I am fairly new to custom signature in Palo Alto, just so you are warned. I am trying to create a vulnerability signature for detecting wordpress.
The Get request will contain /? followed by 5 digits or more. User agent will be wordpress/ followed by version number.
My plan was to create one signature with one condition for User-agent ( http-req-headers with pattern match 'wordpres/' ) and one for the Get request ( http-req-uri-path with pattern match 'GET /?amp' ) .
The problem I have is that the get request contains too few fixed charters. Any suggestions on how to get around this ?
There really is no way around the limit. You need to either forgo that test or find a longer string.
Generally this limit is there to prevent false positives that come with very short tests.
I don't think you can combine these two. If I understand what you are detecting correctly, the agent will be a request header and the other is a parameter header so they are check in different sections.
I assume you have seen this documentation on creating regex by section, if not, it may be helpful.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!