Rate-Limiting File Uploads with Palo Alto Networks Custom Signatures.


I wrote this article to show how to rate-limit HTTP file-upload requests to a web application's upload URL, per source IP address, using Palo Alto Networks custom signatures.


  1. To begin, identify the specific file upload URL of your web application. Some single-page applications (SPAs) that use AJAX require the browser developer tools to find the actual upload endpoint. For this example I used the DVWA test application, which can be found at Metasploitable 2 Exploitability Guide | Metasploit Documentation.


  2. Once the necessary information is collected, write a custom vulnerability signature. For optimal performance, use two conditions joined with an "AND" operator, so that both must be true for the signature to match:

    1. The first condition matches the URL path for file uploads, qualified by the POST method, which is typically used for file uploads.

    2. The second condition matches the "Content-Type" header value, which is usually "multipart/form-data" for file uploads.


    You can find a complete list of signature contexts in the official documentation: https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-...


  3. Next, use a Combination Signature to apply the rate-limiting. This signature type lets you specify a threshold, so the policy action is triggered only after a certain number of matches rather than on the very first one. For more about combination signatures see: Create a Combination Signature


  4. Now test whether the normal (non-combination) signature is triggered, as there is no point moving on if it is not. Set the vulnerability profile action to block, reject or drop, open a web browser and try uploading a file. Do this on a test system, or with a security rule that matches only your own source IP address, and attach the vulnerability profile to that rule. Once you confirm the signature triggers as expected, move on to the combination signature.


  5. Optional: To count only successful file uploads, add an extra condition that checks the HTTP response. I found it easier to use "http-rsp-reason" matching "OK", which is the reason phrase returned with the 200 response. This signature is in the server-to-client direction, because it matches the response, and you simply add it to the combination signature. You can try adding this condition to the file upload signature itself with the direction set to "both", but I saw some issues doing that (during testing, it was observed that the "time" option appears to evaluate each individual signature within the combination signature separately; for example, to achieve a rate limit of 5 requests per minute, a rate of 15 might be required).
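    To reason about threshold and interval values before committing them to the firewall, here is a small model of the logic steps 2 and 3 describe: the two-condition match (POST to the upload URL with a multipart Content-Type) and a per-source-IP counter that blocks once a threshold is exceeded within an interval. This is an added example, not PAN-OS code or the author's configuration; the upload path, threshold and interval are assumed values, and the sample traffic is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

UPLOAD_PATH = "/dvwa/vulnerabilities/upload/"  # assumed; replace with your app's upload URL
THRESHOLD, INTERVAL = 5, 60                     # assumed: 5 uploads per 60 s per source IP

@dataclass
class Request:
    ts: float                 # seconds since capture start
    src_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def matches_upload_signature(req: Request) -> bool:
    """Condition 1 AND condition 2: POST to the upload URL with a multipart Content-Type."""
    if req.method != "POST" or req.path != UPLOAD_PATH:
        return False
    return req.headers.get("Content-Type", "").lower().startswith("multipart/form-data")

class UploadRateLimiter:
    """Sliding-window hit counter per source IP, like a combination signature aggregated by source."""
    def __init__(self, threshold=THRESHOLD, interval=INTERVAL):
        self.threshold, self.interval = threshold, interval
        self.hits = defaultdict(deque)   # src_ip -> timestamps of matching requests

    def decide(self, req: Request) -> str:
        """Return 'allow', or 'block' once a source exceeds the threshold within the interval."""
        if not matches_upload_signature(req):
            return "allow"               # non-matching requests are never counted
        window = self.hits[req.src_ip]
        while window and req.ts - window[0] >= self.interval:
            window.popleft()             # drop hits older than the interval
        window.append(req.ts)
        return "block" if len(window) > self.threshold else "allow"

MULTIPART = {"Content-Type": "multipart/form-data; boundary=----x"}
# Constructed sample traffic: seven uploads from one client within the interval,
# a GET and a JSON POST to the same URL, and one upload from a second client.
SAMPLE = [Request(t * 5, "10.0.0.5", "POST", UPLOAD_PATH, MULTIPART) for t in range(7)] + [
    Request(40, "10.0.0.5", "GET", UPLOAD_PATH),
    Request(41, "10.0.0.5", "POST", UPLOAD_PATH, {"Content-Type": "application/json"}),
    Request(42, "10.0.0.6", "POST", UPLOAD_PATH, MULTIPART),
]

def decisions(requests=SAMPLE, threshold=THRESHOLD, interval=INTERVAL):
    """Run requests through a fresh limiter and return one verdict per request."""
    limiter = UploadRateLimiter(threshold, interval)
    return [limiter.decide(r) for r in requests]
```

    The model counts only the request-side signature; as noted above, the "time" option appeared to evaluate each signature in a combination separately, so adding the response-side condition may require a higher threshold than this model predicts.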


    I hope this guide helps you implement effective rate-limiting policies for file uploads on your network.


Comments
Community Team Member

Very useful guide @nikoolayy1!

Community Team Member

Thank you @nikoolayy1 !

Community Manager

Thank you @nikoolayy1 - This is fantastic! Thank you so much for putting this together. We're so grateful for our Cyber-Elite experts and the real-world experience you all bring to our community. Keep up the great work!

Last Updated: 10-13-2025 05:50 AM