This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Custom signature not working
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Custom signature not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Custom signature not working
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-02-2020 11:54 PM
Hello Team,
I need to create custom VA signature which can detect specific chrome browser version and block internet also from that browser.
I have created custom signature which can detect specific version and can block http traffic too but https traffic is not blocking.
We have not enabled ssl decryption and not planned to enable it but still i need to block 443 port traffic.
I have been matching chrome browser version pattern along with tls version pattern but its not working. please let me know how i can block it without ssl decryption.
I am using below signiture.
<?xml version="1.0"?>
-<vulnerability-threat version="9.0.0">
-<entry name="41005">
-<signature>
-<standard>
-<entry name="chrome browser httpsv1">
-<and-condition>
-<entry name="And Condition 1">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<pattern-match>
<pattern>Chrome/83.0.4103.116</pattern>
<context>http-req-headers</context>
<negate>no</negate>
</pattern-match>
</operator>
</entry>
</or-condition>
</entry>
-<entry name="And Condition 2">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<equal-to>
<value>769</value>
<context>ssl-rsp-version</context>
</equal-to>
</operator>
</entry>
</or-condition>
</entry>
</and-condition>
<order-free>yes</order-free>
<scope>session</scope>
</entry>
-<entry name="chrome browser tlsv1.1">
-<and-condition>
-<entry name="And Condition 1">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<pattern-match>
<pattern>Chrome/83.0.4103.116</pattern>
<context>http-req-headers</context>
<negate>no</negate>
</pattern-match>
</operator>
</entry>
</or-condition>
</entry>
-<entry name="And Condition 2">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<equal-to>
<value>770</value>
<context>ssl-rsp-version</context>
</equal-to>
</operator>
</entry>
</or-condition>
</entry>
</and-condition>
<order-free>yes</order-free>
<scope>session</scope>
</entry>
-<entry name="chrome browser tls1.2">
-<and-condition>
-<entry name="And Condition 1">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<pattern-match>
<pattern>Chrome/83.0.4103.116</pattern>
<context>http-req-headers</context>
<negate>no</negate>
</pattern-match>
</operator>
</entry>
</or-condition>
</entry>
-<entry name="And Condition 2">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<equal-to>
<value>771</value>
<context>ssl-rsp-version</context>
</equal-to>
</operator>
</entry>
</or-condition>
</entry>
</and-condition>
<order-free>yes</order-free>
<scope>session</scope>
</entry>
-<entry name="chrome browser 1.1">
-<and-condition>
-<entry name="And Condition 1">
-<or-condition>
-<entry name="Or Condition 1">
-<operator>
-<pattern-match>
<pattern>Chrome/83.0.4103.116</pattern>
<context>http-req-headers</context>
<negate>no</negate>
</pattern-match>
</operator>
</entry>
</or-condition>
</entry>
</and-condition>
<order-free>yes</order-free>
<scope>session</scope>
</entry>
</standard>
</signature>
-<default-action>
<alert/>
</default-action>
<threatname>Chrone testing http</threatname>
<severity>low</severity>
<direction>client2server</direction>
-<affected-host>
<client>yes</client>
</affected-host>
</entry>
</vulnerability-threat>
0 REPLIES 0
Related Content
- after adding areadonline.com to my Custom URL Category allow-Arcadia Custom and after checking the URL Filtering the rule is set to allow. not sure w in General Topics
- How to run playbook on scheduled interval for all XSOAR Incidents? in Cortex XSOAR Discussions
- Problem with setIncident command in Cortex XSOAR Discussions
- Palo Alto ALG (Application Level Gateway) SIP dissable just for a particular source and destination IP addresses in a Security Policy? in Next-Generation Firewall Discussions
- Cortex XDR PoC: Monitoring Malicious Chrome Extensions in Cortex XDR Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks