space between Referer: and http. In most HTTP request headers, I see whitespace between the referer and it's contents, ie:

Referer: http://uquest\.u-quest\.net

 

- There is an unescaped special character in your pattern "-". According to page 37 of the Creating Custom Signatures document, "-" should be escaped with "\-" as it is a special character used for range expressions.

 

In addition to the two above points, when trying to troubleshoot a signature, I usually try to start from the most basic form of the signature to identify where in the process the signature is not working. In this case, removing the GET qualifier to test just that the pattern matching itself is functioning would be a good step to take in my opinion. Then, once the pattern match is working, add the qualifier back.

 

I hope this helps.

View solution in original post

2 REPLIES 2

L4 Transporter

Good morning!

 

I usually work with custom threat signatures so I'm less familiar with the intricacies of custom application signatures.

 

However, I have a few pointers to try and help!

 

- There appears to be no space between Referer: and http. In most HTTP request headers, I see whitespace between the referer and it's contents, ie:

Referer: http://uquest\.u-quest\.net

 

- There is an unescaped special character in your pattern "-". According to page 37 of the Creating Custom Signatures document, "-" should be escaped with "\-" as it is a special character used for range expressions.

 

In addition to the two above points, when trying to troubleshoot a signature, I usually try to start from the most basic form of the signature to identify where in the process the signature is not working. In this case, removing the GET qualifier to test just that the pattern matching itself is functioning would be a good step to take in my opinion. Then, once the pattern match is working, add the qualifier back.

 

I hope this helps.

@rcole

 

Thanks a lot.

Your advice is so helpful to me.

 

  • 1 accepted solution
  • 6820 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!