Honey pot signature

Reply
Highlighted
L0 Member

Honey pot signature

Hi,

    I have certain subnets that are currently not in use in our domain, I wanted to ip-block for 30 minutes all ips that access any of these subnets. Is it possible to creat a threat signature for this?

 

Thanks,

             VIREN

Tags (1)
Highlighted
L4 Transporter

Good afternoon, Viren!

 

Given the nature of our custom signature engine, I cannot think of a way to design a signature to accomplish what you are looking for.

 

However, what you are asking for may be possible with a Zone Protection profile under Reconnaissance Protection.

 

Please see this article for reference:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Block-an-IP-for-a-Specific-Period...

 

Hope this helps!

Highlighted
L0 Member

Hi,

     Thanks for your suggestion, I will look into that. What I've been trying is to set up strict vulneabilities av virus url profiles with default block and applying them to the policy. I have a request for enhancement to allow for block ip at the group level but in the mean time I've added ip block to some brute force matches to get the desired effect. Waiting to see if this works.

 

THANKS,

              VIREN

Highlighted
L4 Transporter

Viren,

 

To use custom signatures you need to tirgger on a defined traffic patten based on the contexts you have available for our use when creating a signature.  Since you want a honeypot trigger the challenge you would have is what traffic are you going to trigger on?  Might I suggest you create a security rule for you honeynet and use a logging profile that can alert you via txt message or email immediately upon being triggered.

 

Thought I would throw that out for your thoughts.

 

regards,

 

Phil 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!