09-15-2020 11:30 AM
I'm trying to write a custom threat signature. The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic. I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature Context is "unknown-req-tcp-payload".
Is this context only for traffic that is application = unknown-tcp? If a known application is detected, does "unknown-req-tcp-payload" not apply?
09-15-2020 11:57 AM
Hi John,
You are correct that in versions prior to 10.0 you cannot write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface.
In 10.0, there is more flexibility, including a "context-less" signature that may meet your requirements. Be advised that there can be performance penalties when using these expanded capabilities. More info here:
09-15-2020 11:44 AM
Replying to myself here...
Per this thread, it looks like my initial assumption was correct: https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-...
...So is there any way to search the payload of a TCP datagram of a known application - but an application lacking a pre-built Context? I think we need a Context called "raw-req-tcp-payload". I find it hard to believe that PAN would assume that someone who goes to the trouble of creating a custom vulnerability signature would only do so for traffic that is not classified as a known application. In fact, these are the type of people who will also go to the trouble of creating a custom application signature to eliminate unknown-tcp from their environment.