01-22-2018 11:13 AM
Is it possible to use the API to create a custom threat or vulnerability signature ? Plenty of examples showing how to do this using the WebUI, but customer is looking for automated ability.
thanks, michael
01-23-2018 06:02 AM
Hello, Michael,
and welcome to our forums.
At the moment, that is not recommended approach, mostly because it is relatively easy to hit the limitation of the device when it comes to custom signatures. Those limitations aren't hard coded in the sense of how many particular rules can be set; they are rather limited in the terms of cumulative number of custom regex lookups that are contained in all custom signatures across the device. While it is possible to create quite a few custom signatures, depending on the complexity of those it is also possible to deplete firewall's resources when it comes to usage of custom regex lookups. Therefore, we are still expecting users to do this by hand.
If your customer should have relevant information on attacks and/or trends they are seeing, it is always possible to open a TAC case and offer tangible information (exploitation strings seen, or the POC code, or whatever logs customers have) and we would evaluate and create relevant signatures per need; those would not influence number of custom rules and signatures as they are counted differently.
Hope this helps; if there is more info or feedback from customer please let us know. If they still want to automate this maybe open a TAC case and route it to Threat Specialist, so we can look at it together and find a graceful way to do it.
Best regards,
Luciano
01-23-2018 06:02 AM
Hello, Michael,
and welcome to our forums.
At the moment, that is not recommended approach, mostly because it is relatively easy to hit the limitation of the device when it comes to custom signatures. Those limitations aren't hard coded in the sense of how many particular rules can be set; they are rather limited in the terms of cumulative number of custom regex lookups that are contained in all custom signatures across the device. While it is possible to create quite a few custom signatures, depending on the complexity of those it is also possible to deplete firewall's resources when it comes to usage of custom regex lookups. Therefore, we are still expecting users to do this by hand.
If your customer should have relevant information on attacks and/or trends they are seeing, it is always possible to open a TAC case and offer tangible information (exploitation strings seen, or the POC code, or whatever logs customers have) and we would evaluate and create relevant signatures per need; those would not influence number of custom rules and signatures as they are counted differently.
Hope this helps; if there is more info or feedback from customer please let us know. If they still want to automate this maybe open a TAC case and route it to Threat Specialist, so we can look at it together and find a graceful way to do it.
Best regards,
Luciano
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
