I am looking for an AutoFocus artifact miner, and in the MineMeld app I found "autofocus.artifactsMiner".
But when I check my Ubuntu VM, I could not find it.
How can I copy and re-use this "autofocus.artifactsMiner" on my Ubuntu MineMeld?
Users in enterprises often use web-based file hosting to upload big files. This creates concerns about network bandwidth usage and server storage capacity, as a file can be bigger than 1GB. The steps below are useful to control the file size uploaded to a web server using the HTTP request Content-Length parameter.
PAN-OS version: 6.1.0-b43
Create a custom vulnerability signature
Go to Objects Tab > Custom Objects > Vulnerability, then click “Add”.
Fill-in required fields as shown below:
Click “Signatures” Tab, then click “Add”. In Standard window, type in the Signature Name:
At the bottom of “Standard” window, click “Add And Condition”:
Inside the “Or Condition” window, set Operator to “Greater Than” and Context to “http-req-content-length”. To limit the file size to 10 MB, fill in the Value in bytes: 10 MB equals “10485760”.
Then click “OK”, click “OK” again.
Or, you can just save the text below as a BLOCK-FILE-10MB.xml file and click “Import” in Objects Tab > Custom Objects > Vulnerability.
<entry name="And Condition 1">
<entry name="Or Condition 1">
Create a Vulnerability Protection profile
Go to Objects Tab > Security Profiles > Vulnerability Protection, then click “Add”.
You can name the profile as “VP-FILE-UPLOAD”:
Then click “Add”, and fill in Rule Name, Threat Name, and the other fields as in the picture below:
When finished, click “OK”, then click “OK” again.
Create Security Policy
Go to Policies Tab > Security, then create a security policy similar to the one below:
Don’t forget to assign vulnerability protection profile “VP-FILE-UPLOAD” under “Actions” tab:
Click “OK”, then click “Commit”.
File Upload Testing
Open the browser, and type www.filehosting.org
Click “Choose File”, then find any file larger than 10MB:
When uploading a file with a size of more than 10MB (10485760 bytes), the firewall blocks and resets the connection.
Below is the packet capture that shows the “Content-Length” value is more than 10MB:
And the browser shows blank page:
Check Firewall Threat Logs
The Threat Logs show that the firewall caught the “Content-Length” parameter, which is greater than the allowable size.
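As an added example (not from the original post), this Python mirrors the signature condition above, Content-Length greater than 10485760 bytes, against constructed HTTP requests, including the exact 10 MB boundary and a request with no Content-Length header, which gives the http-req-content-length context nothing to compare. The sample requests and the host name example.test are constructed for illustration.

```python
# Threshold from the post: 10 MB = 10485760 bytes, matched with "Greater Than".
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # 10485760


def content_length(raw_request: bytes):
    """Return the Content-Length of an HTTP request, or None if absent/invalid.

    Only the header block (up to the first blank line) is inspected, which is
    what the http-req-content-length context sees; the body is never read.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            value = value.strip()
            return int(value) if value.isdigit() else None
    return None


def exceeds_limit(raw_request: bytes, limit: int = MAX_UPLOAD_BYTES) -> bool:
    """True when the signature condition (Content-Length > limit) would fire."""
    length = content_length(raw_request)
    # No header means no value to compare, so the rule does not match.
    return length is not None and length > limit


# Constructed sample requests (not real captures).
SAMPLES = {
    "small": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1024\r\n\r\n",
    "exactly_10mb": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10485760\r\n\r\n",
    "just_over": b"POST /upload HTTP/1.1\r\nHost: example.test\r\ncontent-length: 10485761\r\n\r\n",
    "no_length": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
}


def classify(samples=SAMPLES) -> dict:
    """Map each sample to the verdict the rule would give: 'block' or 'allow'."""
    return {name: ("block" if exceeds_limit(req) else "allow")
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:>13}: {verdict}")
```

Note that "exactly_10mb" is allowed because the operator is "Greater Than", and that an upload without a Content-Length header is not covered by this rule at all.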
I would like to know if anyone has succeeded in creating a custom signature, either a custom spyware object or a custom vulnerability signature, to detect random sub-domains in DNS queries.
We don't want to block www.yahoo.com or yahoo.com domain query.
But if there is a query for something like abcd1234.yahoo.com, we should detect it and alert using an Anti-Spyware profile.
Can you recommend any solutions on how to solve this issue?
This particularly happens at ISPs, where they need to block this kind of sub-domain query, which does not actually exist and consumes DNS resources.