This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

vulnerability signature with payload and negate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

vulnerability signature with payload and negate

MCervenka
L1 Bithead

‎02-14-2021 03:17 PM

Hello.

I'm trying to write a custom app and vulnerability signature. Signatures are based on UDP-payload.

When I use the custom app signature, vulnerability detection does not work. Can I somehow turn on CTD for the custom app?

The other problem is that what I ideally need to do in the vulnerability is to check for the other than mine UDP-payload. So I was thinking about matching "\xaabbccddee\x" with negating turned on and "\xaabbccdd\x" in the payload in one vulnerability signature. But this does not work either. 

Any suggestions?

Thank you.

0 Likes Likes
5 REPLIES 5

claudec
L2 Linker

‎02-15-2021 06:43 AM

Hello,

 

You can enable CTD inspection for the custom app by enabling "scanning" in the advanced tab of the signature.

 

Regarding the negate condition in custom threat signatures, there are some restrictions.  One is that it can not be the only match condition.  At least one non-negate condition must be included.  Also, if the signature scope is "session" the negate condition can not be the last match condition.

MCervenka
L1 Bithead
In response to claudec

‎02-15-2021 07:05 AM

Hello,

I did some other tests...

Yes, this we can read in some manual, but on the other hand, we can also read, that this is dependent on the parent application. These packet payloads signatures of course are not. Anyway, I tried at the end everything to turn on and it did not help. And even the property I am matching is unknown-req-udp-payload. Maybe this unknown is important 😞 So I ended with this question.

Yes, you are right again. But after 20 or so packets, this signature does not work anymore. My signature will drop the session if a vulnerability is found in the first 20 packets only. I would like to inspect every packet in the UDP stream.

 

0 Likes Likes

claudec
L2 Linker
In response to MCervenka

‎02-15-2021 09:15 AM

 I don't think it's possible to configure a custom threat signature using the "unknown" protocol decoder that will inspect every packet for the entire duration of the flow.

 

There are some improvements to the threat inspection process in PAN-OS 10 and so if you can run that version you might try using the "udp context free" decoder for your custom threat signature to see if there is a difference.  Note that use of this context will incur a significant performance penalty.

0 Likes Likes

MCervenka
L1 Bithead
In response to claudec

‎02-15-2021 12:40 PM

Thank you Claudec. I will try. But as I read before, this will gives us an opportunity to search in the headers?

Anyway, I will try it and post the results.

 

M.

0 Likes Likes

MCervenka
L1 Bithead
In response to MCervenka

‎02-15-2021 01:02 PM

Same results, unfortunately.

0 Likes Likes
  • 5578 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks