Custom threat signature- search full TCP payload of any AppId

L2 Linker

I'm trying to write a custom threat signature.  The pattern matches just fine if I send it using netcat, but it does not match the actual application traffic.  I believe that this is because the actual traffic is processed and detected as a known application, whereas the signature Context is "unknown-req-tcp-payload".


Is this context only for traffic that is application = unknown-tcp?  If a known application is detected, does "unknown-req-tcp-payload" not apply?



Accepted Solutions
L2 Linker

Hi John,


You are correct in that, in versions prior to 10.0, you cannot write a custom signature against a known application unless the decoder for that protocol/context is "exposed" in the user interface.


In 10.0, there is more flexibility, including a "context-less" signature that may meet your requirements.  Be advised that there can be performance penalties when using these expanded capabilities.  More info here:


https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/enhanc...



All Replies
L2 Linker

Replying to myself here...

Per this thread, it looks like my initial assumption was correct: https://live.paloaltonetworks.com/t5/custom-signatures/need-help-with-creating-signature-for-pop3/m-...


...So is there any way to search the payload of a TCP datagram of a known application - but an application lacking a pre-built Context?  I think we need a Context called "raw-req-tcp-payload".  I find it hard to believe that PAN would assume that someone who goes to the trouble of creating a custom vulnerability signature would only do so for traffic that is not classified as a known application.  In fact, these are the type of people who will also go to the trouble of creating a custom application signature to eliminate unknown-tcp from their environment.
