IPS Signatures

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPS Signatures

L0 Member

Hello friends,

 

I have some signatures with fortigate names and I neet to know the equivalence in Palo Alto, by the CVE Palo Alto dont indentify it, could anyone help me?

 

web_app3: Narcissus.Image.Configuration.Remote.Command.Execution
CVE-2015-1579 CVE-2014-9734

applications3: Ektron.XSLT.Transform.Remote.Code.Execution
CVE-2012-5357

applications3: OpenVAS.Web.Scanner

 

 

 

Thankss


1 accepted solution

Accepted Solutions

In short: yes

 

The longer version is: To ensure we are able to scan traffic quickly it is efficient to kjeep the threat database small in size: To be able to provide the best possible coverage we investigate which signatures are active 'in the wild', which ones are dangerous and which ones are still relevant

 

If a vulnerability is widely patched, it is safe to assume the threat level becomes lower, and if the signature is not picked up in the wild much any more, that means the signature has become obsolete and it is safe to dselete from the repository,, thus ensuring only the important signatures are used to scan your traffic

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Are these CVE still active in the wild?

 

If CVE's are no longer active in the wild, or have long been patched, they are removed from the PANW threat vault to make way for more current signatures

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite
Cyber Elite

@Manuben88,

All of these CVEs you've identified, as @reaper made note to, have been addressed by software updates for a while. If you are still running software that this actually covers I would HIGHLY recommend that you update them to something current. 

Ektron has been packed for literally years, the first two threats that you mention are only on select themes and only two of the affected themes are under active developement with patched versions. 

I would say that this is mostly a 'non-issue' for the most part. You shouldn't actually need these signatures anymore.

Sorry but, If I understood:

 

This CVEs were active for a while but Palo Alto erase it from its signatures because with updating the host application made it-self non exploitable by this methods?

 

Thanks and regards.

In short: yes

 

The longer version is: To ensure we are able to scan traffic quickly it is efficient to kjeep the threat database small in size: To be able to provide the best possible coverage we investigate which signatures are active 'in the wild', which ones are dangerous and which ones are still relevant

 

If a vulnerability is widely patched, it is safe to assume the threat level becomes lower, and if the signature is not picked up in the wild much any more, that means the signature has become obsolete and it is safe to dselete from the repository,, thus ensuring only the important signatures are used to scan your traffic

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 3187 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!