Hi everyone, and thanks for joining this video on how to create a custom vulnerability.
In this video, I'll cover how to create a specific custom vulnerability, show the tools I use to create it, and also show you in a live demonstration about how this behaves on the Palo Alto Networks firewall.
If you've played around with creating custom App-ID, you will see some similarities in this video. If not, then I recommend that you watch that video as well, because it discusses a different use case scenario that you might find of benefit in your specific environment.
Similar to custom App-ID, custom vulnerabilities are created using pattern-based signatures for traffic that does not match any of our existing vulnerabilities.
In order to figure out the pattern match, I'll use a packet capture tool like WireShark.
In my example, let's say you would like to create a custom vulnerability for users that are browsing using the 'Chrome' browser.
Using WireShark, you can capture this traffic and search for a specific pattern to correctly identify this traffic. In the example, you will notice that the following pattern can be used:
You can configure this on your firewall under the Object tab > Custom Objects > Vulnerability.
After adding your custom vulnerability, don't forget to enable it in your Vulnerability profile. Finally, add your vulnerability profile to your security policy and make sure to commit.
Depending on the action you have configured, you will see its corresponding behaviour.
In the example, we've selected the 'Alert' action. So after browsing using the Chrome browser, we saw vulnerability logs in the Threat logs.
Below are some links to related articles you might find useful: