Import Snort signature and MD5 hash into either custom application/threat signature


L1 Bithead

I would like to import my existing Snort custom signatures and MD5 hashes into the PA FW. Does it require any tools? I couldn't find any documentation.

 

Thanks 


L5 Sessionator

Hi James,

 

That will not be so straightforward. PAN does not have the same signature structure or triggers as Snort does, so it is not so easily translatable.

How many custom signatures do you have? Are your MD5 hashes for the whole file or for portions of the files? I am asking to figure out how to help you better and whether your work is doable by hand or you should look into scripting this.

If they are file hashes, please use https://threatvault.paloaltonetworks.com to check if they already have coverage (in that case, you don't need to export that signature at all, as we do have it). If they are partial file hashes, depending on what is hashed - you can use https://autofocus.paloaltonetworks.com to search for those files (please contact the Systems Engineer assigned to your organization if you need a demo account to check Autofocus).

If you have fewish custom signatures, it might be worth rewriting them - this article here offers a Tech Note on custom signatures and how to create them: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...

 

Let us know if we helped a bit and show us an example or two, perhaps, if you need more info?

 

Best regards

Luciano

Thanks for your information. Since I am working in the military sector, I have tons of other custom signatures from Snort, McAfee IPS, Cisco IPS, etc. I am just wondering if someone from the community knows how to, or has some kind of script for, converting them over to Palo. I know many other government organizations convert to Palo FW and am wondering how they convert their current custom signatures to Palo.

If you know of any script that is useful, please let me know. I really appreciate your support.

 

Thanks 

Hi James,

 

I hear you and understand the issue you are facing, but as I am listening I also hear "99 problems" 🙂 Why?

Because of the following facts:

- Snort signatures are yara-like, allowing more complex constructs than we can do with our signatures - therefore, they are not easily translatable or they easily lose their value when translated. For example, some signature might be looking for specific bytes found at an unusually high offset; translating those to PAN rules cannot be automated as you cannot specify an offset in bytes - you need to figure out where it is according to the protocol type. With PAN-OS, you can look for a pattern match in the DNS request header or DNS request body, but that cannot be specified as an offset from the start of the record.

- plenty of "other vendor" signatures cover things that are either not applicable to be covered by us (such as end-point issues) or might already be covered by us (we have plenty of AV and vulnerability signatures already)

- "tons" of other signatures will never scale well: PAN-OS can take only "so many" custom regex patterns. More patterns in rules = fewer rules available; and also simpler rules (less regex) = less chance to cover all (sub)variants of the malware / vulnerability you are trying to cover

 

I could probably come up with a few more reasons why this will not end up well if automated, but let's discuss how you could still resolve your issue... I believe that, considering the aforementioned, the best approach would be for you to:

- sort all the signatures you have according to severity,

- weed out all signatures that aren't applicable/possible to be covered by firewalls (end-point issues such as Flash or PDF abuse, for example, or signatures irrelevant for your infrastructure - you probably don't need signatures to protect Hummingbird print services)

- when you end up with the list of what you really want covered, check in the Threat Vault for the CVE number or similar items to see if we are already covering that issue

- review what is left and see how many can have signatures created in Palo Alto Networks firewalls (review documentation for threat signatures prior to starting to write them, so you know what you can do in the first place)

- go with manual creation of signatures, starting from the top with severity "critical" and going down to "high" and lower...

 

I would be surprised if you come up with more than a few dozen that need converting after the "review" process suggested above.

 

Of course, all this is not really answering your initial question, but since the answer is negative, I am just suggesting how I would approach it knowing what I know already 🙂 Sorry if I did not help much. I know there were talks on creating some semi-officially supported script for converting this, but I think any potential author of such a script faces the challenges I named above, and it would be very hard to create a script that would automatically check all the things I named above from "any" set of signatures. I know nothing has been published yet, or nobody has reported its existence to TAC 🙂

 

If you have a sub-set of signatures you could share, for example, or can find a set of online signatures that mimic the structure of the signatures you have, let us know what they look like - there still might be a wild chance someone could see a pattern that could be scripted.

 

Best regards

Luciano
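
The triage steps in the reply above, sketched as an added example (not code from the poster or from Palo Alto Networks): it parses Snort rules, pulls out CVE references for a Threat Vault lookup, flags rules that rely on byte-offset options, and orders the worklist by severity. The sample rules, SIDs and CVE ids are constructed placeholders; using Snort's `priority` option as the severity key and the function names are assumptions.

```python
import re

# Constructed sample rules (not from the thread); SIDs and CVE ids are placeholders.
SAMPLE_RULES = r'''
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web exploit"; flow:to_server,established; content:"/cgi-bin/example"; http_uri; reference:cve,0000-00001; priority:1; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns bytes at fixed offset"; content:"|de ad be ef|"; offset:120; depth:4; priority:2; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"EXAMPLE length-field check"; byte_test:4,>,1024,8; content:"EXMP"; reference:cve,0000-00002; priority:1; sid:1000003; rev:2;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:1000004;)
'''

# Snort options that place a match by raw byte position; per the reply above these
# cannot be translated mechanically and need a human to find the protocol context.
POSITIONAL = {"offset", "depth", "distance", "within", "byte_test", "byte_jump"}
# One "key;" or "key:value;" option; a quoted value may itself contain ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rule(line):
    """Return a dict for one Snort rule line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    body = line[line.index("(") + 1 : line.rindex(")")]
    opts = [(k, (v or "").strip()) for k, v in OPTION_RE.findall(body)]
    get = lambda key: [v for k, v in opts if k == key]
    cves = ["CVE-" + v.split(",", 1)[1].strip() for v in get("reference")
            if v.lower().startswith("cve,")]
    return {
        "sid": int(get("sid")[0]),
        "msg": get("msg")[0].strip('"') if get("msg") else "",
        "priority": int(get("priority")[0]) if get("priority") else 4,  # assumption: unset sorts last
        "cves": cves,
        "positional": sorted({k for k, _ in opts if k in POSITIONAL}),
    }

def triage(text):
    """Build the review worklist: highest severity first, each rule with a next step."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    for r in rules:
        if r["cves"]:
            r["action"] = "look up CVE in Threat Vault first"
        elif r["positional"]:
            r["action"] = "manual rewrite: byte-offset logic"
        else:
            r["action"] = "candidate for manual custom signature"
    return sorted(rules, key=lambda r: (r["priority"], r["sid"]))

if __name__ == "__main__":
    for r in triage(SAMPLE_RULES):
        print(r["priority"], r["sid"], r["action"], r["cves"], r["positional"])
```

Weeding out end-point or irrelevant signatures remains a human decision; the script only orders the list and surfaces what each rule needs next.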

Thanks for that information.

 

How about adding MD5 hashes (whole file) to Palo? I can see some of our hashes were already covered by the built-in Palo Threat Vault database, but some of them are not. Since Palo checks the file hash and compares it against its malicious hash database, can I add my own hashes along with the Palo predefined ones? Is there any way to add our custom hashes to Palo? We have over 3000 hashes from previous IPS devices and it's not easy to check every one of them through Threat Vault by a manual process.

 

Also, I would prefer not to hand-jam 400 Snort signatures, but if we do, we would like to ensure that we are creating the new signatures properly, so any help with the conversion process and documentation for creating them would be appreciated.

 

Thanks
