File Blocking Can't recognize .txt files

L1 Bithead


Hello to all,

 

I am trying to find a way for Palo Alto to somehow recognize *.txt files so I can be alerted when they pass my firewall.

 

Any ideas how I can make this happen?

 

I have searched the extension list but .txt is not included anywhere.

 

Thank you.

L7 Applicator

hi

 

File blocking does not contain .txt files as there is no reliable way to identify these besides relying only on the file extension, which can too easily be changed. A workaround would be to create a custom threat (or custom app) that identifies when a .txt extension is included in the payload of a session.

 

Video Tutorial: Custom Vulnerability

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L1 Bithead

[Screenshots: Capture.PNG, Capture2.PNG]

 

I'm getting this. How can I bypass it?

 

I changed the pattern to "[\S]+.txt" and I am still having the same error.

L7 Applicator

You'll need to be a bit creative (packet captures of the intended traffic flow where you'd want to block exe could be helpful here), as you'll need to have at least a 7-byte continuous string in a regex signature.

 

 

Examples

foo.*bar.*foobarfoo   (invalid) (contains 2 fixed strings less than 7 bytes divided by a wildcard)

foo.*foobarfoo        (valid)              

foobarfoo.*foo        (valid)  

foo.{3}bar.{3}foobars (invalid)

foo.{3}foobarfoo      (valid)

foo.?bar.?foobarfoo   (invalid)

foo.?foobarfoo        (valid)

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
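
An added example, not part of the thread and not PAN-OS code: a pre-check that splits a signature pattern into its fixed strings and applies the rule the seven examples above imply (at least one fixed string of 7 bytes or more, and at most one shorter one). That rule and the names `literal_runs` and `check` are assumptions drawn from those examples, not Palo Alto's own validator.

```python
MIN_FIXED = 7                      # bytes; the minimum quoted in the reply above
CLASS_ESCAPES = set("dDsSwWbB")    # escapes that match a class, not one fixed byte

def literal_runs(pattern):
    """Return the fixed strings left once wildcards, classes and quantifiers are cut out."""
    runs, cur, i = [], [], 0

    def flush():
        if cur:
            runs.append("".join(cur))
            cur.clear()

    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            if pattern[i + 1] in CLASS_ESCAPES:
                flush()
            else:
                cur.append(pattern[i + 1])   # e.g. \. is a literal dot
            i += 2
        elif c == "[":                       # character class: skip to its closing ]
            flush()
            i += 2
            while i < len(pattern) and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1
        elif c in "*+?{":                    # quantifier: the atom before it is not fixed
            if cur:
                cur.pop()
            flush()
            if c == "{":
                end = pattern.find("}", i)
                i = len(pattern) if end < 0 else end
            i += 1
        elif c in ".()|^$":                  # wildcard, grouping, alternation, anchors
            flush()
            i += 1
        else:
            cur.append(c)
            i += 1
    flush()
    return runs

def check(pattern):
    """Apply the rule inferred from the thread's examples (an assumption, not PAN-OS logic)."""
    runs = literal_runs(pattern)
    short = [r for r in runs if len(r.encode()) < MIN_FIXED]
    return len(runs) > len(short) and len(short) <= 1, runs

# Two patterns from the reply above and the one from the question.
for p in ["foo.*bar.*foobarfoo", "foo.*foobarfoo", r"[\S]+.txt"]:
    print(p, check(p))
```

The pattern from the question reduces to the single fixed string `txt` (3 bytes), and escaping the dot only raises that to 4 bytes, which is why it is rejected.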
L1 Bithead

Yes, but with 7 bytes it can be a very long list of files and names.
I need to have something like this *.txt (1.txt, test.txt, SD@#.txt and so on and so forth..)
