10-30-2015 04:20 PM
Here is an example signature that alerts when a server responds with SMTP 550 5.1.1 (mailbox does not exist). The context used is 'smtp-rsp-content' and the pattern to be matched is '550\ 5\.1\.1' (the space and the dots are escaped so they match literally):
<pattern>550\ 5\.1\.1</pattern>
<context>smtp-rsp-content</context>
Full example signature (7.0) attached as 'sample_smtp_vulnerability_41002.xml'.
Next, assume we would like to alert when this signature triggers 10 times within a 60 second interval. We can create a combination (brute force) signature whose time attribute sets that interval and threshold, and whose condition references the signature created earlier by its threat ID:
<combination>
  <time-attribute>
    <interval>60</interval>
    <threshold>10</threshold>
  </time-attribute>
  <and-condition>
    <entry name="And Condition 1">
      <or-condition>
        <entry name="Or Condition 1">
          <threat-id>41002</threat-id>
        </entry>
      </or-condition>
    </entry>
  </and-condition>
</combination>
Full signature attached as 'sample_brute_vulnerability_41003.xml'.
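To make the two-stage logic concrete, here is an added Python example (not Palo Alto Networks code and not the attached XML) that replays what the pair of signatures does against a list of SMTP responses: the first function is the child pattern match on '550\ 5\.1\.1', and the second applies the combination signature's sliding window of 10 hits in 60 seconds. It assumes hits are tracked per source IP, which the post does not state, and the traffic it runs on is constructed sample data:

```python
import re
from collections import defaultdict, deque

# The same pattern the child signature uses; the escaped space and dots
# match literally, so "550 5.7.1" (relay denied) must not match.
SMTP_550_PATTERN = re.compile(r"550\ 5\.1\.1")


def matches_smtp_550(response: str) -> bool:
    """Equivalent of the 'smtp-rsp-content' match in signature 41002:
    True if the server response carries status 550 5.1.1 (mailbox does not exist)."""
    return SMTP_550_PATTERN.search(response) is not None


def combination_alerts(events, interval=60, threshold=10):
    """Sliding-window threshold modelled on the combination signature's
    <time-attribute>: raise an alert each time `threshold` child hits fall
    within `interval` seconds, then start counting afresh.

    events: time-ordered iterable of (timestamp_seconds, src_ip, smtp_response).
    Hits are tracked per source IP (an assumption; the post gives no track-by).
    Returns a list of (timestamp, src_ip) for every alert raised.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src, response in events:
        if not matches_smtp_550(response):
            continue  # child signature 41002 did not trigger for this response
        hits = windows[src]
        hits.append(ts)
        # Drop hits older than the interval so the window slides forward.
        while hits and ts - hits[0] > interval:
            hits.popleft()
        if len(hits) >= threshold:
            alerts.append((ts, src))
            hits.clear()  # the next alert needs another `threshold` hits
    return alerts


def build_sample_events():
    """Constructed sample traffic (not from the post): one client that probes
    an unknown mailbox every 5 seconds, one client with a few ordinary
    bounces, and some responses that must not count as hits."""
    events = []
    for i in range(12):
        events.append((i * 5, "198.51.100.7",
                       f"550 5.1.1 <user{i}@example.com>: Recipient address rejected: User unknown"))
    events.append((7, "198.51.100.7", "250 2.1.5 Ok"))                # delivery accepted
    events.append((12, "198.51.100.7", "550 5.7.1 Relaying denied"))  # 550 but not 5.1.1
    for i in range(3):
        events.append((20 + i * 10, "203.0.113.9",
                       f"550 5.1.1 <old{i}@example.com>: User unknown"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for ts, src in combination_alerts(build_sample_events()):
        print(f"t={ts}s brute-force alert (10 x 550 5.1.1 within 60s) for {src}")
```

With the default interval and threshold only the probing client trips the combination signature, at the 10th consecutive unknown-recipient response (t=45s); the client with three bounces and the non-matching 250 and 550 5.7.1 responses never contribute a hit.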
For further information on custom signatures, please refer to the document at:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/5...