Custom Vulnerability Signature. Is this limitation correct or is a fail?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Vulnerability Signature. Is this limitation correct or is a fail?

L4 Transporter

Hello

I've been trying to create a custom vulnerability and I have encountered this limitation:

vulnerability 41003.jpg

Currently in Threat Database Vault 529 version there are 50 signatures for PHP.

 I'm trying to add all PHP signatures and this message appears when it exceeds 17 signatures. 

 

😞

Is this limitation correct or is a fail? 

😞

 

A few days ago we suffer multiple PHP vulnerability scanning in our web servers:

 

SIEM scan vulnerability.jpg

The source IP 188.78.195.67 is in many blacklists.

  

I would like to create a custom signature for IP auto-block attacker for 1 hour, if 10 times in 10 seconds any PHP Scan Vulnerability.

 

 

Thanks and regards,

dicu

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

I'm not sure on the custom Vulnerabilities issue, perhaps a support case is in order? However if the IP is on many lists, have you considered Dynamic Block Lists?

 

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Dynamic-Block-List-DBL-...

 

Just a thought.

 

L4 Transporter

Hello

 

To address the limit of 16 patterns you just need to add another signature as shown below:

 

 Capture-Signature-Details.PNG

 

Each signature can have 16 "or"  values.   I have signatures that have +50 string patterns

Hope this helps.

 

Phil

Hello

 

First of all thanks for your answer Otakar.Klier.

About "Dynamic Block List" I already knew and I already had put to work this in any of our clients.

I think it is a correct answer.

But first I would like to try every option that gives the IPS Palo Alto and one of these are the "Custom Vulnerability Signature".

It is a way to demonstrate the potential of Palo Alto firewalls.

 

Regards,

 

dicu

 

 

Hello HITSSEC

 

I don't understand. 

I think you mean to use patterns instead of signatures.

I think it might work but what are the patterns of each firm? or where can I find them?

 

https://threatvault.paloaltonetworks.com/

Note that currently in Threat Database Vault 529 version there are 50 signatures for PHP.

 

Thanks and regards,

 

dicu

The signature can have multiple sets of patterns.  Each set of patterns (max 16) can be "or" conditions.  The pattern string can be for specific purposes such as misuse of access to PHP related resources.

 

Does this add any clarity or am I missing something.

 

Phil 

  • 6573 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!