Welcome to the Palo Alto Networks Custom Signature discussion board!


L4 Transporter

The purpose of this board is to discuss everything related to custom signature creation on PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to foster discussion of their ideas for coverage that may not currently exist, or may be particularly applicable to their unique environment.

Customers may find traffic within their network in packet captures, web server logs, SIEM queries, firewall logs, etc. that a custom signature would be useful to alert on or prevent. This forum exists as a place to work through this process in a community that can assist you, and to get your creative minds inspiring one another.

When creating a discussion, try to provide as much detail as possible to better assist your peers in understanding what exactly you need.

Additionally, this link is a fantastic resource for understanding custom signature creation: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...

The above document will assist with explaining each custom signature context and what is contained within them. Additionally, it contains some examples of custom signature creation, common RegEx mistakes, error troubleshooting, and a significant amount of other detail that anyone seriously interested in pursuing custom signature creation should read.


Questions that foster good discussion:

  • Are you asking for assistance in finding a unique pattern within data you’ve already gathered to trigger off of?
  • Do you have an idea for a signature based on traffic you have identified, and need to discern which custom signature context Palo Alto Networks exposes can best be used to detect the traffic?
  • Do you have a recommendation for improving a current signature?


Posts that do not foster good discussion:

  • A request for CVE coverage for which no data is provided, or for which no exploit data has been made public.
  • A request for detecting traffic for which no packet capture data can be provided, or for which no research has been completed to first identify data that can be used during the creation process.


Recommended detail to include:

  • Use justification! What does the signature detect, and why?
  • Upload of any existing XML export of a custom signature you have created and are troubleshooting.
  • Data gathered during research to help identify unique patterns to detect on.
  • Links to research or resources to support the signature creation.


Common Errors in Custom Signature Creation:

  • Every pattern you create must contain at least a 7-byte string with fixed values. Refer to page 39 of the Custom Signature Creation document.
    • Example error: “can’t support repetition without string pattern behind it in pattern”
    • Example error: “can't handle two dfas next to each other in pattern”
  • Pattern matching IS case sensitive (with some caveats; refer to page 38 of the Custom Signature Creation document).
  • Pattern matches are restricted to 127 characters; using AND operators to attach multiple strings together can work around this limitation.
  • Remember: the more complex the signature becomes, the harder the dataplane on the PAN-OS device must work, and the more resources it uses during inspection!

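The two limits above are easy to check before a commit fails on the dataplane. The following is an added example, not Palo Alto Networks code, and the fixed-byte rule it applies is an approximation of the one the document describes (classes, wildcards, alternation and zero-allowed quantifiers are treated as breaking a fixed run):

```python
MIN_FIXED_BYTES = 7    # "at least a 7-byte string with fixed values"
MAX_PATTERN_LEN = 127  # "Pattern matches are restricted to 127 characters"

# Metacharacters that end a run of fixed bytes (parentheses treated conservatively).
_META = set(".*+?|^$()[]{}")


def longest_fixed_run(pattern: str) -> int:
    """Longest run of literal bytes every match must contain (approximation of the
    PAN-OS rule): \\d, classes, wildcards, anchors and alternation match a variable
    byte and break the run; a quantifier that allows zero copies drops its byte."""
    best = run = 0
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt in _META or nxt == "\\":
                run += 1                         # escaped metacharacter: one fixed byte
            else:
                best, run = max(best, run), 0    # \d, \s, \w ...: variable byte
            i += 2
            continue
        if ch == "[":                            # character class: variable byte
            end = pattern.find("]", i + 1)
            best, run = max(best, run), 0
            i = n if end < 0 else end + 1
            continue
        if ch == "+":                            # byte still occurs at least once
            best, run = max(best, run), 0
        elif ch in "*?{":                        # byte may be absent or repeated variably
            best, run = max(best, run - 1), 0
            if ch == "{":
                end = pattern.find("}", i + 1)
                i = n if end < 0 else end        # the i += 1 below skips the '}'
        elif ch in _META:                        # . | ^ $ ( )
            best, run = max(best, run), 0
        else:
            run += 1
        i += 1
    return max(best, run)


def check_pattern(pattern: str) -> list:
    """Return the problems the dataplane would reject the pattern for; [] means it passes."""
    problems = []
    if len(pattern) > MAX_PATTERN_LEN:
        problems.append(f"{len(pattern)} chars exceeds {MAX_PATTERN_LEN}; split and join with AND")
    fixed = longest_fixed_run(pattern)
    if fixed < MIN_FIXED_BYTES:
        problems.append(f"longest fixed run is {fixed} bytes, need {MIN_FIXED_BYTES}")
    return problems
```

A pattern such as `\d+\.\d+` fails the first check (the repetition has no fixed string behind it), which is exactly the situation the first example error above reports.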

To get the ball rolling, let’s try a few examples!

Example 1: Use of system.multicall method in XMLRPC calls.

Justification: Brute force attacks are occurring against WordPress instances with XMLRPC enabled, where many username login attempts can be nested in a single system.multicall method and evade traditional brute force detection.

Research: https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

Signature Example: See attachment System Multicall Use.xml

Description: The signature evaluates the http-req-message-body context in the client-to-server direction for the hex values “3c6d6574686f6443616c6c3e3c6d6574686f644e616d653e73797374656d2e6d756c746963616c6c”, which decode to “<methodCall><methodName>system.multicall”, indicating that an HTTP request message body was sent with a system.multicall method embedded in it.

Potential for improvement: An additional signature operating as a parent to indicate that the child signature has fired X times in Y seconds.

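The child match and the parent threshold described above, as an added example that is not part of the original post or the attached XML. The hex string is the one from the description; the request body, the source address, the method name wp.exampleMethod and the threshold values are constructed placeholders:

```python
import re
from collections import defaultdict, deque

# Hex from the signature description, decoded so the check runs on the same
# bytes the dataplane compares against the request body.
MULTICALL_HEX = "3c6d6574686f6443616c6c3e3c6d6574686f644e616d653e73797374656d2e6d756c746963616c6c"
MULTICALL_PATTERN = bytes.fromhex(MULTICALL_HEX)  # b"<methodCall><methodName>system.multicall"


def child_matches(body: bytes) -> bool:
    """Child signature: fixed-byte match on the client-to-server request body. Caveat: a
    body pretty-printed with whitespace between the two tags lacks these exact bytes."""
    return MULTICALL_PATTERN in body


def nested_call_count(body: bytes) -> int:
    """Number of calls nested in the multicall (one <name>methodName</name> member each)."""
    return len(re.findall(rb"<name>methodName</name>", body))


class ParentSignature:
    """Parent signature from the 'potential for improvement': fires once the child
    has matched `threshold` times from the same source within `window` seconds."""

    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self._hits = defaultdict(deque)  # source -> timestamps of child matches

    def observe(self, src: str, ts: float, body: bytes) -> bool:
        if not child_matches(body):
            return False
        q = self._hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget hits older than the window
            q.popleft()
        return len(q) >= self.threshold


# Constructed request body: two calls nested in one system.multicall, the shape the
# justification describes. Method name and parameter values are placeholders.
SAMPLE_BODY = (
    b'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    b"<params><param><value><array><data>"
    + b"".join(
        b"<value><struct><member><name>methodName</name><value><string>wp.exampleMethod"
        b"</string></value></member><member><name>params</name><value><string>"
        + guess + b"</string></value></member></struct></value>"
        for guess in (b"guess-1", b"guess-2")
    )
    + b"</data></array></value></param></params></methodCall>"
)
```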

Example 2: Detecting Nikto Scans through User Agent.

Justification: Palo Alto Networks' extensive coverage looks to make signatures based on unchanging exploitation, where there is little to no variation in the data being evaluated. Detecting tools based on user agent strings that are easily modified by users is not the most effective way to do this. However, many customers have use cases in which reporting on basic usage of certain tools by detecting user agent strings may be valuable. This can be done through a very basic custom signature, and can catch penetration testers who opt for the easy way out and don’t attempt to evade detection effectively.

Research: Download Kali Linux, where Nikto comes embedded, and you will see that default scans have an easily identifiable user agent string.

Signature Example: See attachment “Nikto User Agent.xml”

Description: The signature evaluates http-req-headers for the string “User-Agent: Mozilla/5.00 (Nikto”, indicating that the default user-agent string for a Nikto scan has been detected.

Potential for improvement: Our built-in coverage for the vulnerabilities Nikto actually exploits will cover Nikto scans that seek to hide by changing their user agent, which would evade this signature.

Example 3: Detecting NMAP Scripting Engine use through User Agent

Justification: See justification for Nikto; this is identical!

Research: Download Kali Linux and run any of Nmap's NSE scripts, and you will see that web-based scans have an easily identifiable user agent string.

Signature Example: See attachment “NMAP NSE User Agent.xml”

Description: The signature evaluates http-req-headers for the string “User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine”, indicating that the default user-agent string for NMAP NSE usage has been detected.

Potential for improvement: Our built-in coverage for NMAP NSE scripts will cover some common NSE usage, which may evade this signature if the user agent is altered.


4 Replies

L4 Transporter

Rcole,

Here is an expanded version of the NMap signature. We noticed an additional web request associated with the NMap tool and have included it in our signature. Below is what we have added as an "or condition" string:

Operator = pattern-match

Context = http-req-uri-path

Value = /\.git/HEAD

Thanks,

Phil

L1 Bithead

Team - need some help here. Trying to create a custom filter that will allow us to detect TLS 1.0 negotiations and block them at the firewall. Here's the summary info:

Justification: TLS needs to be blocked at the perimeter as an interim solution until TLS can be disabled on each server. This is to meet the requirements of PCI.

Research: A sample PCAP screen capture was found here.

Testing: We have tried the following:

ssl-rsp-server-hello && ssl-req-client-hello
Pattern="Version: TLS 1.0"

Neither of them is working though. Any suggestions?
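On the wire the TLS version is a two-byte field, so "Version: TLS 1.0" (Wireshark's rendering of those bytes) is not something a pattern can match. The following added example, which is not from the thread or from Palo Alto Networks, parses that field from a hello record; the two records are constructed and truncated to the fields the parser reads:

```python
import struct

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
# TLS 1.3 also puts 0x0303 here and signals 1.3 in the supported_versions extension.
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def hello_version(record: bytes):
    """Return (hello type, version name) for a ClientHello or ServerHello record.

    Layout: record header = type(1) version(2) length(2); handshake header =
    type(1) length(3); then the two version bytes a signature could match on."""
    if len(record) < 11 or record[0] != HANDSHAKE:
        return None
    hs_type = record[5]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    (version,) = struct.unpack("!H", record[9:11])
    name = VERSION_NAMES.get(version, f"unknown 0x{version:04x}")
    return ("ClientHello" if hs_type == CLIENT_HELLO else "ServerHello", name)


def is_tls10_negotiated(record: bytes) -> bool:
    """True only for a ServerHello choosing TLS 1.0. The ClientHello version is the
    highest version the client offers, not what was negotiated, so blocking on it
    would also drop clients that merely support 1.0."""
    return hello_version(record) == ("ServerHello", "TLS 1.0")


# Constructed records; only the fields the parser reads are meaningful.
SERVER_HELLO_TLS10 = bytes.fromhex(
    "16 0301 000a"   # record layer: handshake, version 3.1, 10 bytes follow
    "02 000006"      # ServerHello, 6 body bytes in this sample
    "0301"           # server_version = TLS 1.0: the bytes to match
    "00000000"       # first bytes of server random (placeholder)
)
CLIENT_HELLO_TLS12 = bytes.fromhex(
    "16 0301 000a"   # record layer still says 3.1 for compatibility...
    "01 000006"      # ClientHello
    "0303"           # ...but client_version offers TLS 1.2
    "00000000"       # first bytes of client random (placeholder)
)
```

The record-layer version is often 0x0301 even for TLS 1.2 handshakes, which is why the second record parses as a TLS 1.2 ClientHello despite the record header.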


Hi all, @all

Please let me know how I can add the commands below to a PAN-OS ansible-playbook to get output just like an IOS device:

set cli pager off
set cli config-output-format
set configure
show

Below is the output of my playbook. I want this in each line:


{'response': {'@status': 'success', 'result': {'system': {'hostname': 'PA-VM', 'ip-address': '10.10.10.200', 'public-ip-address': 'unknown', 'netmask': '255.255.255.0', 'default-gateway': '10.10.10.254', 'is-dhcp': 'no', 'ipv6-address': 'unknown', 'ipv6-link-local-address': 'fe80::250:56ff:fe9e:b9cf/64', 'ipv6-default-gateway': None, 'mac-address': '00:50:56:9e:b9:cf', 'time': 'Mon Apr 12 04:22:03 2021', 'uptime': '34 days, 4:24:47', 'devicename': 'PA-VM', 'family': 'vm', 'model': 'PA-VM', 'serial': 'unknown', 'vm-mac-base': 'BA:DB:EE:FB:AD:00', 'vm-mac-count': '255', 'vm-uuid': '421EB442-36E0-565E-1EEA-979DAA2D8C3E', 'vm-cpuid': 'ESX:54060500FFFBAB1F', 'vm-license': 'none', 'vm-mode': 'VMWare ESXi', 'cloud-mode': 'non-cloud', 'sw-version': '9.0.4', 'global-protect-client-package-version': '0.0.0', 'app-version': '8103-5197', 'app-release-date': None, 'av-version': '0', 'av-release-date': None, 'threat-version': '0', 'threat-release-date': None, 'wf-private-version': '0', 'wf-private-release-date': 'unknown', 'url-db': 'paloaltonetworks', 'wildfire-version': '0', 'wildfire-release-date': None, 'url-filtering-version': '0000.00.00.000', 'global-protect-datafile-version': 'unknown', 'global-protect-datafile-release-date': 'unknown', 'global-protect-clientless-vpn-version': '0', 'global-protect-clientless-vpn-release-date': None, 'logdb-version': '9.0.10', 'plugin_versions': {'entry': {'@name': 'vm_series', '@version': '1.0.6', 'pkginfo': 'vm_series-1.0.6'}}, 'platform-family': 'vm', 'vpn-disable-mode': 'off', 'multi-vsys': 'off', 'operational-mode': 'normal'}}}}
{'response': {'@status': 'success', 'result': {'system': {'hostname': 'PA-VM', 'ip-address': '10.10.10.200', 'public-ip-address': 'unknown', 'netmask': '255.255.255.0', 'default-gateway': '10.10.10.254', 'is-dhcp': 'no', 'ipv6-address': 'unknown', 'ipv6-link-local-address': 'fe80::250:56ff:fe9e:b9cf/64', 'ipv6-default-gateway': None, 'mac-address': '00:50:56:9e:b9:cf', 'time': 'Mon Apr 12 05:23:44 2021', 'uptime': '34 days, 5:26:28', 'devicename': 'PA-VM', 'family': 'vm', 'model': 'PA-VM', 'serial': 'unknown', 'vm-mac-base': 'BA:DB:EE:FB:AD:00', 'vm-mac-count': '255', 'vm-uuid': '421EB442-36E0-565E-1EEA-979DAA2D8C3E', 'vm-cpuid': 'ESX:54060500FFFBAB1F', 'vm-license': 'none', 'vm-mode': 'VMWare ESXi', 'cloud-mode': 'non-cloud', 'sw-version': '9.0.4', 'global-protect-client-package-version': '0.0.0', 'app-version': '8103-5197', 'app-release-date': None, 'av-version': '0', 'av-release-date': None, 'threat-version': '0', 'threat-release-date': None, 'wf-private-version': '0', 'wf-private-release-date': 'unknown', 'url-db': 'paloaltonetworks', 'wildfire-version': '0', 'wildfire-release-date': None, 'url-filtering-version': '0000.00.00.000', 'global-protect-datafile-version': 'unknown', 'global-protect-datafile-release-date': 'unknown', 'global-protect-clientless-vpn-version': '0', 'global-protect-clientless-vpn-release-date': None, 'logdb-version': '9.0.10', 'plugin_versions': {'entry': {'@name': 'vm_series', '@version': '1.0.6', 'pkginfo': 'vm_series-1.0.6'}}, 'platform-family': 'vm', 'vpn-disable-mode': 'off', 'multi-vsys': 'off', 'operational-mode': 'normal'}}}}
