This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About noc_soc
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About noc_soc
03-05-2023
3Posts
0Likes
0Solutions
Mar 05, 2023Last Visited
User
Activity
User
Profile
Latest posts by noc_soc
| Subject | Views | Posted |
|---|---|---|
| 2372 | 07-17-2013 02:51 AM | |
| 3758 | 12-17-2012 03:22 AM | |
| 3842 | 12-13-2012 03:39 AM |
User Badges
Community Statistics
| Member Since | 08-05-2011 10:21 AM |
| Date Last Visited | 03-05-2023 12:34 PM |
| Posts | 3 |
07-17-2013
02:51 AM
http://dnsamplificationattacks.blogspot.com.es/ http://dnsamplificationattacks.blogspot.nl/2013/05/nl-188954825-as57172.html, In relation to this attack , which is performed a high volume of requests against the DNS , it detects PaloAlto under the signatures : DNS Queries ANY TWO Brute -force Attack Microsoft SMTP Service and Exchange Routing Engine Buffer Overflow Vulnerability This signature function through which we have modified thresholds . Yet we see that the size of requests is usually greater than 4000 bytes. So we are trying to create a rule that detects UDP requests to port 53 to a size greater than 4000 bytes to lock . But we do not see how you can create a similar rule or at least detected by the packet size . Is there any way to create a similar rule . thanks Sorry for the google translation
... View more
Labels:
- Labels:
-
Troubleshooting
12-13-2012
03:39 AM
Hi All, We are making the creation of a "Custom Signature" to detect an XSS vulnerability identified in the player JWPLAYER The vulnerability occurs in / media / players / jwplayer / player.swf and HDSMediaProvider.swf. Model: PA-4050 Software Version: 4.0.11 For this we register accesses can be made to the player JWPLAYER with parameters in the URL. Examples: http://www.xxxx.xx/media/players/jwplayer/player.swf?abouttext=xxxxxx&aboutlink=http://www.xxxx.xxx http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxx.xxx&image=http://xxxx.xxxx http://www.xxxxx.xx/media/players/jwplayer/player.swf?file=http://xxxxxx.xxx&logo.file=http://xxxxx.xxx&logo.link=xxxxxxx To create it first was used in an attempt to record all requests containing .swf? and indicating the call with parameters: OPERATOR: Pattern Match CONTEXT: REQ-HTTP-HEADERS PATTERN: .*jwplayer /. *swf \? (.*) Also with ".*jwplayer /. *swf \?" This rule did not detect the parameters Then we used 2 conditions with the following configuration: And Condition 1: OPERATOR: PATTERN-MATCH CONTEXT: HTTP-REQ-URI-PATH PATTERN: .*jwplayer /.*swf And Condition 2 OPERATOR: PATTERN-MATCH CONTEXT: HTTP-REQ-PARAMS PATTERN: .*((file)|(abouttext)|(image)) While it should detect any url parameter, these are the ones who were using for testing. But it happened that not all parameters are detected. Therefore, the pattern will change to ((.+)|(abouttext)), since the minimum length is 7, but still does not detect any parameter. The purpose of the rule is to detect any url with parameters Sorry for the google translation
... View more
- Tags:
- custom_signatures
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-05-2023
12:34 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks