Custom Snort Signature

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

Reply
Mohammed_Yasin
L3 Networker

Custom Snort Signature

creating a custom snort signature on Palo alto Firewall but didn’t found the concern context operator for match pattern.

Shall we create a context operator or how it can add the pattern if the context operator is not available?

 

For example:

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofen

 

Not availableSnort.jpg

 

HTTP _ method

HTTP _ client_body

OtakarKlier
Cyber Elite

Hello,

The problem with custom signatures is that they are not dynamic. I would say configure the PAN with best practices and enable, Anti-Virus, Vulnerability, URL Filtering, DNS SinkHole, wildfire, secure DNS, SSL decryption, etc. Alsong with this enable sending telemetry back to PAN for statistics, this also helps build new signatures etc. This should protect you from most of everything. In your example you have Emotet, and if you look at the threat vault there are already many signatures for it.

https://threatvault.paloaltonetworks.com/

 

There are also External Dynamic lists and other things you can do as an overarching strategy, static entries are a major pain and hard to keep up with. Perhaps also implement another IDS to supplement you security posture?

 

Hope that helps.

BPry
Cyber Elite

@Mohammed_Yasin,

Just to add on to what @OtakarKlier mentioned, you aren't going to have a one to one match on a snort rule when you attempt to map them via a custom signature. The terminology isn't the same at all, but generally speaking every option you are looking for is going to be present. The real change here is that PAN separates a lot of this information between request and response, so in a lot of situations you'll actually have to know the direction of traffic. 

I wouldn't recommend building a custom threat signature unless you actually need to within your environment. So the Snort rule that you pulled from MS-ISAC is an example of what Snort can look at, but PAN is already providing more than 200+ signatures to detect emotet related traffic and threats. If I really wanted to take every single Snort rule that they built out to ensure we were covered from the threat, I would simply install a snort node.

CCACieszkowski
L1 Bithead

Hi @Mohammed_Yasin,

 

To actually respond to your question: http_method in the Custom Vulnerability Object is the http-method Qualifier and the http_client_body is the http-req-message-body Context, i.e.,:

 

CCACieszkowski_0-1613655082750.png

 

Albert

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!