07-08-2016 02:45 AM
Hello to all,
I am trying to find a way for Palo Alto to somehow recognize *.txt files so I can be alerted when they pass my firewall.
Any ideas how I can make this happen?
I have searched the extension list, but .txt is not included anywhere.
Thank you.
07-08-2016 02:53 AM - edited 07-08-2016 02:54 AM
Hi,
File blocking does not contain .txt files, as there is no reliable way to identify these besides relying only on the file extension, which can too easily be changed. A workaround would be to create a custom threat (or custom app) that identifies when a .txt extension is included in the payload of a session.
Video Tutorial: Custom Vulnerability
07-08-2016 04:10 AM - edited 07-08-2016 04:27 AM
I'm getting this. How can I bypass it?
I changed the pattern to "[\S]+.txt" and I am still having the same error.
07-08-2016 04:47 AM
You'll need to be a bit creative (packet captures of the intended traffic flow where you'd want to block exe could be helpful here), as you'll need to have at least a 7-byte continuous string in a regex signature.
Examples
foo.*bar.*foobarfoo (invalid) (contains 2 fixed strings of less than 7 bytes divided by a wildcard)
foo.*foobarfoo (valid)
foobarfoo.*foo (valid)
foo.{3}bar.{3}foobars (invalid)
foo.{3}foobarfoo (valid)
foo.?bar.?foobarfoo (invalid)
foo.?foobarfoo (valid)
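
A pre-check for the rule described in the reply above, as an added example that is not part of the original thread and is not Palo Alto's own validator. It assumes, based only on the examples listed, that every wildcard needs a fixed string of at least 7 bytes directly on one side of it; `split_pattern` and `check_signature` are hypothetical names.

```python
import re

MIN_ANCHOR = 7  # bytes of fixed text required, per the reply above

# A "gap" matches variable content: '.' or a [...] class, with an optional
# quantifier. Single-character escapes such as \. count as one literal byte.
_TOKEN = re.compile(r"""
    (?P<gap>(?:\.|\[(?:\\.|[^\]\\])+\])(?:[*+?]|\{\d+(?:,\d*)?\})?)
  | (?P<lit>\\.|[^.\[\\*+?{}()|])
""", re.X)

def split_pattern(pattern):
    """Return the fixed-string runs of a pattern, one on each side of every gap."""
    runs, pos = [""], 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {pattern[pos:]!r}")
        if m.group("gap"):
            runs.append("")                    # a gap ends the current fixed run
        else:
            runs[-1] += m.group("lit")[-1]     # drop the backslash of an escape
        pos = m.end()
    return runs

def check_signature(pattern):
    """Return (ok, reason) under the rule inferred from the thread's examples."""
    runs = split_pattern(pattern)
    if max(len(r) for r in runs) < MIN_ANCHOR:
        return False, "no fixed string of at least 7 bytes"
    for i in range(len(runs) - 1):
        # Assumption: each gap needs a 7-byte fixed string directly beside it.
        if len(runs[i]) < MIN_ANCHOR and len(runs[i + 1]) < MIN_ANCHOR:
            return False, f"gap {i + 1} has no 7-byte string on either side"
    return True, "ok"

if __name__ == "__main__":
    # Patterns taken from the thread: the reply's examples and the asker's attempt.
    for p in [r"foo.*bar.*foobarfoo", r"foo.*foobarfoo", r"foobarfoo.*foo",
              r"foo.{3}bar.{3}foobars", r"foo.{3}foobarfoo",
              r"foo.?bar.?foobarfoo", r"foo.?foobarfoo", r"[\S]+.txt"]:
        ok, reason = check_signature(p)
        print(f"{p:26} {'valid' if ok else 'invalid'}  ({reason})")
```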
07-08-2016 05:09 AM
Yes, but with 7 bytes it can be a very long list of files and names.
I need to have something like this *.txt (1.txt, test.txt, SD@#.txt and so on and so forth..)