Example to detect SMTP 550 (destination email address does not exist)

Here is an example to alert when a server responds with SMTP 550 (mailbox does not exist). The context used is 'smtp-rsp-content' and the pattern to be matched is '550\ 5\.1\.1'.
<pattern>550\ 5\.1\.1</pattern>
<context>smtp-rsp-content</context>


Full example signature (7.0) is attached as 'sample_smtp_vulnerability_41002.xml'.


Next, assume we would like to detect 10 triggers of this signature in a 60-second interval; we can create a combination (brute-force) signature that references the signature created earlier:
<combination>
<time-attribute>
<interval>60</interval>
<threshold>10</threshold>
</time-attribute>
<and-condition>
<entry name="And Condition 1">
<or-condition>
<entry name="Or Condition 1">
<threat-id>41002</threat-id>
</entry>
</or-condition>
</entry>
</and-condition>
</combination>


Full signature attached as 'sample_brute_vulnerability_41003.xml'.


For further information on custom signatures, please refer to the document at:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...
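The following is an added example, not code from the post above or from Palo Alto Networks: a small Python replay of what the two signatures decide, run over constructed SMTP server responses. It applies the post's pattern '550\ 5\.1\.1' to each response line (the stand-in for the smtp-rsp-content context) and then applies the combination signature's 10-hits-in-60-seconds rule. The per-client sliding window that resets after an alert is an assumption about how the firewall aggregates hits; the real combination signature's tracking and window behaviour are set in the signature itself and are not shown in the post. The sample traffic, IPs and recipient addresses are made up.

```python
import re
from collections import defaultdict, deque

# Pattern exactly as written in the post; PAN-OS escapes the literal space as '\ ',
# which Python's re module accepts as well.
PATTERN = re.compile(r"550\ 5\.1\.1")
INTERVAL = 60   # seconds, from the post's <interval>
THRESHOLD = 10  # hits, from the post's <threshold>


def matches_550(response_line: str) -> bool:
    """Stand-in for the smtp-rsp-content pattern match on one server response line."""
    return PATTERN.search(response_line) is not None


class CombinationDetector:
    """Assumed model of the combination signature (not PAN-OS's actual logic):
    per-client sliding window of `interval` seconds; alert when `threshold`
    matches fall inside it, then reset so the next alert needs another
    `threshold` matches."""

    def __init__(self, interval: int = INTERVAL, threshold: int = THRESHOLD):
        self.interval = interval
        self.threshold = threshold
        self.hits = defaultdict(deque)  # client -> timestamps of matching responses

    def observe(self, client: str, ts: int, response_line: str) -> bool:
        if not matches_550(response_line):
            return False
        window = self.hits[client]
        window.append(ts)
        # Keep only hits in the last `interval` seconds: (ts - interval, ts]
        while window and window[0] <= ts - self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()
            return True
        return False


def build_sample():
    """Constructed SMTP server responses as (seconds, client_ip, response line). Not real traffic."""
    rows = []
    # Enumerating client: 12 unknown recipients in 55 seconds -> should trigger
    for i in range(12):
        rows.append((i * 5, "10.0.0.5",
                     f"550 5.1.1 <user{i}@example.com>: Recipient address rejected: User unknown"))
    # Ordinary client: an accept, a relay-denied 550 with a different enhanced code,
    # and a multi-line 5.1.1 reply whose continuation line uses '550-' rather than '550 '
    rows += [
        (3, "10.0.0.9", "250 2.1.5 Ok"),
        (8, "10.0.0.9", "550 5.7.1 <bob@external.test>: Relay access denied"),
        (12, "10.0.0.9", "550-5.1.1 The email account that you tried to reach does not exist."),
        (12, "10.0.0.9", "550 5.1.1 https://support.example.com/mail/answer/6596"),
    ]
    # Slow client: 10 unknown recipients, but spread over three minutes -> below threshold
    for i in range(10):
        rows.append((i * 20, "10.0.0.7", "550 5.1.1 <x@example.com>: User unknown"))
    rows.sort(key=lambda r: r[0])
    return rows


def count_matches(rows) -> int:
    """How many individual responses the vulnerability signature (41002) would hit."""
    return sum(1 for _, _, line in rows if matches_550(line))


def run(rows, interval: int = INTERVAL, threshold: int = THRESHOLD):
    """Replay the responses through the combination rule; return (ts, client) alerts."""
    detector = CombinationDetector(interval, threshold)
    return [(ts, client) for ts, client, line in rows if detector.observe(client, ts, line)]


if __name__ == "__main__":
    sample = build_sample()
    print("single-signature hits:", count_matches(sample))
    print("combination alerts:", run(sample))
```

Two details are worth noticing when replaying this. The pattern requires a space after 550, so the '550-5.1.1' continuation line of a multi-line reply does not match, only the final '550 5.1.1' line does, which is why a multi-line reply counts once rather than twice. And '550 5.7.1' (relay denied) is excluded by the enhanced status code, so a plain '550' pattern would over-count; the post's inclusion of '5\.1\.1' is what keeps the signature specific to unknown recipients.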
