Brute force and scanning signatures

Showing results for 
Search instead for 
Did you mean: 

Brute force and scanning signatures

Not applicable
Box: PA-2020 (probably all)
OS Version: PANOS-3.0.6
I have some questions and suggestions for the threat-ips part of the box.
1. Ability to view settings for scanning and brute force signatures.
- What are the settings for these signatures? I cant find for instance how many attempts/ips/ports is needed for the signature to trigger.
2. Ability to change settings on brute force and scanning signatures.
- Sometimes you want to change the default behaviour of a signature. For instance we want to change how many attempts a client needs to do before a brute force signature triggers. This is also applicable for scanning signatures.
3. More detail in signature summaries
- When looking at a SSH Brute force alarm, it states "count": 1. If its only 1 attempt its not a brute force attack :smileyhappy: When checking the packet-capture data we only see 1 packet. It would be great to get more information of these "summarizing, threshold" signatures.
4. Regexp signatures
- The ability to view the regular expressions on signatures that you don't need to protect would be nice.

For me it is a must to be able to at least be able to customize the severity level for a non-custom vulnerability signature. I understand that PA might not want to allow modification of their internal signatures, but modifying the severity is a very important requirement for my organization. I bet it is the same for many other organizations. After all, what it is medium for some it could be high for others, or the other way around. Everybody has a different risk tolerance.

By the other hand, it would be very useful to be able to have the ability of making a copy of an internal signature and be able to modify it to suit the customer's needs. In that way organizations can leverage the work already made by PA.

I strongly request to add the ability to customize the severity level as a feature in next releases of PAN-OS.


Not applicable

Any news regarding the ability to view the "matching pattern" or settings for brute force and scanning signatures directly in the GUI ? Will this be available in future versions?

The ability to view the "matching pattern" is very helpful in deciding if the alarm is a false positive or not. If you have pcap active and can see the "matching pattern" you can make up your own mind if its a FP or not.


I just ran into the same requirement ... OfficeMax would like the ability to customize the severity level of a threat in our Threat DB.  We already allow them to customize the Risk Level of an App ... they want the same ability for the Severity Level of a Threat/Spyware.

Dave Klein

Hello Panse,

you can get a hold of your sales contact or call into support and open up an ehancement request regarding this.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!