Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Custom Pattern and Signatures without hex

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom Pattern and Signatures without hex

L3 Networker

I am wondering not beeing able to declare hexadecimal data in custom pattern/signatures. Perhaps i am in mistake, but i found nowhere any complete explanation of "building regex with Palo Alto systems".

For instance, i did not found the solution to declare "<" in a pattern regex ( "<" or "\<" don't work) or "Beginning of the file" (perhaps "^" ?).

greetings

Manfred

1 accepted solution

Accepted Solutions

L4 Transporter

For hex patterns in custom sigs use "\x" at the beginning of the hex pattern, then "\x" at the end of the hex pattern. For example:  .*\x42 3f 36 2b 7a 70 49 50 44 35 39 77 3d 3d 3f 3d\x. We will work on get this into the admin guide.

Alfred

View solution in original post

2 REPLIES 2

L4 Transporter

For hex patterns in custom sigs use "\x" at the beginning of the hex pattern, then "\x" at the end of the hex pattern. For example:  .*\x42 3f 36 2b 7a 70 49 50 44 35 39 77 3d 3d 3f 3d\x. We will work on get this into the admin guide.

Alfred

Hi Alfred,

do you know the method to declare "Beginning of file" ? Am i right to guess, that "\x41 6c 66 72 65 64\x" without ".*" is "Alfred" at the very beginning?

mfg

Manfred

  • 1 accepted solution
  • 3061 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!