I'm trying to write a custom app and vulnerability signature. Signatures are based on UDP-payload.
When I use the custom app signature, vulnerability detection does not work. Can I somehow turn on CTD for the custom app?
The other problem is that what I ideally need to do in the vulnerability is to check for the other than mine UDP-payload. So I was thinking about matching "\xaabbccddee\x" with negating turned on and "\xaabbccdd\x" in the payload in one vulnerability signature. But this does not work either.
You can enable CTD inspection for the custom app by enabling "scanning" in the advanced tab of the signature.
Regarding the negate condition in custom threat signatures, there are some restrictions. One is that it can not be the only match condition. At least one non-negate condition must be included. Also, if the signature scope is "session" the negate condition can not be the last match condition.
I did some other tests...
Yes, this we can read in some manual, but on the other hand, we can also read, that this is dependent on the parent application. These packet payloads signatures of course are not. Anyway, I tried at the end everything to turn on and it did not help. And even the property I am matching is unknown-req-udp-payload. Maybe this unknown is important
Yes, you are right again. But after 20 or so packets, this signature does not work anymore. My signature will drop the session if a vulnerability is found in the first 20 packets only. I would like to inspect every packet in the UDP stream.
I don't think it's possible to configure a custom threat signature using the "unknown" protocol decoder that will inspect every packet for the entire duration of the flow.
There are some improvements to the threat inspection process in PAN-OS 10 and so if you can run that version you might try using the "udp context free" decoder for your custom threat signature to see if there is a difference. Note that use of this context will incur a significant performance penalty.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!