This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Custom signature for Wordpress

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom signature for Wordpress

LarsOlav
Not applicable

‎07-12-2014 03:50 AM

I am fairly new to custom signature in Palo Alto, just so you are warned. I am trying to create a vulnerability signature for detecting wordpress.

The Get request will contain /? followed by 5 digits or more. User agent will be wordpress/ followed by version number. 

My plan was to create one signature with one condition for User-agent  ( http-req-headers  with pattern match 'wordpres/' ) and one for the Get request ( http-req-uri-path with pattern match  'GET /?amp' ) .

The problem I have is that the get request contains too few fixed charters. Any suggestions on how to get around this ?

Labels:
0 Likes Likes
4 REPLIES 4

pulukas
L7 Applicator

‎07-12-2014 06:29 AM

There really is no way around the limit.  You need to either forgo that test or find a longer string.

Generally this limit is there to prevent false positives that come with very short tests.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

LarsOlav
Not applicable
In response to pulukas

‎07-12-2014 10:13 PM

Hi Steven,

Thank you for your support.

Would it be possible to combine GET request and User-agent in one condition? I have tried but are getting DFA error.

/Lars Olav

0 Likes Likes

pulukas
L7 Applicator
In response to LarsOlav

‎07-13-2014 06:54 AM

I don't think you can combine these two.  If I understand what you are detecting correctly, the agent will be a request header and the other is a parameter header so they are check in different sections.

I assume you have seen this documentation on creating regex by section, if not, it may be helpful.

Creating Custom Threat Signatures

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

LarsOlav
Not applicable
In response to pulukas

‎07-13-2014 07:00 AM

Thank you for your reply. Yes I am familiar with the document. I was hoping that I had overlooked a solution here, but I understand that I have to find a different solution.

0 Likes Likes
  • 2378 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks