Palo Alto Networks Knowledgebase: Custom vulnerability signature for identifying Windows XP clients

Custom vulnerability signature for identifying Windows XP clients

Created On 09/25/18 17:39 PM - Last Updated 09/25/18 23:11 PM

Solution:


Effective April 8, 2014, Microsoft formally dropped support for the Windows XP operating system. This end of support means Microsoft will no longer provide software updates for Windows XP. These software updates frequently fix security vulnerabilities that could lead to a system compromise if left unaddressed. While most enterprises have standardized on newer versions of Windows, a sizable installed base of Windows XP often remains. Many enterprises may not be aware of how many remnant Windows XP devices are in their network environment.

This custom signature may be used to identify Windows XP hosts based on their web application activity. It looks in HTTP request headers for a User-Agent field that contains the Windows platform identifier string. The default action of this signature is to alert. However, this can easily be overridden to use the "drop" or "reset-client" action in order to block Windows XP hosts from using web applications through the Palo Alto Networks security platform.


Step 1:  Create a custom vulnerability object in Objects > Custom Objects > Vulnerability



Step 2:  Add a Standard signature type



Step 3:  Choose the Transaction scope and add an And Condition



Step 4:  Select the Pattern Match operator, the http-req-headers context, and define the following match pattern:

String

User-Agent:.+Windows NT 5\.[12]|User-Agent:.+Windows XP



Step 5:  Done!

This signature can then be included in a Vulnerability Protection profile and applied to a rule in your security policy. If Windows XP hosts initiate any web applications through the firewall, informational alerts will be displayed in the Threat logs. A custom report can then be created that will summarize the unique source addresses that have triggered this vulnerability signature.


Note:  Microsoft utilizes the "Windows NT 5.2" platform identifier in the User-Agent header for both Windows XP x64 Edition and Windows Server 2003.  There is no way to differentiate between these two platforms using this method of identification.  If you wish to exempt both platforms from identification, change the pattern match string to the following:

String
User-Agent:.+Windows NT 5\.1|User-Agent:.+Windows XP
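
To check what each pattern will and will not flag before committing the signature, the following added example (not part of the original article, and not Palo Alto Networks code) runs both match strings over constructed request headers and counts hits per source address, similar to the custom report described above. It assumes Python's `re` module behaves like the firewall's pattern engine for these two patterns and that each header line is evaluated on its own; the addresses, host name and `build_request` helper are hypothetical.

```python
import re
from collections import Counter

# Match patterns copied verbatim from the article (Step 4 and the Note).
PATTERN_XP_AND_NT52 = re.compile(r"User-Agent:.+Windows NT 5\.[12]|User-Agent:.+Windows XP")
PATTERN_NT51_ONLY = re.compile(r"User-Agent:.+Windows NT 5\.1|User-Agent:.+Windows XP")


def build_request(user_agent):
    """Return constructed HTTP request headers, with a User-Agent if one is given."""
    lines = ["GET / HTTP/1.1", "Host: intranet.example"]
    if user_agent is not None:
        lines.append("User-Agent: " + user_agent)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample traffic: (source address, User-Agent value or None).
SAMPLE_TRAFFIC = [(src, build_request(ua)) for src, ua in [
    ("10.0.0.11", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    ("10.0.0.12", "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"),
    ("10.0.0.13", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("10.0.0.14", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),  # Windows 2000
    ("10.0.0.11", "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.62"),
    ("10.0.0.15", "ExampleUpdater/1.0 (Windows XP)"),  # made-up agent string
    ("10.0.0.16", None),  # request that carries no User-Agent header
]]


def matching_sources(traffic, pattern):
    """Count matching requests per source address for one pattern."""
    hits = Counter()
    for source, headers in traffic:
        # Assumption: the pattern is tested against one header line at a time.
        if any(pattern.search(line) for line in headers.split("\r\n")):
            hits[source] += 1
    return dict(hits)


if __name__ == "__main__":
    for name, pattern in [("5.[12] pattern", PATTERN_XP_AND_NT52),
                          ("5.1-only pattern", PATTERN_NT51_ONLY)]:
        print(name, matching_sources(SAMPLE_TRAFFIC, pattern))
```

Because the User-Agent header is supplied by the client, a host that omits or alters it (such as 10.0.0.16 in the sample) never appears in the results.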


References:

Credit:  Special thanks to Arthur Chilipweli of Solutionary for devising this method of identification and sharing his regex pattern.
