How to Create, Log, and Deny a Custom Signature App

Created On 09/25/18 18:01 PM - Last Modified 02/01/25 01:21 AM


Procedure


Details

In this example, the rule blocks downloads of the file "wrar39b4.exe".

  • Use a packet capture tool to identify a signature for the custom application
  • Create a custom application in Objects > Applications > New
  • Define the specifics of the custom application, in particular the transport-layer port (TCP/80) and the signature (see the screenshots for details)
  • Create a security policy that denies the custom application
  • Commit
  • Review the traffic log to confirm that the application is denied

 

Wireshark Packet Capture

custom_signature_App1.jpg

 

  1. To create a Custom Application from the WebGUI, go to Objects > Applications > New.
  2. Give the application a name and a description.
  3. Edit the properties of the object and assign it an appropriate category, subcategory, technology, risk class and any characteristics that may apply.
    custom_signature_App2.png
     
  4. Choose the correct port (tcp/80 for this example):
    custom_signature_App3.png
     
  5. In the Signatures tab, create a new signature:
    custom_signature_App4.png

    and add an OR condition:
    custom_signature_App5.png
     
  6. Define the signature context (http-req-uri-path for this example) with a pattern of "wrar39b4.exe" and a qualifier of "http-method" with the value "GET".
    custom_signature_App6.png
     
  7. Create a security rule to block the application.
    custom_signature_App7.png
     
  8. Monitor the new rule in the traffic log.
    custom_signature_App8.png
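
A simplified model of the step 6 signature, added here as an example (it is not Palo Alto Networks code and not the firewall's matching engine), for checking which captured requests the signature is meant to catch before committing. The sample requests and host names are constructed, and the model assumes the pattern is a literal substring and that the http-req-uri-path context excludes the query string.

```python
from urllib.parse import urlsplit

# Values from step 6 of the article.
PATTERN = "wrar39b4.exe"   # pattern for the http-req-uri-path context
METHOD = "GET"             # value of the http-method qualifier


def parse_request_line(raw: bytes):
    """Return (method, uri_path) from the first line of a raw HTTP request, or None."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not an HTTP/1.x request line (e.g. TLS or other TCP/80 traffic)
    method, target, _version = parts
    # Assumption: the path context does not include the query string.
    return method, urlsplit(target).path


def signature_matches(raw: bytes, pattern: str = PATTERN, method: str = METHOD) -> bool:
    """True when both the method qualifier and the path pattern match."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    req_method, path = parsed
    # Assumption: the pattern is treated as a literal substring of the path.
    return req_method == method and pattern in path


# Constructed sample requests, as they might be copied out of a packet capture.
SAMPLES = {
    "download": b"GET /rar/wrar39b4.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n",
    "other_file": b"GET /rar/wrar393.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n",
    "post_same_path": b"POST /rar/wrar39b4.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n",
    "query_only": b"GET /search?q=wrar39b4.exe HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "not_http": b"\x16\x03\x01\x02\x00\x01\x00",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the modelled signature matches it."""
    return {name: signature_matches(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15} {'custom app (deny rule applies)' if hit else 'not matched'}")
```

Only the request that the model marks as matched should appear under the custom application name in the traffic log in step 8; the other rows are the cases to confirm are still identified as their usual applications.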
     

owner: panagent


