Creating Custom Signatures Tech Note - Palo Alto Networks

© 2013–2017 Palo Alto Networks, Inc. www.paloaltonetworks.com

Creating Custom Signatures Tech Note

Revision E

Revision Date: August 22, 2017

Table of Contents

Overview
Integer Contexts (Greater than, Less than, Equal to)
    dnp3-req-func-code
    dnp3-req-object-type
    dns-rsp-tcp-over-dns
    dns-rsp-txt-found
    ftp-req-params-len
    http-req-content-length
    http-req-cookie-length
    http-req-header-length
    http-req-param-length
    http-req-uri-path-length
    http-req-uri-tilde-count-num
    http-rsp-code
    http-rsp-content-length
    http-rsp-total-headers-len
    iccp-req-func-code
    imap-req-cmd-param-len
    imap-req-first-param-len
    imap-req-param-len-from-second
    smtp-req-helo-argument-length
    smtp-req-mail-argument-length
    smtp-req-rcpt-argument-length
    sctp-req-ppid
    ssl-rsp-version
    stun-req-attr-type
    panav-rsp-zip-compression-ratio
String Contexts (Pattern Match)
    dns-req-addition-section
    dns-req-answer-section
    dns-req-authority-section
    dns-req-header
    dns-req-section
    dns-rsp-addition-section
    dns-rsp-answer-section
    dns-rsp-authority-section
    dns-rsp-header
    dns-rsp-ptr-answer-data
    dns-rsp-queries-section
    email-headers
    file-elf-body
    file-flv-body
    file-html-body
    file-java-body
    file-mov-body
    file-office-content
    file-pdf-body
    file-riff-body
    file-swf-body
    file-tiff-body
    file-unknown-body
    ftp-req-params
    ftp-rsp-banner
    ftp-rsp-message
    gdbremote-req-context
    gdbremote-rsp-context
    giop-req-message-body
    giop-rsp-message-body
    h225-payload
    http-req-cookie
    http-req-headers
    http-req-host-header
    http-req-message-body
    http-req-mime-form-data
    http-req-params
    http-req-uri-path
    http-rsp-headers
    http-rsp-non-2xx-response-body
    imap-req-cmd-line
    imap-req-first-param
    imap-req-params-after-first-param
    irc-req-params
    irc-req-prefix
    jpeg-file-scan-data
    jpeg-file-segment-data
    jpeg-file-segment-header
    ms-ds-smb-req-share-name
    msrpc-req-bind-data
    mssql-db-req-body
    nettcp-req-context
    oracle-req-data-text
    pe-dos-headers
    pe-file-header
    pe-optional-header
    pe-section-header
    pe-body-data
    rtmp-req-message-body
    rtsp-req-headers
    rtsp-req-uri-path
    snmp-req-community-text
    smtp-req-argument
    smtp-rsp-content
    ssh-req-banner
    ssh-rsp-banner
    ssl-req-certificate
    ssl-req-client-hello
    ssl-req-random-bytes
    ssl-rsp-cert-subjectpublickey
    ssl-rsp-certificate
    ssl-rsp-server-hello
    telnet-req-client-data
    telnet-rsp-server-data
    unknown-req-tcp-payload
    unknown-rsp-tcp-payload
    unknown-req-udp-payload
    unknown-rsp-udp-payload
Regex Syntax with Examples
    Table of PAN-OS Regex Characters
    Simple Examples of Patterns Using Each Supported Character
    Common Regex Syntax Errors
Custom Signature Examples
    Signature Terminology Refresher
    Example 1 – Integer-based Context
    Example 2 – Matching Hexadecimal Values
    Example 3 – Custom Signature Using a Qualifier
    Example 4 – Combination Signature
Context Qualifiers
    Table 1: FTP Command Qualifiers
    Table 2: FTP Vendor ID Qualifiers
    Table 3: HTTP Header Field Qualifiers
    Table 4: HTTP Method Qualifiers
    Table 5: IMAP Command Qualifiers
    Table 6: RTSP Method Qualifiers
    Table 7: SMTP Method Qualifiers
Revision History

Overview

The information in this tech note was written against a firewall running PAN-OS 5.0, but it applies to later versions as well. The first section describes the integer contexts, which work with the greater-than, less-than, and equal-to operators. These contexts are available for custom IPS signatures but not for custom application signatures. The second section describes the string contexts, which work with the pattern-match operator. The third section covers the PAN-OS regex character set, regex examples, and the common regex-specific mistakes you may run into when writing patterns for custom signatures. The fourth section contains step-by-step procedures for creating custom signatures of each type. The final section provides tables of all qualifiers available to the various contexts; qualifiers are context-dependent and further refine and limit the scope of a custom signature.

When creating a custom signature, start by taking a packet capture of the traffic of interest. The packet captures in this document were analyzed with Wireshark, which gives a simple reference for understanding what each context provides.

Integer Contexts (Greater than, Less than, Equal to)

dnp3-req-func-code
Description: DNP3 application layer request and response headers contain function codes, for example read, write, select, operate, and direct_operate. The dnp3-req-func-code context identifies these function codes, which are 1 byte in length. In this example, the function code ‘Select’ has the hex value 0x03, so its decimal equivalent, 3, is what has to be defined in the custom app.
Example:


dnp3-req-object-type
Description: Objects in the DNP3 library are divided into groups and variations, and this context identifies them. The dnp3-req-object-type context is a 2-byte hex value. In this case the hex value is 0x0c01, so the custom app takes the decimal value 3073.
Example:

dns-rsp-tcp-over-dns
Description: Checks multiple conditions of a DNS response to detect TCP-over-DNS (for example, tools like Iodine can tunnel IPv4 data through a DNS server). If conditions that indicate TCP-over-DNS are detected, the dns-rsp-tcp-over-dns field is set to 1.
Example:


dns-rsp-txt-found
Description: Checks the Answer section of a DNS response and tests whether the Type field is set to TXT. To match responses whose DNS Type field is TXT, set dns-rsp-txt-found equal to 1.
Example:

ftp-req-params-len
Description: Length of the arguments to an FTP command, not including the command itself.
Example: This context provides the length of the text highlighted.

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to specific FTP commands and known FTP clients.


http-req-content-length
Description: Content length of an HTTP request.
Example: This context provides the integer highlighted in yellow.

http-req-cookie-length
Description: Identifies the Cookie header in an HTTP request header and reports the number of bytes in the cookie string.
Example:


http-req-header-length
Description: Length of an HTTP request header, excluding the method, path, and HTTP version.
Example: This context provides the length of the text highlighted in yellow.

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-param-length
Description: Length of the URL query string.
Example: This context provides the length of the text highlighted in yellow (everything after the ‘?’).


http-req-no-version-string-small-pkt
Description: If this field is set to 1, an HTTP request that is less than 50 bytes long and is missing the HTTP version string “HTTP/x.y” has been found. Here is an example of such a request:

You can compare the example above to a normal request:


http-req-uri-path-length
Description: Length of the URI path, not including the query string (up to and including the ‘?’).
Example: This context provides the length of the text highlighted in yellow.

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific HTTP methods.

http-req-uri-tilde-count-num
Description: Number of “~” characters in the path (the same path that http-req-uri-path provides). The following encoded characters are also counted by this context:

• %3A

• %u003A

• %u0589

• %u2236

• %u007E

• %u0303

• %u223C

• %uFF5E

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific HTTP methods.


http-rsp-code
Description: The number corresponding to the HTTP response code.
Example: This context provides the integer highlighted in yellow.

http-rsp-content-length
Description: Content length of an HTTP response.
Example: This context provides the integer highlighted in yellow.


http-rsp-total-headers-len
Description: Length of the HTTP response headers, not including the HTTP status banner.
Example: This context provides the length of the text highlighted in yellow.

iccp-req-func-code
Description: ICCP function codes such as read, write, identify, and rename can be identified using the iccp-req-func-code context, which identifies the 1-byte function code value. In this case, the read function code has the hex value 0xa4; the corresponding decimal value, 164, is what has to be entered when creating the custom app.
Example:


imap-req-cmd-param-len
Description: Total length of all parameters of an IMAP command.
Example: This context provides the length of the text highlighted in yellow.

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-first-param-len
Description: Length of the first parameter of an IMAP command.
Example: This context provides the length of the text highlighted in yellow.

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-param-len-from-second
Description: Total length of all parameters of an IMAP command, not including the first.
Example: This context provides the length of the text highlighted in yellow.

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.


smtp-req-helo-argument-length
Description: Length of the argument to the SMTP “HELO” command.
Example: This context provides the length of the text highlighted in yellow.

smtp-req-mail-argument-length
Description: Length of the argument to the SMTP “MAIL FROM” command.
Example: This context provides the length of the text highlighted in yellow.

smtp-req-rcpt-argument-length
Description: Length of the argument to the SMTP “RCPT TO” command.
Example: This context provides the length of the text highlighted in yellow.


sctp-req-ppid
Description: The Payload Protocol Identifier (PPID) is a 32-bit unsigned integer that carries an application-specified (upper layer) protocol identifier. It identifies the type of information carried in an SCTP DATA chunk.
Example:

ssl-rsp-version
Description: Detects the SSL version listed in the SSL server hello handshake.
Example:


stun-req-attr-type
Description: STUN server requests and responses contain message attributes. This context identifies the 2-byte attribute type value. In this case the hex value is 0x0003, so the custom app takes the decimal equivalent, 3.
Example:

panav-rsp-zip-compression-ratio
Description: The data compression ratio compares the uncompressed size and the compressed size of a file. This context detects the zip compression ratio of files downloaded over HTTP and can be used to identify a zip bomb or other files with very large compression ratios.
Example:
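As an added illustration that is not part of the tech note, the following Python computes the ratio this context reports from a zip file's own central-directory metadata and flags an archive whose declared ratio exceeds a threshold; the threshold value, the function names and the two archives it builds are all constructed for the example.

```python
import hashlib
import io
import zipfile


def zip_compression_ratio(zip_bytes: bytes) -> float:
    """Return (sum of uncompressed sizes) / (sum of compressed sizes).

    Only the central directory is read; no entry is inflated. This is the
    cheap check that can run before a decoder decides whether to expand a
    file. The sizes come from attacker-controlled headers, so a decoder
    that does inflate must still cap the bytes it actually produces.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = zf.infolist()
    uncompressed = sum(e.file_size for e in entries)
    compressed = sum(e.compress_size for e in entries)
    if compressed == 0:
        # An archive with no data (e.g. no entries) has no meaningful
        # ratio; report 1:1 rather than dividing by zero.
        return 1.0
    return uncompressed / compressed


def looks_like_zip_bomb(zip_bytes: bytes, max_ratio: float = 100.0) -> bool:
    """True when the archive's declared ratio exceeds max_ratio.

    max_ratio is an assumed policy value: typical documents deflate to a
    small single-digit ratio, so 100:1 leaves headroom for legitimate files.
    """
    return zip_compression_ratio(zip_bytes) > max_ratio


def build_zip(entries: dict) -> bytes:
    """Constructed test input: a deflated archive with the given name->payload entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic incompressible filler (a SHA-256 chain), constructed for the example."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# 512 KiB of zeros deflates to well under a kilobyte: a bomb-like ratio.
ZERO_RUN_ZIP = build_zip({"zeros.bin": b"\x00" * (512 * 1024)})
# 4 KiB of pseudo-random data barely compresses at all.
RANDOM_ZIP = build_zip({"random.bin": pseudo_random_bytes(4096)})
# An archive with no entries exercises the divide-by-zero guard.
EMPTY_ZIP = build_zip({})

if __name__ == "__main__":
    for label, blob in (("zeros", ZERO_RUN_ZIP), ("random", RANDOM_ZIP), ("empty", EMPTY_ZIP)):
        ratio = zip_compression_ratio(blob)
        print(f"{label}: ratio {ratio:.1f}:1, bomb-like={looks_like_zip_bomb(blob)}")
```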


String Contexts (Pattern Match)

dns-req-addition-section
Description: Additional records section, if found in a DNS request (normal DNS requests should not have an additional records section).
Example: This context provides the text highlighted in yellow.

dns-req-answer-section
Description: Answer section, if found in a DNS request (normal DNS requests should not have an answer section).
Example: This context provides the text highlighted in yellow.


dns-req-authority-section
Description: Authority section, if found in a DNS request (normal DNS requests should not have an authority section).
Example: This context provides the text highlighted in yellow.

dns-req-header
Description: Full DNS request header (12 bytes), which includes the transaction ID, query flags, number of questions, and the Resource Record (RR) counts in a DNS request.
Example: This context provides the text highlighted in yellow.


dns-req-section
Description: This context matches against the DNS questions of a DNS query, so that patterns can be written against one or more domains in a given DNS query. It is a direct pattern match against the format of a DNS query, so patterns must adhere to the DNS question structure. A recommended approach to creating a DNS pattern is to capture the DNS request with Wireshark and copy the DNS Request field (make sure to remove the ending period in the request).
Example 1: The following example illustrates how to build a signature for a DNS query for the domain www.thebayareagamers.com.

The signature pattern is: \x 03 77 77 77 10 74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 03 63 6f 6d\x

Pattern | Description
\x | Indicates this pattern is a hex pattern match
03 | Indicates that the next 3 bytes are to be matched
77 77 77 | "www" (the period in the domain name is omitted)
10 | Indicates that the next 16 bytes (10 hex) are to be matched
74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 | "thebayareagamers"
03 | Indicates that the next 3 bytes are to be matched
63 6f 6d | "com"
\x | Ends the hex pattern match

Example 2: Here you can see the Wireshark representation of this table. Everything highlighted in yellow and blue is provided by this context. The blue section is where the hexadecimal string in the table above is taken from.
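The label encoding the table above walks through, as an added Python example that is not part of the tech note: it converts a domain name into DNS question labels, emits the pattern in the \x ... \x syntax used here, and decodes labels back for checking; the function names are assumptions, and the domain is the one the hex in the table decodes to.

```python
def dns_name_to_wire(domain: str) -> bytes:
    """Encode a domain name as DNS question labels (RFC 1035 section 3.1).

    Each label is preceded by a one-byte length; the dots themselves are
    never on the wire. A trailing period (the root label) is stripped, which
    is what the tech note's advice to remove the ending period amounts to,
    so the pattern covers the labels only.
    """
    name = domain.rstrip(".").lower()
    if not name:
        raise ValueError("empty domain name")
    wire = bytearray()
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label {label!r} must be 1 to 63 bytes long")
        wire.append(len(raw))
        wire += raw
    return bytes(wire)


def wire_to_hex_pattern(wire: bytes) -> str:
    """Render bytes in the tech note's hex-pattern syntax: \\x 03 77 ... 6d\\x."""
    return "\\x " + " ".join(f"{b:02x}" for b in wire) + "\\x"


def wire_to_dns_name(wire: bytes) -> str:
    """Decode length-prefixed labels back to dotted form, rejecting truncated input."""
    labels, pos = [], 0
    while pos < len(wire):
        length = wire[pos]
        pos += 1
        if length == 0 or length > 63 or pos + length > len(wire):
            raise ValueError(f"bad label length {length} at offset {pos - 1}")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def domain_pattern(domain: str) -> str:
    """Pattern for dns-req-section that matches a query for `domain`."""
    return wire_to_hex_pattern(dns_name_to_wire(domain))


if __name__ == "__main__":
    # Trailing period as Wireshark displays the name; it is stripped.
    pattern = domain_pattern("www.thebayareagamers.com.")
    print(pattern)
    # A plain-text pattern would never match, because the dots are length bytes.
    wire = dns_name_to_wire("www.thebayareagamers.com")
    print("dotted text present on the wire:", b"www.thebayareagamers.com" in wire)
    print("decoded:", wire_to_dns_name(wire))
```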


dns-rsp-addition-section
Description: Additional records section of a DNS response.
Example: This context provides the text highlighted in yellow.

dns-rsp-answer-section
Description: The entire Answers section of a DNS response, except for PTR records, which are matched in a separate context (dns-rsp-ptr-answer-data).
Example: This context provides the text highlighted in yellow.


dns-rsp-authority-section
Description: The complete authority section of a DNS response.
Example: This context provides the text highlighted in yellow.

dns-rsp-header
Description: Full DNS response header, which includes the transaction ID, query flags, the number of questions, and the Resource Record (RR) counts.
Example: This context provides the text highlighted in yellow.


dns-rsp-ptr-answer-data
Description: FQDN for a type PTR DNS response.
Example: This context provides the text highlighted in yellow.

dns-rsp-queries-section
Description: Name, type, and class of the queries section in a DNS response.
Example: This context provides the text highlighted in yellow.


email-headers
Description: All email headers and the plain-text email body. Attachments are not included in this context, as they are provided elsewhere.
Example: This context provides the text in bold.

Microsoft Mail Internet Headers Version 2.0
Received: from mail.litwareinc.com ([10.54.108.101]) by mail.proseware.com with Microsoft SMTPSVC(6.0.3790.0); Wed, 12 Dec 2007 13:39:22 -0800
Received: from mail ([10.54.108.23] RDNS failed) by mail.litware.com with Microsoft SMTPSVC(6.0.3790.0); Wed, 12 Dec 2007 13:38:49 -0800
From: "Kelly J. Weadock" <[email protected]>
To: <[email protected]>
Cc: <[email protected]>
Subject: Review of staff assignments
Date: Wed, 12 Dec 2007 13:38:31 -0800
Message-ID: <[email protected]>
X-OriginalArrivalTime: 12 Dec 2007 21:38:50.0145 (UTC)

Hey, Check out this picture. Kelly

Content-Type: image/gif; name="world1.gif"
Content-Description: world1.gif
Content-Disposition: attachment; filename="world1.gif"; size=292; creation-date="Wed, 12 DEC 2007 07:29:14 GMT"; modification-date=" Wed, 12 DEC 2007 07:29:14 GMT"
Content-ID: <[email protected]>
Content-Transfer-Encoding: base64
R0lGODlhFAAWAKEAAP///8z//wCZMwAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9t
YWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAAB
ACwAAAAAFAAWAAACY4yPqTrtm5qYtMEGBNiaWzRMHEVlwgBm5lieR7hqsiqjQSjG3I7C9LgznXw5
nUwjAaqEIiSs2Vl2nKWglIfbsHJTV3bJJNkGLG10arspwZ20mlYVum++8PBCBn8gBseDD7hQAAA7

file-elf-body
Description: Identifies an Executable and Linkable Format (ELF) file contained in a protocol or application response and provides the ELF file body.
Example:

file-flv-body
Description: Full body of a Flash video (FLV) file, minus the first 9 bytes, which are reserved for the header. Here is a screenshot from Wikipedia detailing the 9-byte header:

Example: Using the CLI hex editor xxd, we can view the header of the flash file.

Macbook:~ noob$ xxd -l 9 flash_video.flv
0000000: 464c 5601 0500 0000 09                   FLV......

Every byte after the 9th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 flash_video.flv
0000000: 464c 5601 0500 0000 0900 0000 0012 0003  FLV.............
0000010: 4b00 0000 0000 0000 0200 0a6f 6e4d 6574  K..........onMet
0000020: 6144 6174 6108 0000 000f 0008 6475 7261  aData.......dura
0000030: 7469


file-html-body
Description: Full body of an HTML file, minus the first 8 bytes, which are reserved for the header.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 The_legend_of_random.html
0000000: 3c21 444f 4354 5950 4520 6874 6d6c 2050  <!DOCTYPE html P
0000010: 5542 4c49 4320 222d 2f2f 5733 432f 2f44  UBLIC "-//W3C//D
0000020: 5444 2058 4854 4d4c 2031 2e30 2054 7261  TD XHTML 1.0 Tra
0000030: 6e73                                     ns

file-java-body
Description: Full body of a Java file, minus the first 4 bytes, which are reserved for Java’s ‘magic number’.
Example: Using the CLI-based hex editor xxd, we can view the first 4 bytes of the Java file:

Macbook:~ noob$ xxd -l 4 java_file.class
0000000: cafe babe                                ....

Every byte after the 4th is provided by this context. Only the first 25 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 25 java_file.class
0000000: cafe babe 0000 0033 0047 0a00 1300 2107  .......3.G....!.
0000010: 0022 0a00 0200 210a 00


file-mov-body
Description: Full body of a MOV file, minus the first 8 bytes, which are reserved for the header.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 /System/Library/Compositions/Yosemite.mov
0000000: 0000 0020 6674 7970 7174 2020 2005 0300  ... ftypqt ...
0000010: 7174 2020 0000 0000 0000 0000 0000 0000  qt ............
0000020: 0000 10ae 6d6f 6f76 0000 006c 6d76 6864  ....moov...lmvhd
0000030: 0000

file-office-content
Description: Full body of a Microsoft Office document file, minus the first 8 bytes, which are reserved for the header.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 Word_Document.doc
0000000: d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 3e00 0300 feff 0900  ........>.......
0000020: 0600 0000 0000 0000 0000 0000 2000 0000  ............ ...
0000030: b20f

file-pdf-body
Description: This context provides the full body of a PDF file, minus the first 8 bytes, which are reserved for the header. Compressed data is provided in decompressed form by the decoder.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 WildFire_Administrators_Guide-5.1.pdf
0000000: 2550 4446 2d31 2e36 0d25 e2e3 cfd3 0d0a  %PDF-1.6.%......
0000010: 3431 3332 2030 206f 626a 0d3c 3c2f 4c69  4132 0 obj.<</Li
0000020: 6e65 6172 697a 6564 2031 2f4c 2031 3237  nearized 1/L 127
0000030: 3834                                     84

file-riff-body
Description: Full body of a RIFF file, minus the first 8 bytes, which are reserved for the header.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 /pentest/misc/exiftool/t/images/RIFF.avi
0000000: 5249 4646 b63b 2a00 4156 4920 4c49 5354  RIFF.;*.AVI LIST
0000010: 4601 0000 6864 726c 6176 6968 3800 0000  F...hdrlavih8...
0000020: 6a04 0100 c824 0300 0000 0000 1000 0100  j....$..........
0000030: e900                                     ..

file-swf-body
Description: Full body of a SWF file, minus the first 8 bytes, which are reserved for the header.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.

Macbook:~ noob$ xxd -l 50 Cinema.swf
0000000: 4357 530a bef9 3c00 78da c4bd 0778 1bc7  CWS...<.x....x..
0000010: d52e 8c99 c562 b128 043b 2952 9229 773b  .....b.(.;)R.)w;
0000020: b624 cb89 132b 8e1d 8aa4 2426 5431 49c9  .$...+....$&T1I.
0000030: f697                                     ..


file-tiff-body
Description: When the firewall detects a Tagged Image File Format (TIFF) file, this context returns the data contained within the body of the file.
Example:

file-unknown-body
Description: If a file isn’t matched to one of our other contexts, you can use this context to match the file. This context provides the data after the first 8 bytes and up to 7 packets of an unknown file we couldn’t otherwise identify.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided until 7 packets have been seen. In the example below, the first 8 bytes are numbered to show clearly what wouldn’t be matched. Next are “A”s followed by “shellcode” in hex. We could, for instance, block this file by adding ‘\x7368656c6c636f6465\x’ in the “Pattern” field of the custom signature.

Macbook:~ noob$ xxd file.bin
0000000: 1122 3344 5566 7788 4141 4141 4141 4141  ."3DUfw.AAAAAAAA
0000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
0000020: 7368 656c 6c63 6f64 65                   shellcode

ftp-req-params
Description: Parameters following an FTP command.
Example: The context provides the text highlighted in yellow.

Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to specific FTP commands and known FTP clients.

ftp-rsp-banner
Description: FTP welcome banner shown before authentication.
Example: This context provides the text highlighted in yellow.

ftp-rsp-message
Description: FTP server response message, including the response code itself. Note that the code and the space after it can be used as part of the required 7-byte anchor.
Example: This context matches the text highlighted in yellow.


gdbremote-req-context
Description: GDB is a process debugger that can debug across the network. This context provides the request data.
Example: After capturing the GDB network data, follow the TCP stream to view the data. In this instance, everything in red is the request data, and that is what this context provides.


gdbremote-rsp-context
Description: GDB is a process debugger that can debug across the network. This context provides the response data.
Example: After capturing the GDB network data, I followed the TCP stream to view the data. In this instance, everything in blue is what this context provides.

giop-req-message-body
Description: Everything in the GIOP request.
Example: This context provides the text highlighted in yellow.


giop-rsp-message-body
Description: Data after the GIOP header in a GIOP response.
Example: This context provides the text highlighted in yellow.

h225-payload
Description: Extracts any data contained in an H.225.0 (App-ID: h.225) request.
Example:


http-req-cookie
Description: Returns the Cookie header value contained in an HTTP request header.
Example:

http-req-headers
Description: HTTP request header, not including the method, path, HTTP version, or Host header, as those are provided by other contexts.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to HTTP headers with specific values for select header fields and for specific HTTP methods.


http-req-host-header
Description: Host field in an HTTP request header.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to HTTP headers with specific values for select header fields and for specific HTTP methods.

http-req-message-body
Description: Body content of an HTTP request when the body cannot be recognized as URL-encoded or MIME-type data using the Content-Type field.
Example: This context provides the full body. I followed the TCP stream in Wireshark and chose only a portion of the body for the signature to match.

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific HTTP methods.


http-req-mime-form-data
Description: MIME header data in the body of an HTTP request, not including embedded file contents.
Example: This context provides the data highlighted in yellow.

http-req-params
Description: The query string (everything after the ‘?’), as well as the parameters in the HTTP body for a POST method.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific HTTP methods.


http-req-uri-path
Description: Path in an HTTP request header (up to and including the ‘?’).
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific HTTP methods.

http-rsp-headers
Description: Full HTTP response header, not including the HTTP banner.
Example: This context provides the text highlighted in yellow.


http-rsp-non-2xx-response-body
Description: Body of non-2xx HTTP responses, excluding HTTP 406 (Not Acceptable) responses.
Example: This context provides the text highlighted in yellow.

imap-req-cmd-line
Description: IMAP command used.
Example: This context provides the text highlighted in yellow.


imap-req-first-param
Description: First parameter to an IMAP command.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.

imap-req-params-after-first-param
Description: Every parameter to an IMAP command, not including the first parameter.
Example: This context provides the text highlighted in yellow.

irc-req-params
Description: Argument after the actual IRC command and the space that follows it.
Example: This context provides the text highlighted in yellow.


irc-req-prefix
Description: Data before an IRC command, typically used to indicate the true origin of a message.
Example: Following the TCP stream in Wireshark, you can see that there is data in between the IRC commands. It appears this message was proxied.

jpeg-file-scan-data
Description: This context provides all of the scan data within a JPEG file.

jpeg-file-segment-data
Description: This context provides all of the segment data within a JPEG file.

jpeg-file-segment-header
Description: This context provides the segment header data within a JPEG file.


ms-ds-smb-req-share-name
Description: Full path to a file that is read or written using SMB.
Example: This context provides the text highlighted in yellow.

msrpc-req-bind-data
Description: Data payload of an MS-RPC Bind request.
Example: This context provides the text highlighted in yellow. The easiest way to find a pattern to match is to look at the hex representation of the payload and pick at least 7 bytes to match on, as seen below.
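As an added example that is not code from the tech note, the following Python parses the \x...\x hex-pattern syntax, enforces the 7-byte minimum that this entry and ftp-rsp-message mention, and tests a pattern against what file-unknown-body exposes, using the file.bin bytes reconstructed from that entry's xxd dump; the constant and function names are assumptions.

```python
import re

# Minimum pattern length the tech note cites (its "7-byte anchor");
# the constant name is assumed for this example.
MIN_PATTERN_BYTES = 7
# file-unknown-body skips the first 8 bytes of the file.
UNKNOWN_FILE_HEADER_LEN = 8

_HEX_PATTERN = re.compile(r"\\x\s*((?:[0-9a-fA-F]{2}\s*)+)\\x")


def parse_hex_pattern(pattern: str) -> bytes:
    """Turn '\\x 73 68 ...\\x' (spaces between bytes optional) into bytes.

    Rejects missing delimiters, odd digit counts, and anchors shorter than
    MIN_PATTERN_BYTES: the mistakes most likely when a pattern is typed by
    hand from a hex dump.
    """
    m = _HEX_PATTERN.fullmatch(pattern.strip())
    if not m:
        raise ValueError("pattern must be \\x..\\x around an even number of hex digits")
    raw = bytes.fromhex(m.group(1))  # fromhex skips the whitespace between bytes
    if len(raw) < MIN_PATTERN_BYTES:
        raise ValueError(f"pattern is {len(raw)} bytes; at least {MIN_PATTERN_BYTES} are required")
    return raw


def unknown_file_body(file_bytes: bytes) -> bytes:
    """The slice file-unknown-body exposes: everything after the 8-byte header."""
    return file_bytes[UNKNOWN_FILE_HEADER_LEN:]


def pattern_offset(pattern: str, context: bytes) -> int:
    """Offset of the first match of the pattern inside the context bytes, or -1."""
    return context.find(parse_hex_pattern(pattern))


def pattern_matches(pattern: str, context: bytes) -> bool:
    return pattern_offset(pattern, context) >= 0


# Reconstructed from the tech note's xxd dump of file.bin: an 8-byte
# numbered header, 24 'A's, then the ASCII string "shellcode".
FILE_BIN = bytes.fromhex("1122334455667788") + b"A" * 24 + b"shellcode"

# The tech note's own pattern, one that lies entirely inside the skipped
# header, and one too short to be accepted.
SHELLCODE_PATTERN = "\\x7368656c6c636f6465\\x"
HEADER_ONLY_PATTERN = "\\x 11 22 33 44 55 66 77 88\\x"
TOO_SHORT_PATTERN = "\\x41414141\\x"

if __name__ == "__main__":
    body = unknown_file_body(FILE_BIN)
    print("shellcode found at body offset", pattern_offset(SHELLCODE_PATTERN, body))
    print("header bytes visible to the context:", pattern_matches(HEADER_ONLY_PATTERN, body))
    try:
        parse_hex_pattern(TOO_SHORT_PATTERN)
    except ValueError as exc:
        print("rejected:", exc)
```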


mssql-db-req-body
Description: Request to a Microsoft SQL server, excluding the request header.
Example: This context provides the text highlighted in yellow.

nettcp-req-context
Description: Checks the RequestContext field in Net.TCP (App-ID: net.tcp) requests.

oracle-req-data-text
Description: When the firewall detects an Oracle request and the request type is DATA, this context returns the data contained in the request.
Example:


pe-dos-headers
Description: This context provides the DOS MZ header and the DOS stub, which are located in the first 64 bytes of the PE file.
Example: This context provides the data shown in bold in the PE File Structure listing below.

PE File Structure

DOS MZ Header + DOS Stub – first 64 bytes

PE File Header – next 20 bytes

PE Optional Header – next 224 bytes

PE Section Header – next 40 bytes each

PE Body Data – Rest of the file

pe-file-header
Description: This context provides the PE file header, which is 20 bytes long and starts at the 65th byte of the PE file.
Example: This context provides the data shown in bold in the PE File Structure listing above.


pe-optional-header
Description: This context provides the optional header of a PE file, which is typically 224 bytes long and starts at the 86th byte of the PE file.
Example: This context provides the data shown in bold in the PE File Structure listing above.



pe-section-header
Description: This context provides the section headers of a PE file, which are 40 bytes each. Some typical sections with headers are “idata”, “rsrc”, “data”, “text”, and “src”. However, a PE file need not include every section, and the sections are not guaranteed to be in any specific order.
Example: This context provides the data shown in bold in the PE File Structure listing above.


pe-body-data
Description: This context provides the body data of a PE file, which includes everything inside the file sections themselves. The body data is located after the headers mentioned above.
Example: This context provides the data shown in bold in the PE File Structure listing above.

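As an added Python example that is not from the tech note, this walks the five regions of the PE File Structure listing on a constructed minimal PE image. It follows the PE specification rather than the fixed offsets in the listing: the file header is located through the e_lfanew field at offset 0x3C and sits behind a 4-byte "PE\0\0" signature, the optional header length is read from the file header, and the number of 40-byte section headers comes from NumberOfSections. The function names and the sample image are assumptions.

```python
import struct

DOS_HEADER_LEN = 64             # IMAGE_DOS_HEADER; the stub after it has no fixed size
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_LEN = 20            # IMAGE_FILE_HEADER (COFF header)
SECTION_HEADER_LEN = 40         # IMAGE_SECTION_HEADER
PE32_OPTIONAL_HEADER_LEN = 224  # size the tech note quotes; PE32+ uses 240


def pe_regions(data: bytes) -> dict:
    """Split a PE image into the regions the pe-* contexts expose.

    Returns (offset, length) pairs for the DOS headers, file header,
    optional header and body data, plus one record per section header.
    """
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    # e_lfanew at 0x3C points at the PE signature; the DOS stub in between
    # is variable, which is why a parser must not assume offset 64.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    fh_off = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_len, _ = struct.unpack_from("<HHIIIHH", data, fh_off)
    opt_off = fh_off + FILE_HEADER_LEN
    sec_off = opt_off + opt_len
    sections = []
    for i in range(num_sections):
        off = sec_off + i * SECTION_HEADER_LEN
        if off + SECTION_HEADER_LEN > len(data):
            raise ValueError("section table runs past the end of the file")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "header": (off, SECTION_HEADER_LEN),
            "raw_data": (raw_ptr, raw_size),
        })
    body_off = sec_off + num_sections * SECTION_HEADER_LEN
    return {
        "dos_headers": (0, e_lfanew),
        "file_header": (fh_off, FILE_HEADER_LEN),
        "optional_header": (opt_off, opt_len),
        "section_headers": sections,
        "body_data": (body_off, len(data) - body_off),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: headers plus two tiny sections, not a
    runnable program. There is no DOS stub, so e_lfanew is 64 and the layout
    lines up with the tech note's listing."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)
    # Machine i386, two sections, PE32-sized optional header, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, PE32_OPTIONAL_HEADER_LEN, 0x0102)
    opt_hdr = bytearray(PE32_OPTIONAL_HEADER_LEN)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)  # PE32 magic
    headers_len = (DOS_HEADER_LEN + len(PE_SIGNATURE) + FILE_HEADER_LEN
                   + PE32_OPTIONAL_HEADER_LEN + 2 * SECTION_HEADER_LEN)
    text = b"\xcc" * 16         # int3 filler standing in for code
    data = b"hello, pe world\0"  # 16 bytes of initialized data

    def section(name, vaddr, raw_ptr, raw, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw),
                           raw_ptr, 0, 0, 0, 0, characteristics)

    sec_text = section(b".text", 0x1000, headers_len, text, 0x60000020)
    sec_data = section(b".data", 0x2000, headers_len + len(text), data, 0xC0000040)
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(opt_hdr) + sec_text + sec_data + text + data


if __name__ == "__main__":
    for region, where in pe_regions(build_sample_pe()).items():
        print(region, where)
```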


rtmp-req-message-body
Description: RTMP body, up until twenty packets have been sent.
Example: This context provides the text highlighted in yellow.

rtsp-req-headers
Description: Full RTSP request headers, not including the command line.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.


rtsp-req-uri-path
Description: Path of an RTSP request, not including the command line.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.

snmp-req-community-text
Description: When the firewall detects an SNMP request, the SNMP request header contains a variable text field called community. The snmp-req-community-text context is used to track the value of the community field.
Example:


smtp-req-argument
Description: Argument of an SMTP command.
Example: This context provides the text highlighted in yellow.

Qualifiers: This context can use the SMTP method (Table 7) qualifier to limit signatures to specific SMTP methods.

smtp-rsp-content
Description: SMTP server response content.
Example: This context provides the text highlighted in yellow.


ssh-req-banner Description: SSH banner of the client, not including comments Example: This context provides the text highlighted in yellow.

ssh-rsp-banner Description: SSH banner of the server, not including comments Example: This context provides the text highlighted in yellow.

ssl-req-certificate Description: Certificate request message of an SSL negotiation when initiated from the client Example: This context provides the text highlighted in yellow.


ssl-req-client-hello Description: Client hello message of an SSL negotiation Example: This context provides the text highlighted in yellow.

ssl-req-random-bytes Description: Random bytes field in the SSL client hello Example: This value is already hexadecimal; you’ll need to write the pattern in your signature as such (enclosed in \x).


ssl-rsp-cert-subjectpublickey Description: Certificate subject public key that’s part of an SSL server hello handshake Example: This context matches the text highlighted in yellow.

ssl-rsp-certificate Description: Certificate response message of an SSL negotiation from the server Example: This context matches the text highlighted in yellow.


ssl-rsp-server-hello Description: Server hello message of an SSL negotiation Example: This context provides the text highlighted in yellow.

telnet-req-client-data Description: All telnet data for traffic originating from the client Example: This context matches the text highlighted in yellow.

telnet-rsp-server-data Description: All telnet data for traffic originating from the server Example: This context matches the text highlighted in yellow.


unknown-req-tcp-payload Description: Full TCP payload for unknown TCP traffic originating from the client Example: This context matches the text highlighted in yellow.

unknown-rsp-tcp-payload Description: Full TCP payload for unknown TCP traffic originating from the server Example: This context matches the text highlighted in yellow.

unknown-req-udp-payload Description: Full UDP payload for unknown UDP traffic originating from the “client”, which is the initiator of UDP communications Example: This context matches the text highlighted in yellow.


unknown-rsp-udp-payload Description: Full UDP payload for unknown UDP traffic originating from the “server”, which is opposite the “client” Example: This context matches the text highlighted in yellow.


Regex Syntax with Examples Regex, short for “regular expression”, is a very important tool for the more complex custom signatures. A regular expression is nothing more than a sequence of characters that forms a search pattern, which is then used to match strings. Using the regex library allows you to create signatures that match dynamic strings that follow some sort of pattern instead of only matching a never-changing static string. Hopefully the examples below will help build a basic understanding of regex and how to use it with PAN-OS.

Table of PAN-OS Regex Characters This table contains the fundamental characters that are used to create a search pattern.

Syntax   Description
.        Match any single character
?        Match the preceding character or expression 0 or 1 time; the general expression MUST be inside a pair of parentheses, e.g. (abc)?
*        Match the preceding character or expression 0 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)*
+        Match the preceding character or regular expression 1 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)+
|        Equivalent to "or" as in this example: ((bif)|(scr)|(exe)): match “bif”, “scr” or “exe”. Note that the alternative substrings MUST be in parentheses
-        Used to create range expressions as in this example: [c-z]: match any character between c and z INCLUSIVE
[ ]      Match any, as in this example: [abz]: match any of the characters a, b, or z
^        Match any except, as in this example: [^abz]: match any character but a, b, or z
{ }      Min/Max number of bytes, as in this example: .{10,20}: match any string that is between 10 and 20 bytes. Note: Must be directly in front of a fixed string of at least 7 bytes, and only supports “.”.
\        To perform a literal match on any one of the special characters above, it MUST be escaped by preceding it with a ‘\’ (backslash)
&amp     & is a special character, so to look for the "&" in a string you must use "&amp" instead

Simple Examples of Patterns Using Each Supported Character This table gives a simple regex pattern, possible strings the pattern would match, and a short explanation of why it matched, for each character in our regex library. Regex patterns can get quite a bit more lengthy and complicated, but the basics must first be understood. Hopefully this table will help reinforce the basic usage of each character. Once you’re comfortable with the table below, you can begin to add complexity by using multiple regex characters in combination.

Syntax   Pattern Example / Possible Matches / Explanation

.        Pattern: Malware.   Matches: Malwares, Malware1
         The ‘.’ matches any character except for a newline ‘\n’

?        Pattern: Copyrights?   Matches: Copyright, Copyrights
         Matches singular and plural Copyright

*        Pattern: PayloadA*   Matches: Payload, PayloadAAAAA
         Matches without the ‘A’, with the ‘A’, and with multiple ‘A’s

+        Pattern: Networks+   Matches: Networks, Networksssss
         Matches with a single ‘s’ and with multiple ‘s’s

|        Pattern: Copyright(s)|(ed)   Matches: Copyrights, Copyrighted
         Matches plural and ‘ed’ suffix

-        Pattern: Shellcode[a-d]   Matches: Shellcodea, Shellcodec
         Matches Shellcode followed by the letters ‘a’ through ‘d’

[ ]      Pattern: Customer[12]   Matches: Customer1, Customer2
         7-byte anchor is ‘Customer’; matches Customer if ‘1’ or ‘2’ follows

^        Pattern: Network[^ABC]   Matches: NetworkD, Networkz
         Matches Network followed by any character except for ‘A’, ‘B’, or ‘C’

{ }      Pattern: Anchors.{2,5}   Matches: AnchorsAB, Anchorscdefg
         Matches Anchors followed by anything, as long as it’s 2-5 bytes in length

\        Pattern: www\.paloaltonetworks\.com   Matches: www.paloaltonetworks.com
         The dots are escaped since they’re a reserved regex character

&amp     Pattern: Username&ampPassword   Matches: Username&Password
         Potentially used to block clear-text authentication attempts


Common Regex Syntax Errors

1. Every pattern you create must contain at least a 7-byte string with fixed values.

   o The 7-byte fixed string can be anywhere in your pattern.

   o The 7 values must be fixed; this means no ‘.’ (dot), no ‘*’ (star), no ‘+’ (plus), or other wildcard characters within the 7 bytes.

2. Incorrect character case when defining pattern matches in the application signature.

When defining the traffic pattern to match on when writing a custom application signature, the application decoder may or may not be case-sensitive for a given field, depending on the decoder that the firewall uses. Because of this, you may need to define variations of the pattern. For example, if you match on the pattern .\.cnn\.com, the same application may also use the pattern .\CNN\.com. In this case, you will need to define both versions in the signature to ensure that the signature functions properly. The following lists the current string contexts that ignore case: Note: This information is based on PAN-OS 6.1 and may differ in other releases. For JavaScript, the name is file-html-body and it is not case sensitive.

entry alias="rtmp-req-body" name="rtmp-req-message-body"
entry name="http-req-headers"
entry name="http-req-host-header"
entry name="http-req-params"
entry name="http-req-uri-path"
entry name="http-req-message-body"
entry name="imap-req-cmd-line"
entry name="giop-req-message-body" alias="corba-req-field"
entry name="giop-rsp-message-body" alias="corba-rsp-field"
entry name="imap-req-first-param"
entry name="email-headers" alias="panav-rsp-email-headers"
entry name="ssl-req-random-bytes"
entry name="ssl-req-certificate"
entry name="imap-req-params-after-first-param"
entry name="smtp-req-argument"
entry name="smtp-rsp-content"
entry name="rtsp-req-uri-path"
entry name="rtsp-req-headers"
entry name="telnet-req-client-data"
entry name="telnet-rsp-server-data"
entry alias="unknown-req-text" name="unknown-req-udp-payload"
entry alias="unknown-rsp-text" name="unknown-rsp-udp-payload"
entry name="unknown-req-tcp-payload"
entry name="unknown-rsp-tcp-payload"
entry name="ms-ds-smb-req-share-name"
entry name="ssh-req-banner"
entry name="ssh-rsp-banner"
entry name="msrpc-req-bind-data"
entry name="mssql-db-req-body"


3. The “Pattern” field in the condition window has a limit of 127 characters, but what if your pattern is longer?

o The solution is to ‘AND’ them together as shown in figure 5. You can even leave “Ordered Condition Match” selected, so it must see them in order to perform a closer match to the full string.

Figure 4 – Too many characters in the “Pattern” field
Figure 5 – String split in half with ‘AND’

4. Error – “can’t support repetition without string pattern behind it in pattern”

o This error indicates that we need 7 bytes after each repetition element. If we were to add three more ‘B’ letters to the end, there would be 7 bytes instead of 4, and the signature would be valid.

o Another work-around that is possible in some patterns is to just write out the ‘.’ (dot) characters instead of using the repetition. ‘{4}’ would become ‘….’ and there is no repetition requirement.

Figure 4.1 – Invalid because only 4 bytes (‘BBBB’) follow the repetition ‘.{4}’

Figure 4.2 – Valid because 7 bytes ‘BBBBBBB’ now follow the repetition element


5. Error - “can't handle two dfas next to each other in pattern”

o This error indicates the pattern entered contains two strings that are both less than 7 bytes and are separated by a regex wildcard element. An example is the one seen in Figure 5.1: “pan” and “net” are both less than 7 bytes each and are separated by the repetition element ‘.{4}’, which is considered a wildcard element along with ‘*’ (star), ‘.’ (dot), and so on.

o To fix this, you need to increase the size of at least one of the strings to 7 bytes or more. Figure 5.2 shows a fixed signature by changing “net” to “networks” which is at least 7 bytes.

Figure 5.1 – Invalid because there are two strings less than 7 bytes separated by a DFA

Figure 5.2 – Valid because only one string of less than 7 bytes now sits next to the repetition element
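An added example, not part of this tech note and not Palo Alto Networks code, that applies the regex-character tables above and the three pattern errors just described: a small checker that reports which documented error a pattern would hit, and a translator that test-fires a PAN-OS pattern (including \x hex runs and &amp) against sample bytes offline. The sample bytes are the 50 bytes of the xxd dump from Example 2; the 7-byte rules and error strings come from this section, while treating parentheses and ‘|’ as grouping rather than wildcards, and accepting a trailing {m,n} as in the table's ‘Anchors.{2,5}’, are assumptions drawn from the tables' own examples.

```python
import re
# Added example, not Palo Alto Networks code: an offline approximation of the pattern
# rules this note lists (7-byte fixed string, a {m,n} needing 7 fixed bytes behind it,
# no two short strings around a wildcard) plus a translator to test-fire a pattern on
# sample bytes. The firewall's compiler is the authority; this catches the documented cases.

def tokenize(pattern):
    """Split a PAN-OS pattern into (kind, value) tokens; 'fixed' carries a byte count."""
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("\\x", i):               # \x..\x hex run, two digits per byte
            end = pattern.index("\\x", i + 2)          # ValueError if the run is unterminated
            tokens.append(("fixed", (end - i - 2) // 2)); i = end + 2
        elif c == "\\":                                # escaped metacharacter: one literal byte
            tokens.append(("fixed", 1)); i += 2
        elif pattern.startswith("&amp", i):            # a literal '&' is written as '&amp'
            tokens.append(("fixed", 1)); i += 4
        elif c == "[":                                 # character class: one variable byte
            end = pattern.index("]", i)
            tokens.append(("wild", pattern[i:end + 1])); i = end + 1
        elif c == "{":                                 # {min,max} repetition count
            end = pattern.index("}", i)
            tokens.append(("rep", pattern[i:end + 1])); i = end + 1
        elif c in "*+?":                               # the byte being repeated is not fixed
            if tokens and tokens[-1] == ("fixed", 1):
                tokens.pop()
            tokens.append(("wild", c)); i += 1
        elif c in "()|":                               # grouping breaks a run but is no wildcard
            tokens.append(("group", c)); i += 1
        elif c == ".":
            tokens.append(("wild", c)); i += 1
        else:
            tokens.append(("fixed", 1)); i += 1
    return tokens

def fixed_runs(pattern):
    """Literal runs as (separator kinds before the run, byte length); a trailing wildcard gives 0."""
    runs, current, seps = [], 0, []
    for kind, val in tokenize(pattern):
        if kind == "fixed":
            current += val
        else:
            if current:
                runs.append((seps, current)); current, seps = 0, []
            seps.append(kind)
    runs.append((seps, current))
    return runs

def lint(pattern):
    """Return the documented compile errors this pattern would hit (empty list means OK)."""
    errors, runs = [], fixed_runs(pattern)
    if max(length for _, length in runs) < 7:
        errors.append("pattern must contain a 7-byte fixed string")
    # a {m,n} needs 7 fixed bytes behind it; a trailing one ('Anchors.{2,5}') is accepted
    if any("rep" in seps and 0 < length < 7 for seps, length in runs):
        errors.append("can't support repetition without string pattern behind it in pattern")
    # two literal strings under 7 bytes with a wildcard element (not mere grouping) between
    for (_, before), (seps, after) in zip(runs, runs[1:]):
        if 0 < before < 7 and 0 < after < 7 and any(s != "group" for s in seps):
            errors.append("can't handle two dfas next to each other in pattern")
            break
    return errors

def to_python_regex(pattern):
    """Translate PAN-OS notation (\\x..\\x hex runs, &amp) into a compiled Python bytes regex."""
    def hex_run(m):
        digits = m.group(1)
        return "".join("\\x" + digits[j:j + 2] for j in range(0, len(digits), 2))
    translated = re.sub(r"\\x([0-9A-Fa-f]+)\\x", hex_run, pattern).replace("&amp", "&")
    return re.compile(translated.encode("latin-1"))

def match_offset(pattern, data):
    m = to_python_regex(pattern).search(data)   # offset of the first match, or -1
    return m.start() if m else -1

# Constructed sample: the 50 bytes xxd printed in example 2 (a flash video header).
FLV_SAMPLE = bytes.fromhex("464c5601050000000900000000120003" "4b0000000000000002000a6f6e4d6574"
                           "6144617461080000000f000864757261" "7469")

if __name__ == "__main__":
    for p in ("Malware.", "AAAAAAA.{4}BBBB", "pan.{4}net", "pan.{4}networks"):
        print(f"{p:18} {lint(p) or 'OK'}")
    print("FLV hex pattern at offset", match_offset(r"\x0a6f6e4d657461\x", FLV_SAMPLE))
```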


Custom Signature Examples Given the amount of flexibility and specific terminology related to custom signatures, it’s easy to feel lost or not quite know how to apply your knowledge to actually creating a signature that performs the exact task you’d like it to. For that reason, four examples with detailed screenshots are included in this section. However, it’s best to familiarize yourself with a few keywords before going through the examples so you don’t get lost in the signature-specific terminology.

Signature Terminology Refresher

Scope – The scope defines how your signature is applied to the traffic. You have two options when choosing your scope: transaction and session. An example of a transaction is an HTTP request and response. You can have many of these transactions in one single session. You’ll need to write your signature conditions accordingly. If, for example, you wanted to match a single POST request, transaction would be best. If you wanted to match only when two different POST requests were both seen in the same session, session would be required.

Qualifier – Qualifiers can be used to further refine and limit the scope of a custom signature, and are context-dependent. They often limit the scope to an individual command or header type.

Aggregation Criteria – This is a setting found in combination signatures used to granularly aggregate the number of hits per second. If, for example, you wanted to alert only after 25 POSTs have been seen in 60 seconds and only when going to a certain destination IP, you would set the aggregation criteria to “destination”. Only a POST to that destination would count towards your limit of 25 POSTs. You can also choose “source” or “source-and-destination” to aggregate the number of hits differently.

Context – After the decoder decodes the protocol or file, it separates each portion into a context. Each context provides certain portions of that file or protocol. We then specify the context where we expect our pattern to be.

Ordered Condition Match – If your signature has multiple conditions and the order in which the conditions are seen is important, you can enable this setting. (The list of conditions uses the top-down approach, meaning it matches in order from top to bottom.)

And / Or Conditions – Just like any other Boolean conditions, “And” matches the first condition and the second condition and so on. “Or” matches the first condition or the second condition. “Or” conditions broaden the search, while “and” conditions narrow the search.

Direction – Found in the configuration tab of a custom signature. This indicates whether the threat is assessed from the client to server, server to client, or both.

Affected System – Found in the configuration tab of a custom signature. Indicates whether the threat involves the client, server, either, or both. This applies to vulnerability signatures, but not spyware signatures.


Example 1 – Integer-based Context Integer-based contexts can only look at a numerical value within the given context and determine whether the value seen is less than, equal to, or greater than the value you define. Here is a step-by-step example of how to create one of these types of signatures. We will use the http-rsp-code context, which looks at the numerical HTTP server response code. The signature is set to alert if the response code equals “404”.

1. First, you’ll need to go to the Objects tab -> click Vulnerability under the Custom Signatures section -> and click “Add”.

2. The only required fields are Threat ID, Name, Severity, and Direction. Ensure the Threat ID is between 41000-45000.

Figure 1 – Configuration Tab
Figure 2 – Completed Configuration Tab

3. Next, you’ll need to click the “Signatures” tab. We will cover combination signatures in a later example. For now, leave it at standard. Click “Add” at the bottom of the window to bring up the “Standard” window.


4. We start by giving this signature a name. This example will only have one condition; therefore we can ignore the Ordered Condition Match setting. Also, we only want to alert on a single transaction and not the full session, so we will leave the scope at “Transaction”. Finally, click “Add And Condition”.

Figure 3 – Signatures Tab
Figure 4 – Standard Window

5. Since we’re looking for the exact value of “404”, choose “Equal To” from the “Operator” drop-down menu. You’ll notice that the entries in the “Context” drop-down depend on your “Operator” selection. If for example you were to choose the operator “Pattern Match”, it would contain contexts based on a pattern, not an integer. Knowing this, select the “http-rsp-code” context from the “Context” drop-down menu. Next, enter “404” in the “Value” field.


6. The completed condition should look like “figure 6”. Click “OK” on each of the signature windows, commit, and test your new signature.

Figure 5 – New Condition Window
Figure 6 – Completed Condition Window

Example 2 – Matching Hexadecimal Values Any signatures requiring hexadecimal matching must have the hexadecimal values enclosed in ‘\x’. This tells the signature engine to start matching hex and also when to stop matching hex and go back to ASCII if needed. For this example, let’s create a signature using only hexadecimal values from the flash video context mentioned above named “file-flv-body”. You can use any hex-editor to view the hex contents of the file. I chose to go with xxd, a cli-based editor. By reading the “file-flv-body” context example in the contexts section above, we know that this context provides every byte after the header. Everything in bold is within the context, so we can write a pattern using those bytes.

We pick ‘0a6f 6e4d 6574 61’ as our value to match on. Keep in mind that every two alphanumeric values represent one byte, so this pattern just meets our 7-byte requirement. Let’s pretend we’ve identified these bytes as malicious shell-code that we don’t want passing through our firewall. Let’s now walk through the process of creating the signature from start to finish:

1. Add a new custom vulnerability signature and fill out the mandatory fields.

Macbook:~ noob$ xxd -l 50 flash_video.flv
0000000: 464c 5601 0500 0000 0900 0000 0012 0003  FLV.............
0000010: 4b00 0000 0000 0000 0200 0a6f 6e4d 6574  K..........onMet
0000020: 6144 6174 6108 0000 000f 0008 6475 7261  aData.......dura
0000030: 7469                                     ti


2. Click the signatures tab and click “Add” to bring up the “Standard” window.

Figure 1 – Completed Configuration Tab
Figure 2 – Default Signatures Tab

3. Fill in the “Signature Name” field and leave the scope as transaction. We only have one condition, so we can leave “Ordered Condition Match” alone. Click “Add And Condition”.

4. Choose “Pattern Match” as the operator, then find “file-flv-body” in the “Context” drop-down, and enter the pattern we found earlier with ‘\x’ before and after the pattern to indicate we’re matching hexadecimal. (See Figure 4 below.)

Figure 3 – Standard Window
Figure 4 – Condition Window

5. Click “OK” on each of the signature windows, commit, and test your new signature.


Example 3 – Custom Signature Using a Qualifier Some contexts have the ability to also use a qualifier. Qualifiers limit the match condition for the given context so that the signature will only trigger if the pattern is seen in the defined qualifier. This example will use the “http-req-uri-path” context, which, as the name implies, provides the path in the HTTP header of a request. The goal of this example is to alert on any WordPress blog logins. When testing the login and taking a packet capture, we can see the following HTTP POST. (In bold is the portion of the POST that is relevant to the context we chose.)

1. Create a new Custom Vulnerability Signature and fill out the needed fields in the “Configuration” tab.

2. Go to the “Signatures” tab, leave “Standard” selected and click “Add” to bring up the “Standard” window.

Figure 1 – Configuration Tab
Figure 2 – Signatures Tab

3. Enter a signature name and leave the scope as “Transaction”; again, we only have one condition, so the “Ordered Condition Match” setting can be ignored.

POST /blog/wp-login.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded


4. Click “Add And Condition” for the condition window to open. Here, choose “Pattern Match” from the “Operator” drop-down menu since we’re matching on a string. Select “http-req-uri-path” from the “Context” drop-down menu and enter the pattern “wp\-login\.php” (without the quotes, as seen in Figure 4). We escape the ‘-’ and ‘.’ characters with backslashes since they’re part of the regex library and we want a literal match on those characters.

Figure 3 – Standard Window
Figure 4 – Condition Window

5. Last, we’re going to click “Add” on the condition window from step 4 to add a qualifier to the signature. Choose “http-method” as the qualifier and set the value to “POST”. This way, our pattern only matches if it’s found inside of a HTTP POST message.

Figure 5 – Completed Qualifier Window

6. Click “OK” on each signature window, commit, and test the signature.


Example 4 – Combination Signature A combination signature allows you to use an existing signature in combination with a time attribute. The time attribute allows the signature to only trigger when the pattern is matched x number of times within y number of seconds. You can narrow this down further by using the aggregation criteria. In this example, we’ll use the signature we created in example 3, but convert it to a combination signature. With this, we’ll be able to alert or drop if we detect a WordPress login brute-force attack occurring. (Note, only a standard signature can be converted into a combination signature. You cannot combine two combination signatures.)

1. Create a new custom signature and fill out the needed fields in the “Configuration” tab.

2. Click the signature tab, choose “Combination” and click “Add And Condition”.

Figure 1 – Configuration Tab
Figure 2 – Signatures Tab with Combination Selected

3. In the condition window, you first name the condition. Then choose the threat ID that will be used. Here we chose Threat ID “42100”, which is the WordPress login signature we created in the last example.

4. Click the “Time Attribute” tab. These settings are what make this a combination signature. We can monitor the matches on this signature and only alert or drop if the number of hits reaches our maximum value within our defined amount of seconds. You’ll also want to choose your “Aggregation Criteria”.

Figure 3 – Condition Tab for Combination
Figure 4 – Time Attribute Tab

5. Click “OK” on each of the signature windows, commit, and test the signature.
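An added example, not part of this tech note and not Palo Alto Networks code, that models the time attribute and aggregation criteria described in the terminology refresher and in this example: hits on the WordPress login signature are counted per aggregation key, and an alert fires once 25 hits are seen within 60 seconds. The hit data is constructed, and resetting the counter after an alert is an assumption of the model, not documented PAN-OS behaviour.

```python
from collections import defaultdict, deque

# Added example, not Palo Alto Networks code: a model of the combination signature's
# time attribute, turning hits on a standard signature (the WordPress login signature
# of example 3) into one alert once "threshold" hits are seen within "interval" seconds,
# counted separately per aggregation key. Reset-after-alert is an assumption of this model.

class CombinationSignature:
    def __init__(self, threshold, interval, aggregation):
        assert aggregation in ("source", "destination", "source-and-destination")
        self.threshold, self.interval, self.aggregation = threshold, interval, aggregation
        self.windows = defaultdict(deque)   # aggregation key -> timestamps inside the window

    def key(self, src, dst):
        """Which traffic shares one counter: per source, per destination, or per pair."""
        if self.aggregation == "source":
            return src
        if self.aggregation == "destination":
            return dst
        return (src, dst)

    def hit(self, ts, src, dst):
        """Record one hit of the underlying standard signature (in time order);
        return True when the combination signature fires."""
        window = self.windows[self.key(src, dst)]
        window.append(ts)
        while ts - window[0] > self.interval:   # forget hits older than the interval
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()                      # assumed: a burst alerts once, not on every hit
            return True
        return False


def alerts_for(events, threshold=25, interval=60, aggregation="destination"):
    """Feed (timestamp, src, dst) hits in time order; return timestamps at which alerts fire."""
    sig = CombinationSignature(threshold, interval, aggregation)
    return [ts for ts, src, dst in events if sig.hit(ts, src, dst)]


# Constructed hits: 30 wp-login POSTs from two clients against one blog in 30 seconds,
# and a slow trickle of one POST every 10 seconds against another blog.
BRUTE_FORCE = [(t, "10.0.0.%d" % (1 + t % 2), "192.0.2.10") for t in range(30)]
TRICKLE = [(10 * t, "10.0.0.9", "192.0.2.20") for t in range(30)]

if __name__ == "__main__":
    for crit in ("destination", "source", "source-and-destination"):
        print(crit, "alerts at", alerts_for(BRUTE_FORCE, aggregation=crit))
    print("trickle alerts at", alerts_for(TRICKLE))
```

With “destination” aggregation both clients count against the same blog and the 25th POST at t=24 fires the alert; with “source” aggregation each client only reaches 15 hits and nothing fires, which is the trade-off the aggregation criteria setting controls.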


Context Qualifiers

Table 1: FTP Command Qualifiers

FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP commands.

ABOR ACCT ALLO APPE AUTH CDUP CWD

DELE EHLO ERPT HELO LIST MDTM MKD

MODE NLIST OPTS PASS PASV PBSZ PORT

PWD QUIT REIN REST RETR RMD RNFR

RNTO SITE SIZE SMNT STAT STOR STOU

STRU SYST TEST TYPE UNKNOWN_COMMAND UNLOCK USER

XCRC XMD5 XSHA1

Table 2: FTP Vendor ID Qualifiers

FTP vendor ID qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP clients.

CEASERFTP EASY_FILE_SHARING_FTP FILE_COPA_FTP FREEFTPD MICROSOFTFTP NETTERM

PROFTPD SERV_U UNKNOWN_FTP_SERVER VSFTPD WARFTPD WS_FTP

WUFTP

Table 3: HTTP Header Field Qualifiers

HTTP header field qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that have specific values for select header fields.

ACCEPT_LANGUAGE AUTHORIZATION CONTENT_ENCODING CONTENT_LENGTH CONTENT_TYPE HOST

IF_MOD_SINCE SUBSCRIBE_HDR TRANSFER_ENCODING UNKNOWN_HDR X_FORWARD_FOR

Table 4: HTTP Method Qualifiers

HTTP method qualifiers can be added to custom signatures that use HTTP-related contexts to limit a match condition to HTTP headers that use specific HTTP methods.

BCOPY BDELETE BITS_POST BMOVE BPROPFIND BPROPPATCH CCM_POST

CONNECT COPY DELETE GET HEAD LINK LOCK

MKCOL MOVE NOTIFY OPTIONS POLL POST PROPFIND

PROPPATCH PROXY_SUCCESS PUT RPC_CONNECT SEARCH SMS_POST SOURCE

SUBSCRIBE TRACE TRACK UNKNOWN_METHOD UNLINK UNLOCK UNSUBSCRIBE


Table 5: IMAP Command Qualifiers

IMAP command qualifiers can be added to custom signatures that use IMAP-related contexts to limit a match condition to specific IMAP commands.

APPEND AUTHENTICATE CAPABILITY CHECK CLOSE COPY CREATE

DELETE EXAMINE EXPUNGE FETCH FIND IDLE LIST

LOGIN LSUB NOOP RENAME SEARCH SELECT STARTTLS

STATUS SUBSCRIBE UNKNOWN_COMMAND UNSUBSCRIBE

Table 6: RTSP Method Qualifiers

RTSP method qualifiers can be added to custom signatures that use RTSP-related contexts to limit a match condition to specific RTSP methods.

ANNOUNCES DESCRIBE GET_PARAMETER OPTIONS PAUSE

PLAY RECORD REDIRECT SET_PARAMETER SETUP

SETUP_PARAMETER TEAR_DOWN UNKNOWN_METHOD

Table 7: SMTP Method Qualifiers

SMTP method qualifiers can be added to custom signatures that use SMTP-related contexts to limit a match condition to specific SMTP methods.

AUTH BDAT DATA EHLO HELO MAIL QUIT

RCPT RSET SAML SEND SOML STARTTLS UNKNOWN_CMD

USER VRFY XEXCH50 XEXPS XLINK2STATE XTELLMAIL

Revision History

Date               Revision   Comment
August 22, 2017    E          Added the context http-req-no-version-string-small-pkt to the String section.
March 31, 2017     D          Added the http-rsp-non-2xx-response-body field to the String section; reformatted title page, header/footer, and page breaks for smoother flow of text.
April 22, 2015     B          Added information in the “Common Regex Syntax Errors” section that states that when writing a custom application signature, the application decoder may or may not be case-sensitive for a given field, depending on the decoder that the firewall uses.
July 26, 2013      A          The first release of this document.