11-24-2025 04:37 AM - edited 12-03-2025 10:20 PM
Hi all,
I'm playing with the app-id custom signature to catch the DNS Rebinding. I have some experience with the custom app-ids and I do understand the difference between the "transaction" and "session" context (well, at least I thought so). The thing is... I want to base my signature based on the DNS req and res in a way they need to be "glued". For example, if I see a DNS req/res:
DNS query: abc.example.com
DNS answer: 10.10.10.10
it should match my custom app id.
In contrast, if a req/res looks like:
DNS query: abc.example.com
DNS answer: 10.10.10.11
I don't want to match on that.
Now comes the confusing part. For me, DNS req/res should be part of "transaction", i.e., Palo Alto sees a DNS req and waiting for the DNS res to match the signature. No difference than what we have with the HTTP req/res.
For some reason it seems this does not work for DNS. If I change the context to "session" based, it works. Unfortunately, there is no much, if any example on creating more complex signatures with multiple AND/OR operators and there is almost none documentation about "transaction" and "session" context, although it should be pretty clear what it is - it seems there are some intrinsic about it.
Any thoughts?
12-02-2025 08:30 AM - edited 12-02-2025 08:32 AM
What about combination signature that matches 1 signature for request and 1 for response? I think maybe in some cases a transaction could be one direction also just in case see that your signature is configured to trigger in the two directions not just client to server or server to client.
I have seen simmilar issue for HTTP req/response as I have mentioned in:
12-03-2025 10:25 PM
Hi Nikoolayy1,
Thanks for replying!
Unfortunately, combination signature is for custom vulnerability. We don't have that option for app-id.
Anyhow, I would like to understand why it is working this way.
12-08-2025 03:26 AM - edited 12-08-2025 03:29 AM
Forgot that we are talking app signatures and if Palo Alto Adds combination signature option for this as well it will be nice! Maybe open request for enhancement ? See Palo Alto New Feature Requests | Palo Alto Networks LIVEcommunity
I am wondering because DNS usually is UDP and the DNS decoder to be only in one direction for a transaction. Maybe try DNS over TCP and if you want open a case as Palo Alto Engineers may confirm if the DNS Decoder for transactions is just in one direction.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
