Custom signature for Wordpress

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Custom signature for Wordpress

Not applicable

I am fairly new to custom signature in Palo Alto, just so you are warned. I am trying to create a vulnerability signature for detecting wordpress.

The Get request will contain /? followed by 5 digits or more. User agent will be wordpress/ followed by version number. 

My plan was to create one signature with one condition for User-agent  ( http-req-headers  with pattern match 'wordpres/' ) and one for the Get request ( http-req-uri-path with pattern match  'GET /?amp' ) .

The problem I have is that the get request contains too few fixed charters. Any suggestions on how to get around this ?

4 REPLIES 4

L7 Applicator

There really is no way around the limit.  You need to either forgo that test or find a longer string.

Generally this limit is there to prevent false positives that come with very short tests.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi Steven,

Thank you for your support.

Would it be possible to combine GET request and User-agent in one condition? I have tried but are getting DFA error.

/Lars Olav

I don't think you can combine these two.  If I understand what you are detecting correctly, the agent will be a request header and the other is a parameter header so they are check in different sections.

I assume you have seen this documentation on creating regex by section, if not, it may be helpful.

Creating Custom Threat Signatures

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thank you for your reply. Yes I am familiar with the document. I was hoping that I had overlooked a solution here, but I understand that I have to find a different solution.

  • 2622 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!