Exceptions aggregation criteria


L4 Transporter

What do these options for aggregation criteria actually mean when creating exceptions in a vulnerability profile - source, destination, or by source and destination?


And also track by IP source and IP source destination


L7 Applicator

You are referring to the options that pop up when you click on select Vulnerability signatures that do have a 'Pencil and Paper' icon at the left of the Threat Name entry.


These are special 'Combination' signatures. The way they work is you have a parent and a child signature. Some people refer to them as witness (for the parent) and event (for the child) signatures.


The idea is that the event (child) signature is tracking events that by themselves (as isolated events) are not malicious in nature, e.g., login attempts to an SSH server. However, if you see a large number of these events in a very short time, it can be an indication of a brute force attempt. The key concept is the time component. The witness (parent) signature is tracking the n occurrences of the event (child) in a specified time window.


Event (child) signatures do not need to write entries to the Threat logs to be counted by witness (parent) signatures. This means that the parent signature will count occurrences of the child signature even if it is not logging to the Threat logs (action allow).


The source or source-and-destination aggregation criteria refer to the definition of what the witness is counting as events in a given time window. Going back to our example, if the same source is attempting to log in using SSH to multiple different destination IPs within the specified time window, and your aggregation criteria is only source, then these events will all count toward the trigger condition of the witness signature. However, if you define it as source-and-destination, you define additional granularity and you'd be instantiating multiple time windows where the trigger condition that is counted is the n-number of instances where a single source goes to a *specific* destination.


You can read additional details in our "Creating custom application and threat signatures" document available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 (see Combination Signatures on page 65).


There is also additional information on Brute Force signatures available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC
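
The difference between the aggregation criteria described in the answer above, as an added illustration that is not part of the original posts and is not PAN-OS code: a sliding-window counter keyed by source, destination, or source-and-destination, run over constructed SSH login events. The threshold of 10 hits in 60 seconds, the IP addresses and all function names are assumptions made for the example.

```python
from collections import defaultdict, deque

# Key functions for the three aggregation criteria discussed in the thread.
AGGREGATION = {
    "source": lambda e: (e["src"],),
    "destination": lambda e: (e["dst"],),
    "source-and-destination": lambda e: (e["src"], e["dst"]),
}

def witness_triggers(events, criteria, threshold, window):
    """Return the aggregation keys for which `threshold` child events were
    seen within `window` seconds (one sliding window per key)."""
    key_of = AGGREGATION[criteria]
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    fired = set()
    for ev in sorted(events, key=lambda e: e["t"]):
        q = recent[key_of(ev)]
        q.append(ev["t"])
        while ev["t"] - q[0] >= window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            fired.add(key_of(ev))
    return fired

# Constructed sample of child events (SSH login attempts), timestamps in seconds.
# 10.0.0.5 tries 12 different servers once each (spread across destinations);
# 10.0.0.9 tries a single server 12 times.
SPRAY = [{"t": i, "src": "10.0.0.5", "dst": f"192.0.2.{i + 1}"} for i in range(12)]
HAMMER = [{"t": i, "src": "10.0.0.9", "dst": "192.0.2.50"} for i in range(12)]
EVENTS = SPRAY + HAMMER

def compare(threshold=10, window=60):
    """Evaluate the same events under each aggregation criterion
    (threshold and window are assumed values, not product defaults)."""
    return {c: witness_triggers(EVENTS, c, threshold, window) for c in AGGREGATION}

if __name__ == "__main__":
    for criteria, keys in compare().items():
        print(f"{criteria:24} -> {sorted(keys)}")
```

With these events, source aggregation fires for both hosts, while destination and source-and-destination aggregation fire only for the traffic aimed at 192.0.2.50, because the spread-out attempts never reach the threshold in any single per-destination window.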

@mivaldi That's a nice explanation. So isn't choosing by source only better than selecting source and destination? Doing it by source & destination, it will miss out on the threat if it is trying to SSH to multiple destinations within that short period, and it can remain hidden.


And what about destination only? Which source IP would the firewall choose to block?

