03-04-2016 12:42 PM
I would need some assistance with setting up a custom signature for pop3.
I need to make a signature for the USER command returning "-ERR "; currently the PAN vuln signature only triggers on the PASS command in vuln id 31709. I run into a fundamental issue, which is the 7 bytes: POP3 does not have a 7-byte minimum on return codes.
I'm suspecting I will need to do something like the following, but this is not triggering.
'Server Ack
context unknown-rsp-tcp-payload
pattern "\+OK.{0,70}(POP3 MDaemon).{0,70}"
negate no
'User passes username
context unknown-req-tcp-payload
pattern "/user/i .{0,100}"
negate no
context unknown-rsp-tcp-payload
pattern "/\-ERR/i.{0,70}"
negate no
Any idea on how I can get this done would be appreciated.
03-04-2016 12:56 PM
Good evening, apike!
I understand what you are requesting; however, given the current custom signature contexts available within PAN-OS, I am not certain if it is possible. I do not see any exposed POP3 contexts in our custom signature engine, meaning writing signatures for them is likely not possible.
The contexts unknown-req-tcp-payload and unknown-rsp-tcp-payload are for applications not successfully identified by the PAN-OS device (i.e. application unknown-tcp); since the traffic you are trying to trigger off of is nested within a properly interpreted application (POP3), this signature will not trigger.
The short version of my response is that I am uncertain if what you are trying to do via custom signature is possible; if it is, I do not know of a way to do it.
03-04-2016 08:35 PM - edited 03-04-2016 08:40 PM
Hi apike, welcome to community forums.
I am not completely sure, but I am thinking this might help: you need to work around Rick's comment because he is right. Why don't you try creating a custom app "myPOP3" and define it for port tcp/110? Thus you will override the built-in decoder for pop3, because custom apps should kick in first and disable further lookup, and therefore there is a chance your vuln sigs will trigger now.
Or just create a custom app for your condition (perhaps in the whole session) and block that app. You have an explanation here of how to create signatures for the session (part of base signature creation).
Can you try and let us know what was your mileage?
Best regards
Luciano
03-06-2016 10:41 AM - edited 03-06-2016 01:13 PM
I need help with the regex. According to my regex "user ([A-Z a-z 0-9._\ \@]{0,100})" this is valid, but not according to PAN-OS.
any thoughts?
03-08-2016 11:03 AM - edited 03-08-2016 11:09 AM
Hi,
For what it's worth, I think your signature is mostly valid, but it has some extra spaces and it also should probably escape brackets. I am not completely sure what you are trying to match; do you need brackets or not? Anyway, that is regex-wise; for PAN-OS you are failing to meet another requirement. The problem you are seeing is that for any custom signature you have to have at least 7 bytes of fixed string, so no regex can be used WITHIN those 7 characters / bytes. You can use regex together with that anchor, but you must have a 7-byte anchor.
I really don't have any pop3 service running or configurable to test this with, but there MUST be some string in the email header that you can grab for this? (I still am not sure if my proposal works, as I can't test it.)
What I would try: I would set up
1. custom but simple application for pop3, as explained, just defining tcp/110,
2. simple vulnerability signature catching onto fixed string, something like "subject",
3. make an exception in all existing vuln profiles for this signature (you don't want it catching everything and anything before you test it!),
4. create new vuln profile (that does not have this in exception),
5. create new security policy applying only to sender/receiver of email, using custom app, using vulnerability protection profile from step 4 (only one that does not have new vuln profile in exception list)
This way you will start with a very simple signature and work out if this works at all; if it does, then you can perhaps share with us how your headers usually look, so maybe together we can find some 7-byte string that would work better.
Best regards,
Luciano
03-08-2016 03:14 PM
Hi Luciano,
We are targeting the users' sign-on failed auth message; unfortunately there is nothing more than the USER command and the parameter the attacker uses. I don't need the brackets; notice they did not make a difference whether they're in or not.
https://www.ietf.org/rfc/rfc1939.txt (page 12-13) This is due to an attack we have seen; the last one was ~50K user attempts, and the bot never went to the PASS command, which would have triggered the failed login attempt. I have asked PA to step in at this point to develop some kind of recon signature for this type of attack/recon.
Hopefully they will come up with something. Thanks for your help!
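The enumeration pattern described above (many USER commands answered with -ERR and never followed by PASS) expressed as host-side detection logic. This is an added example, not code from the thread or from PAN-OS; it assumes a constructed transcript in "client-ip direction payload" form and a hypothetical threshold of 3 rejected USERs.

```python
import re
from collections import defaultdict

# Constructed transcript, not a real capture: one message per line as
# "<client-ip> <C|S> <payload>", C = client to server, S = server reply.
SAMPLE_LOG = """\
203.0.113.5 S +OK POP3 MDaemon ready
203.0.113.5 C USER alice
203.0.113.5 S -ERR unknown user
203.0.113.5 C USER bob
203.0.113.5 S -ERR unknown user
203.0.113.5 C USER carol
203.0.113.5 S -ERR unknown user
198.51.100.9 S +OK POP3 MDaemon ready
198.51.100.9 C USER dave
198.51.100.9 S +OK
198.51.100.9 C PASS hunter2
198.51.100.9 S +OK logged in"""

USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\b", re.IGNORECASE)

def analyse_pop3(log, threshold=3):
    """Per client IP: count USER commands answered with -ERR and note whether
    a PASS was ever sent. A client with at least `threshold` (hypothetical
    value) rejected USERs and no PASS is flagged as username enumeration."""
    stats = defaultdict(lambda: {"user_err": 0, "pass_seen": False, "pending": None})
    for line in log.splitlines():
        src, direction, payload = line.split(" ", 2)
        st = stats[src]
        if direction == "C":
            m = USER_RE.match(payload)
            if m:
                st["pending"] = m.group(1)      # await the reply to this USER
            elif PASS_RE.match(payload):
                st["pass_seen"] = True
                st["pending"] = None
        elif st["pending"] is not None:         # server reply to an outstanding USER
            if payload.startswith("-ERR"):
                st["user_err"] += 1
            st["pending"] = None
    return {
        src: {
            "user_err": st["user_err"],
            "pass_seen": st["pass_seen"],
            "flagged": st["user_err"] >= threshold and not st["pass_seen"],
        }
        for src, st in stats.items()
    }
```

The same walk works over a server-side POP3 log once each line is reduced to the three fields used here.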
03-09-2016 11:21 AM
Hi,
Just to let you know: I checked, and my idea with a custom app won't work; it will not override the settings of the default decoder. Scratch that and talk to a PAN SE or TAC.
Best regards
Luciano