09-23-2015 02:20 AM - edited 09-23-2015 02:21 AM
Hello
I've been trying to create a custom vulnerability and I have encountered this limitation:
Currently in Threat Database Vault 529 version there are 50 signatures for PHP.
I'm trying to add all PHP signatures and this message appears when it exceeds 17 signatures.
😞
Is this limitation correct or is it a failure?
😞
A few days ago we suffered multiple PHP vulnerability scans against our web servers:
The source IP 188.78.195.67 is on many blacklists.
I would like to create a custom signature to auto-block the attacker's IP for 1 hour if any PHP Scan Vulnerability triggers 10 times in 10 seconds.
Thanks and regards,
dicu
09-23-2015 07:36 AM
Hello,
I'm not sure on the custom Vulnerabilities issue, perhaps a support case is in order? However if the IP is on many lists, have you considered Dynamic Block Lists?
Just a thought.
10-11-2015 06:34 PM
Hello
To address the limit of 16 patterns you just need to add another signature as shown below:
Each signature can have 16 "or" values. I have signatures that have 50+ string patterns.
Hope this helps.
Phil
10-13-2015 12:49 AM
Hello
First of all thanks for your answer Otakar.Klier.
I already knew about "Dynamic Block List" and had already put it to work for some of our clients.
I think it is a correct answer.
But first I would like to try every option that the Palo Alto IPS offers, and one of these is the "Custom Vulnerability Signature".
It is a way to demonstrate the potential of Palo Alto firewalls.
Regards,
dicu
10-13-2015 01:17 AM
Hello HITSSEC
I don't understand.
I think you mean to use patterns instead of signatures.
I think it might work, but what are the patterns of each signature? Or where can I find them?
https://threatvault.paloaltonetworks.com/
Note that currently in Threat Database Vault 529 version there are 50 signatures for PHP.
Thanks and regards,
dicu
10-15-2015 07:48 AM
The signature can have multiple sets of patterns. Each set of patterns (max 16) can be "or" conditions. The pattern string can be for specific purposes such as misuse of access to PHP related resources.
Does this add any clarity or am I missing something?
Phil
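
The rule asked for in the first post (10 PHP-scan hits in 10 seconds from one source, then a 1-hour block) together with the 16-pattern "or" sets described in the replies, modeled as an added Python example that is not part of the thread and is neither PAN-OS configuration nor its implementation. The pattern strings, IP addresses and log events are constructed, and the function names are hypothetical.

```python
from collections import defaultdict, deque

MAX_OR_PATTERNS = 16                     # per-set limit stated in the thread
HITS, WINDOW_S, BLOCK_S = 10, 10, 3600   # thresholds from the original question

def split_into_sets(patterns, size=MAX_OR_PATTERNS):
    """Split a long pattern list into "or" sets of at most `size` entries."""
    return [patterns[i:i + size] for i in range(0, len(patterns), size)]

def matches(uri, pattern_sets):
    """A request matches if any pattern in any "or" set occurs in the URI."""
    u = uri.lower()
    return any(p in u for s in pattern_sets for p in s)

def find_blocks(events, pattern_sets):
    """events: (epoch_seconds, src_ip, uri) tuples sorted by time.
    Returns {ip: (block_start, block_end)} for sources reaching the threshold."""
    recent = defaultdict(deque)          # per-source timestamps of matching hits
    blocked = {}
    for ts, ip, uri in events:
        if ip in blocked and ts < blocked[ip][1]:
            continue                     # source is still inside its block period
        if not matches(uri, pattern_sets):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_S:
            q.popleft()                  # drop hits older than the 10 s window
        if len(q) >= HITS:
            blocked[ip] = (ts, ts + BLOCK_S)
            q.clear()
    return blocked

# Constructed sample data: 50 placeholder patterns, like the 50 PHP signatures
# mentioned in the thread, split into sets of 16, 16, 16 and 2.
PATTERNS = [f"/probe{n:02d}.php" for n in range(50)]
SETS = split_into_sets(PATTERNS)
EVENTS = sorted(
    # fast scanner: 12 matching requests, one per second
    [(1000 + n, "198.51.100.7", f"/probe{n:02d}.php") for n in range(12)]
    # slow source: 10 matching requests, 5 s apart (never 10 within 10 s)
    + [(1000 + 5 * k, "203.0.113.9", "/probe40.php") for k in range(10)]
    # busy but benign source: no pattern matches
    + [(1000 + n, "203.0.113.50", "/index.html") for n in range(20)]
)

if __name__ == "__main__":
    for ip, (start, end) in find_blocks(EVENTS, SETS).items():
        print(f"block {ip} from t={start} until t={end}")
```
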