Custom signature based on URL and number of hits?

Reply
Highlighted
L4 Transporter

Custom signature based on URL and number of hits?

Hi,

I have a requirement to generate alert if a website is accessed frequently in short time. For e.g. www.google.com is accessed every 5 mins etc. Is there any way to generate a signature based on URL and hits?

Highlighted
Palo Alto Networks Guru

Re: Custom signature based on URL and number of hits?

I do not believe there is a way to configure a signature to accomplish your request.  Would you explain why you need to generate this alert?  Is the request only for URLs or for Applications as well?  Are you trying to limit the number of times a user is going to a site? 

Highlighted
L4 Transporter

Re: Custom signature based on URL and number of hits?

Here is the use case. We had seen some of the test systems using www.google.com in monitoring test. Over the time or with continuous probes, Google starts doing image verification. We would like to have a way to identify hosts and block. This may be applicable to other sites as well. We just want to make sure that a wrongly configured test system does not cause to block our egress IP and cause issues for all normal users.

Highlighted
L6 Presenter

Re: Custom signature based on URL and number of hits?

As a workaround why not completely block access to *.google.com and google.com from your test systems?

And then hunt the sysadmins with a torch if they still send testpackets towards www.google.com...

Highlighted
L4 Transporter

Re: Custom signature based on URL and number of hits?

The test systems are spread across and hence difficult to block *.google.com. Yes we always find the culprit however wanted trying to see if there is any way to get a proactive notification when a certain hit rate threshold reached.

Highlighted
L6 Presenter

Re: Custom signature based on URL and number of hits?

Would be great if you can file this as a feature request to your SE.

Another way to use this is to get an alarm if a specific client over time tries to download malware (which is identified as malware and blocked).

For example a specific client trying to download a malware once... not that interresting (mainly because the malware was blocked). But if the same client over and over tries to download various malware then its time to take a closer look at this client box if something else happend on it.

The workaround is obviously, as in your case, to create an alarm for each single event and then somewhere else apply the logic of "if srcip > x number of times within y minutes" - but it would be nice if this could be setup within the PA unit itself as a specific alarm (which you can lets say classify as high or even critical to get a better attention in the SEIM).

Highlighted
L2 Linker

Re: Custom signature based on URL and number of hits?

Do these monitoring systems use a custom "user agent string" in their web request? I'd hope they weren't so evasive as to spoof generic IE or Mozilla browser useragentstrings if they are legitimate monitoring apps.. 

If they use unique strings you might be able to create a custom signature or app to detect and control based on that.

Here's an example for detecting iPads based on their user agent string.

Highlighted
L4 Transporter

Re: Custom signature based on URL and number of hits?

Thanks - The requirement is simple www.google.com port 80 hits and then apply control based on hits per second (similar to brute force attack signature thresholds). I however like the custom iPad signature. I can definitely use it for something else :smileyhappy:. Thanks for sharing.

Highlighted
L3 Networker

Re: Custom signature based on URL and number of hits?

You could maybe do a custom report which includes the column "quarter hour" and "count". This could give you an idea of which IP's are hitting Google and how many times per 15 minutes.

You'll have to add multiple IP's in the query builder for Google since Google does some sort of DNS inbound load balancing.

Non-authoritative answer:

Name:    www.google.com

Addresses:  2c0f:fb50:4002:801::1013

          74.125.233.82

          74.125.233.83

          74.125.233.81

          74.125.233.84

          74.125.233.80

custom_report_google_hits.PNG

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!