Is it possible to block method POST in any website?


L0 Member

Hi guys,

Our company doesn't want employees to post anything on the internet, so we're trying to create a custom application that blocks the POST method in http-request-message. But when we try to write a pattern, an alert always pops up saying that at least 7 bytes are required. We've tried it many ways, such as [a-zA-Z0-9], but it still won't work.

Can anybody advise us on how to write a pattern that will match any message?

Best Regards,

Piyapol

8 REPLIES

L5 Sessionator

Helpful References

TechNote : Custom Application Signatures

L5 Sessionator

A similar discussion can be found here: https://live.paloaltonetworks.com/message/14234#14234

L5 Sessionator

You can also refer to page 156 of https://live.paloaltonetworks.com/docs/DOC-2029 under the heading "Example - Detect a post to a specified blog".

L5 Sessionator

Typically, for a Custom-Signature based on the HTTP-POST request, you can add Context http-req-uri-path and then add a qualifier as http-method with Value=Post

In this case would it be best to create a custom app or a custom signature?

I (currently) think that creating a custom signature that acts on all HTTP traffic would be better, and by that set a default action of block (or alert).

L0 Member

Thank you for all the answers.

But I can't block the paths /imgs, /files because Palo Alto alerts "The minimum length for this field is 7".

I tested inserting /imgs{7}. It did not work.

Reference:

{ } Min/Max number of bytes.

Example: {10,20} matches any string that is between 10 and 20 bytes. This must be directly in front of fixed string, and only supports “.”.

Please share any ideas to fix it.

L1 Bithead

We found the same problem here. I've tried to create a pattern like [a-zA-Z0-9], which should match everything already (tested on Regex Tester). I also used Byte Counter to count this pattern, which said 11 bytes. But on Palo Alto, when we tried to add it, the same error popped up, like this:

-> signature -> PostMethod -> and-condition -> And Condition 1 -> or-condition -> Or Condition 1 -> operator -> pattern-match -> pattern '[a-zA-Z0-9]' is invalid. pattern must be at least 7 byte

Context: http-req-header

Qualifier: http-method

Value: POST

and yet it complains that there is no pattern... hmpf... so damn close 😞

Is there some kind of bogus wildcard one can use to make the GUI happy, like ******* (seven * in a row) or such?

There is this example in the manual which is sort of what is needed, except that this signature (which this thread is needing) should trigger on ANY site (no matter if it's ipv4, ipv6 or fqdn) and that this example is an appid instead of a vuln signature, which would be a better choice:

set application specifiedblog_posting category collaboration subcategory web-posting technology browser-based signature s1 and-condition a1 or-condition o1 operator pattern-match context http-req-host-header pattern specifiedblog.com qualifier http-method value POST
