This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About rcole
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About rcole
06-10-2016
100Posts
20Likes
23Solutions
Jun 10, 2016Last Visited
User
Activity
User
Profile
Latest posts by rcole
| Subject | Views | Posted |
|---|---|---|
| 5418 | 06-02-2016 08:02 AM | |
| 5613 | 06-01-2016 01:28 PM | |
| 5427 | 06-01-2016 11:03 AM | |
| 7112 | 05-23-2016 01:47 PM | |
| 7117 | 05-23-2016 01:43 PM | |
| 7253 | 05-23-2016 01:35 PM | |
| 7258 | 05-23-2016 01:22 PM | |
| 9416 | 05-23-2016 09:06 AM | |
| 8312 | 05-19-2016 10:56 AM | |
| 8324 | 05-19-2016 08:23 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 06-01-2016 01:28 PM | |
| 1 Like | 03-07-2016 04:44 AM | |
| 2 Likes | 03-02-2016 02:40 PM | |
| 3 Likes | 02-18-2016 07:03 AM | |
| 4 Likes | 02-02-2016 04:38 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 2 Likes | |||
| 3 Likes | |||
| 1 Like | |||
| 3 Likes |
User Badges
Community Statistics
| Member Since | 08-03-2015 11:44 AM |
| Date Last Visited | 06-10-2016 10:14 AM |
| Posts | 100 |
| Total Likes Received | 20 |
06-02-2016
08:02 AM
Hi clewis.
I tested this signature in a lab with every variant of the domain you provided, and it triggered in each instance.
Do you have a packet capture of the offending traffic?
... View more
06-01-2016
01:28 PM
1 Kudo
One attack avenue for an organization that the US-CERT is currently alerting on is the abuse of Web Proxy Auto-Discovery in order to hijack traffic by directing a web browser to a proxy they own.
The technical details are available at: https://www.us-cert.gov/ncas/alerts/TA16-144A
There are three avenues of detection I am aware of:
1) Detecting a DNS query with "wpad." in the content. This does not appear possible with the current custom signature engine, as there is not a 7 byte static anchor to signature off of.
2) Detecting an HTTP transaction in which the content of the "Host" header starts with "wpad."
3) Detecting an HTTP transaction in which the URI contains "wpad.dat"
I've written a custom signature that covers points 2 and 3 to illustrate what is possible.
This signature was written as an example to illustrate what the custom signature engine can do. It has minimal testing in a production environment, and is meant as a pivot point for creating your own custom protections.
It's also imperative to remember that this signature will be very noisy if it is applied to internal environments, and makes the most sense only applied to traffic destined for the untrust zone.
Have fun, signature enthusiasts!
... View more
06-01-2016
11:03 AM
Good afternoon!
I would try:
scanner@[a-z]+\.domain\.com
This operates under the assumption that the child domain under domain.com consists of any number of the characters a-z.
... View more
05-23-2016
01:47 PM
Juan:
No problem, sir. Thank you for your patience and for providing the data you did.
... View more
05-23-2016
01:43 PM
Juan:
As far as I am aware, no. This is due to the fact that we don't have a context for SMB hostname publicly available to customers to write signatures on, and would require a feature request be filed.
... View more
05-23-2016
01:35 PM
Juan:
Thank you for the packet capture.
I can confirm that we currently do not have a context available in the custom signature engine for the SMB hostname. If this is something you'd like to have added, you should reach out to your account team representative and file a feature request for inclusion in a future version.
... View more
05-23-2016
01:22 PM
Good afternoon.
For requests of this nature, please try to provide a packet capture if it is possible, highlighting the traffic you wish to create a signature on. It will greatly improve our ability to help you.
It sounds like you want to trigger off something specific in SMB traffic, though based on your post above I'm not 100% certain what the actual offending traffic is. Would you mind elaborating slightly?
As far as SMB based signatures go, we currently have one context for SMB, which is "ms-ds-smb-req-share-name" detailed on page 27 of the creating custom signatures document referenced in the sticky of this forum.
Leveraging "unknown-req-tcp-payload" will not function as the traffic you reference will likely be caught by the SMB decoder. This would mean a custom signature is not possible with our current engine. "Unknown-req-tcp-payload" is for applications identified as "unknown-tcp" only, meaning we have no decoder for them.
... View more
05-23-2016
09:06 AM
Good morning!
It appears that this may be a limitation of the current custom signature engine. I've confirmed with some peers that unknown-xxx applications require a specific amount of traffic in order to begin matching against custom signatures.
This knowledge base article will assist:
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711
The issue here appears to be that there is not enough data occurring in the session for the custom signature engine to begin matching against unknown-tcp.
... View more
05-19-2016
10:56 AM
Thank you for the complete packet capture! However, what I'm hoping for is the actual signature you've written. Can you export it from the firewall and upload it here? Additionally, .RAR and .PCAP formats should no longer require you to obfuscate them to upload.
... View more
05-19-2016
08:23 AM
Good morning! 🙂
Would it be possible for you to export and attach the signature you've created so far so I can inspect it?
... View more
05-17-2016
08:55 AM
Thank you. That was a creative work around.
One thing I've noticed is that the data pattern you are matching on is not present in the packet capture (or the excerpt from your initial post).
Your pattern is:
\x 55 43 50 72 6f 76 69 64 65 72 20 31 2e 30 \x
However, the pattern in the packet capture and your excerpt is as follows:
\x 55 43 50 72 6f 76 69 64 65 72 00 31 2e 30 \x
Note that the 11th byte in your pattern is 20 (a space). The actual byte is a null byte (00).
This may be a good place to start troubleshooting, if I have not overlooked anything.
Respectfully,
- rcole
... View more
05-17-2016
07:35 AM
Good morning.
My skillset is more around writing threat signatures (vulnerability and anti-spyware) rather than application signatures. However, if you provide a packet capture of some sample traffic you'd like to identify, this would likely be helpful, as many folks with varying skillsets frequent this forum. In order to test any of our ideas, having a packet capture of some sample traffic to replay in our lab environments would help to lead towards resolution.
Is this possible?
... View more
05-13-2016
05:46 AM
Hello, Chuck, and good morning to you sir!
First, this appears to be a question better suited for the general discussion forum as it doesn't appear to pertain to custom signatures.
However, I would like to point out that if you click on a value populating the "NAME" column in the threat monitor, the metadata for that threat name should appear like so:
The CVE associated is part of this metadata. I don't believe a separate column can be created.
Respectfully,
rcole
... View more
03-17-2016
03:51 AM
Good morning, jpeters.
As abjain stated, http-req-uri-path and http-req-params contain some distinctions that will help you match in this case.
See page 24 on this document: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569
... View more
03-15-2016
11:38 AM
Hello, ttanzi!
According to page 38 of the creating custom signature document, case sensitivity will depend on the context you are pattern matching within, with some innately being case sensitive, and others not. requiring you define potential patterns of varying case manually.
Reference: https://live.paloaltonetworks.com/t5/Documentation-Articles/Creating-Custom-Threat-Signatures/ta-p/58569?attachment-id=1097
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks