10-07-2020 12:16 AM
Creating a custom Snort signature on a Palo Alto firewall, but I didn't find the context operator concerned for the match pattern.
Should we create a context operator, or how can the pattern be added if the context operator is not available?
For example:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; content:!"------WebKitFormBoundary"; http_client_body; content:!"Cookie|3a|"; pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)
Not available:
http_method
http_client_body
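To see exactly which content matches in the quoted rule depend on the two missing buffers, here is an added example (not from the post or from Palo Alto Networks) that parses the Snort 2 option list, decodes the |hex| escapes, and binds each modifier to the content that precedes it. The set of "unavailable" buffers is taken from the post above; everything else (the dataclass, the modifier list, escaped quotes not being handled) is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed copy of the rule quoted in the post.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"[CIS] Emotet C2 Traffic Using Form Data to Send Passwords"; '
        'content:"POST"; http_method; '
        'content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary="; http_header; fast_pattern; '
        'content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http_client_body; '
        'content:!"------WebKitFormBoundary"; http_client_body; '
        'content:!"Cookie|3a|"; '
        'pcre:"/:?(chrome|firefox|safari|opera|ie|edge) passwords/i"; '
        'reference:url,cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/; sid:1; rev:2;)')

# Snort 2 HTTP buffer modifiers (assumed list); the post reports the two in UNAVAILABLE as missing.
BUFFER_MODIFIERS = {"http_method", "http_header", "http_client_body", "http_uri", "http_cookie",
                    "http_raw_uri", "http_raw_header", "http_stat_code", "http_stat_msg"}
UNAVAILABLE = {"http_method", "http_client_body"}

@dataclass
class Match:
    pattern: bytes
    negated: bool = False
    buffer: str = "payload"      # Snort's default buffer when no modifier follows the content
    fast_pattern: bool = False

def decode_content(text: str) -> bytes:
    """Turn Snort content syntax ('ab|3a 20|cd') into raw bytes; odd-indexed pieces are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def split_options(body: str) -> list:
    """Split the option body on ';' while ignoring semicolons inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in opts + ["".join(cur).strip()] if o]

def parse_rule(rule: str) -> list:
    """Return the content matches of a Snort 2 rule with the buffer each one is bound to."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches = []
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key = key.strip()
        if key == "content":
            negated = val.startswith("!")
            matches.append(Match(decode_content(val.lstrip("!").strip('"')), negated))
        elif key in BUFFER_MODIFIERS and matches:
            matches[-1].buffer = key      # Snort 2 modifiers apply to the preceding content
        elif key == "fast_pattern" and matches:
            matches[-1].fast_pattern = True
    return matches

def unavailable_buffers(matches: list) -> list:
    """Buffers used by the rule that the post says have no context operator on the firewall."""
    return sorted({m.buffer for m in matches if m.buffer in UNAVAILABLE})
```

Running `unavailable_buffers(parse_rule(RULE))` shows that three of the five content matches (the method and both client-body matches) would need a substitute context, while the header match and the unbuffered Cookie match do not.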