The purpose of this board is to discuss everything related to custom signature creation in PAN-OS devices. Palo Alto Networks delivers a large quantity of coverage in our weekly content updates; however, we know that our customers are staffed by dedicated security professionals as well, and we would like to provide an environment in which to foster discussion of their ideas for coverage that may not currently exist, or may be particularly applicable to their unique environment.
Customers may find traffic within their network in packet captures, web server logs, SIEM queries, firewall logs, etc. that a custom signature would be useful to alert on, or prevent. This forum exists as a place to work through this process in a community that can assist you, and get your creative minds inspiring one another.
When creating a discussion, try to provide as much detail as possible to better assist your peers in understanding what exactly you need.
Additionally, this link is a fantastic resource for understanding custom signature creation: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...
The above document will assist with explaining each custom signature context and what is contained within them. Additionally, it contains some examples of custom signature creation, common RegEx mistakes, error troubleshooting, and a significant amount of other detail that anyone seriously interested in pursuing custom signature creation should read.
Questions that foster good discussion:
Are you asking for assistance in finding a unique pattern within data you’ve already gathered to trigger off of?
Do you have an idea for a signature based off of traffic you have identified, and need to discern which custom signature context Palo Alto Networks exposes can best be used to detect the traffic?
Do you have a recommendation for improving a current signature?
Posts that do not foster good discussion:
A request for CVE coverage in which no data is provided, or no exploit data has been revealed for.
A request for detecting traffic in which no packet capture data can be provided, or no research has been completed to first identify data that can be used during the creation process.
Recommended detail to include:
Use justification! What does the signature detect, and why?
Upload of any existing XML export of a custom signature you have created, and are troubleshooting.
Data gathered during research to help identify unique patterns to detect on.
Links to research or resources to support the signature creation.
Common Errors in Custom Signature Creation:
To get the ball rolling, let’s try a few examples!
Example 1: Use of system.multicall method in XMLRPC calls.
Justification: Brute force attacks are occurring against Wordpress instances with XMLRPC enabled, where many username login attempts can be nested in a single system.multicall method and evade traditional brute force detection.
Signature Example: See attachment System Multicall Use.xml
Description: Signature evaluates http-req-message-body context in the directionality of client to server, for the hex values “3c6d6574686f6443616c6c3e3c6d6574686f644e616d653e73797374656d2e6d756c746963616c6c” which translates to “<methodCall><methodName>system.multicall” indicating that an HTTP request message body was sent with a system.multicall method embedded in it.
Potential for improvement: Additional signature to operate as parent to indicate the child signature has been executed X amount in Y seconds.
Example 2: Detecting Nikto Scans through User Agent.
Justification: Palo Alto Networks extensive coverage looks to make signatures based on unchanging exploitation, where there is little to no variation in the data being evaluated. Detecting tools based on user agent strings that are easily modified by users is not the most effective way to do this. However, many customers have use cases in which reporting on basic usage of certain tools by detecting user agent strings may be valuable. This can be done through a very basic custom signature, and can catch penetration testers who opt for the easy way out and don’t attempt to evade detection effectively.
Research: Download Kali Linux, where Nikto Scan comes embedded, and you will see default scans have an easily identifiable user agent string.
Signature Example: See attachment “Nikto User Agent.xml”
Description: Signature evaluates http-req-headers for the string “User-Agent: Mozilla/5.00 (Nikto”, indicating default user-agent string for Nikto scan has been detected.
Potential for improvement: Our built in coverage for the vulnerabilities Nikto scan actually exploits will cover Nikto scans that seek to hide by changing their user agent, which will evade this signature.
Example 3: Detecting NMAP Scripting Engine use through User Agent
Justification: See justification for Nikto; this is identical!
Research: Download Kali Linux, and run any of NMAPs NSE scripts, and you will see web based scans have an easily identifiable user agent string.
Signature Example: See attachment “NMAP NSE User Agent.xml”
Description: Signature evaluates http-req-headers for the string “User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine” indicating default user-agent string for NMAP NSE usage has been detected
Potential for improvement: Our built in coverage for NMAP NSE scripts will cover some common NSE usage, which may evade this signature if user agent is altered.
Here is an expanded version of the NMap signature. We noticed an additional web requests associated with the NMap tool and have included it in our signature. Below is what we have added as an "or condition" string:
Operator = pattern-match
Context = http-req-uri-path
Value = /\.git/HEAD
Team - need some help here. Trying to create a custom filter that will allow us to detect TLS 1.0 negotiations and block them at the firewall. Here's the summary info:
Justification: TLS needs to be blocked at the perimeter as a interim solution until TLS can be disabled on each server. This is to meet requirements of PCI.
Research: Sample PCAP screen capture was found here.
Testing: We have tried to do the following:
ssl-rsp-server-hello && ssl-req-client-hello
Pattern="Version: TLS 1.0"
Neither of them are working though. Any suggestions?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!