Create custom threat signature using the API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Create custom threat signature using the API

L0 Member

Is it possible to use the API to create a custom threat or vulnerability signature ?  Plenty of examples showing how to do this using the WebUI, but customer is looking for automated ability.

 

thanks, michael

1 accepted solution

Accepted Solutions

L5 Sessionator

Hello, Michael,

 

and welcome to our forums.

 

At the moment, that is not recommended approach, mostly because it is relatively easy to hit the limitation of the device when it comes to custom signatures. Those limitations aren't hard coded in the sense of how many particular rules can be set; they are rather limited in the terms of cumulative number of custom regex lookups that are contained in all custom signatures across the device. While it is possible to create quite a few custom signatures, depending on the complexity of those it is also possible to deplete firewall's resources when it comes to usage of custom regex lookups. Therefore, we are still expecting users to do this by hand.

 

If your customer should have relevant information on attacks and/or trends they are seeing, it is always possible to open a TAC case and offer tangible information (exploitation strings seen, or the POC code, or whatever logs customers have) and we would evaluate and create relevant signatures per need; those would not influence number of custom rules and signatures as they are counted differently.

 

Hope this helps; if there is more info or feedback from customer please let us know. If they still want to automate this maybe open a TAC case and route it to Threat Specialist, so we can look at it together and find a graceful way to do it.

 

Best regards,
Luciano

View solution in original post

1 REPLY 1

L5 Sessionator

Hello, Michael,

 

and welcome to our forums.

 

At the moment, that is not recommended approach, mostly because it is relatively easy to hit the limitation of the device when it comes to custom signatures. Those limitations aren't hard coded in the sense of how many particular rules can be set; they are rather limited in the terms of cumulative number of custom regex lookups that are contained in all custom signatures across the device. While it is possible to create quite a few custom signatures, depending on the complexity of those it is also possible to deplete firewall's resources when it comes to usage of custom regex lookups. Therefore, we are still expecting users to do this by hand.

 

If your customer should have relevant information on attacks and/or trends they are seeing, it is always possible to open a TAC case and offer tangible information (exploitation strings seen, or the POC code, or whatever logs customers have) and we would evaluate and create relevant signatures per need; those would not influence number of custom rules and signatures as they are counted differently.

 

Hope this helps; if there is more info or feedback from customer please let us know. If they still want to automate this maybe open a TAC case and route it to Threat Specialist, so we can look at it together and find a graceful way to do it.

 

Best regards,
Luciano

  • 1 accepted solution
  • 4073 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!