You can write a custom app to detect .mp3 extension in HTTP. Enclosed is a custom appID to look for .jpg images written for PAN-OS version 3.1.x. The signature is looking in the URI path and matching on the string ‘\.jpg HTTP’ without the quotes. Typically the web request would look like this:
GET /images/twitter_corp.jpg HTTP/1.1\r\n
GET /images/logo.jpg HTTP/1.1\r\n
Please import this appID into the PA device and test. Once verified, you can clone the app and change the app to match .mp3.
The custom signature is looking for pattern '.jpg HTTP' in the URI. If you changed the pattern to '.mp3 HTTP', then we are looking for this pattern and it must be an exact match. Your example has URI '...dh-wahshny.html HTTP/1.1' which does not contain '.mp3 HTTP'.
My suggestion will not catch all .mp3 files if the downloaded content does not end in .mp3 extension. You may want to contact your local Palo Alto account team and submit a feature request.
Maybe you could try to make a data-filtering profile for the file-type mp3?
- Edit - seems indeed that mp3 is not amongst the supported file-types.
You could enter a feature request to add this file-type...
Message was edited by: Bart.Jocque
Is it possible for you to attach your signature that works?
I think you must act on both file extension as well as MIME type if you write your own signature, something like:
mime-type: audio/mp3 (or whatever its called)
However, this can be evaded by using octet-stream as the MIME type, and then the client app will detect what this file is based on magic bytes.
If I'm not mistaken, the file function in PA (when you select file types) will do both fileext, mimetype and magic bytes to detect files; however, the file detection in PA currently only works for http, ftp, smtp, pop3 and imap streams (if I'm not mistaken).
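Added example, not from any post in this thread and not PAN-OS code: a Python sketch that runs the three checks discussed above (the '\.mp3 HTTP' request-line pattern, the MIME type, and the leading magic bytes) over constructed samples to show which transfers each check misses. The function names, the MIME set and the sample requests are assumptions made for illustration.

```python
import re

# Same literal match as the custom signature described in the thread.
URI_PATTERN = re.compile(rb"\.mp3 HTTP")
# audio/mpeg is the registered type (RFC 3003); audio/mp3 is also seen in practice.
MP3_MIME_TYPES = {"audio/mpeg", "audio/mp3"}


def uri_matches(request_line: bytes) -> bool:
    return URI_PATTERN.search(request_line) is not None


def mime_matches(content_type: str) -> bool:
    # Ignore parameters such as "; charset=..." and letter case.
    return content_type.split(";")[0].strip().lower() in MP3_MIME_TYPES


def magic_matches(body: bytes) -> bool:
    if body.startswith(b"ID3"):  # ID3v2 tag placed before the audio frames
        return True
    # MPEG audio frame header: 11 sync bits, 2 version bits, 2 layer bits.
    if len(body) < 2 or body[0] != 0xFF or (body[1] & 0xE0) != 0xE0:
        return False
    version = (body[1] >> 3) & 0x03  # 0b01 is reserved
    layer = (body[1] >> 1) & 0x03    # 0b01 means Layer III
    return version != 0x01 and layer == 0x01


def classify(request_line: bytes, content_type: str, body: bytes) -> set:
    """Return the names of the checks that flag this transfer as MP3."""
    checks = (("uri", uri_matches(request_line)),
              ("mime", mime_matches(content_type)),
              ("magic", magic_matches(body)))
    return {name for name, hit in checks if hit}


# Constructed samples: (request line, response Content-Type, first body bytes).
SAMPLES = [
    (b"GET /music/song.mp3 HTTP/1.1\r\n", "audio/mpeg", b"ID3\x03\x00\x00"),
    (b"GET /music/song.mp3?dl=1 HTTP/1.1\r\n", "audio/mpeg", b"\xff\xfb\x90\x00"),
    (b"GET /download?id=42 HTTP/1.1\r\n", "application/octet-stream", b"\xff\xfb\x90\x00"),
    (b"GET /images/logo.jpg HTTP/1.1\r\n", "image/jpeg", b"\xff\xd8\xff\xe0"),
]

if __name__ == "__main__":
    for line, ctype, body in SAMPLES:
        print(line.strip().decode(), "->", sorted(classify(line, ctype, body)))
```

The second sample shows the exact-match limit of the URI pattern (a query string after .mp3 breaks it), and the third is the octet-stream case where only the content check fires.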