This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Custom Snort Signature

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Custom Snort Signature

Mohammed_Yasin
L4 Transporter

‎10-07-2020 12:12 AM

creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.

Shall we create a context operator or how it can add the pattern if the context operator is not available?

 

For example:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofen

 

Not availableSnort.jpg

 

HTTP _ method

HTTP _ client_body

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎10-07-2020 12:37 PM

Hello,

The problem with custom signatures is that they are not dynamic. I would say configure the PAN with best practices and enable, Anti-Virus, Vulnerability, URL Filtering, DNS SinkHole, wildfire, secure DNS, SSL decryption, etc. Alsong with this enable sending telemetry back to PAN for statistics, this also helps build new signatures etc. This should protect you from most of everything. In your example you have Emotet, and if you look at the threat vault there are already many signatures for it.

https://threatvault.paloaltonetworks.com/

 

There are also External Dynamic lists and other things you can do as an overarching strategy, static entries are a major pain and hard to keep up with. Perhaps also implement another IDS to supplement you security posture?

 

Hope that helps.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎10-07-2020 02:22 PM

@Mohammed_Yasin,

Just to add on to what @OtakarKlier mentioned, you aren't going to have a one to one match on a snort rule when you attempt to map them via a custom signature. The terminology isn't the same at all, but generally speaking every option you are looking for is going to be present. The real change here is that PAN separates a lot of this information between request and response, so in a lot of situations you'll actually have to know the direction of traffic. 

I wouldn't recommend building a custom threat signature unless you actually need to within your environment. So the Snort rule that you pulled from MS-ISAC is an example of what Snort can look at, but PAN is already providing more than 200+ signatures to detect emotet related traffic and threats. If I really wanted to take every single Snort rule that they built out to ensure we were covered from the threat, I would simply install a snort node.

0 Likes Likes

CCACieszkowski
L1 Bithead

‎02-18-2021 05:32 AM - edited ‎02-18-2021 05:33 AM

Hi @Mohammed_Yasin,

 

To actually respond to your question: http_method in the Custom Vulnerability Object is the http-method Qualifier and the http_client_body is the http-req-message-body Context, i.e.,:

 

CCACieszkowski_0-1613655082750.png

 

Albert

0 Likes Likes
  • 2355 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks