Palo Alto Networks Knowledgebase: Tips & Tricks: Custom Vulnerability

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:50 PM

See also: Video Tutorial: Custom Vulnerability

 

Want to block some very specific traffic? Custom vulnerabilities can help!

 

The Palo Alto Networks firewall supports custom vulnerability signatures using the firewall's threat engine. You can write custom regular expression patterns to identify vulnerability exploits. The resulting vulnerability patterns become available for use in vulnerability security profiles. The firewall looks for the custom-defined patterns in network traffic and takes the specified action for the vulnerability exploit.

 

Using the Custom Vulnerability Signature page, you can define signatures for Vulnerability Protection profiles.

 

First, add the Custom Vulnerability Object at the Objects tab > Custom Objects > Vulnerability as shown in the example:

Custom Vulnerability Object

 

Fill out the Configuration tab, like below. In this use case, I'll show you how to match requests coming from a specific browser (Chrome).

 

Mandatory fields are:

 

Threat ID: A numeric identifier. For vulnerability signatures, the range is 41000-45000.

Name: Specify the threat name.

Severity: Assign a level that indicates the seriousness of the threat.

Direction: Indicate whether the threat is assessed from the client to server, server to client, or both.

 

Custom Vulnerability Signature

 

  1. Go to the Signatures tab to add a signature.  
  2. Select the Standard radio button and click Add:

 

custom vulnerability signature

 

In the Standard window, complete the following:

 

  1. Standard: Fill in the desired name to identify the signature.
  2. Comment: Here you can add an optional description.
  3. Scope: Here you can select whether to apply this signature only to the current transaction or to the full user session. In this example, we'll go with Transaction.
  4. Ordered Condition Match: Select if the order in which the signature conditions are defined is important.
  5. Add Or Condition: Add and specify conditions to define signatures.

 

standard

 

In the next window, we'll specify the condition the signature must match.

 

Operator: Defines the type of condition that must be true for the custom signature to match traffic. Choose from the Less Than, Equal To, Greater Than, or Pattern Match operators.

 

When choosing the Pattern Match operator, specify the following, all of which must be true for the signature to match traffic:

  • Context: Select from the available contexts.
  • Pattern: Specify a regular expression.
  • Qualifier and Value: Optionally, add qualifier/value pairs.
  • Negate: Select the Negate check box so that the custom signature matches traffic only when the defined Pattern Match condition is not true. This lets you make sure the custom signature is not triggered under certain conditions.

In this example, we'll look for the pattern 'Chrome/' in the Context 'http-req-headers' as shown in the example below. Note that the firewall only accepts a pattern that contains a fixed string of at least 7 bytes; 'Chrome/' is exactly 7 characters, so it passes validation.

 

Or Condition

 

Why match on Chrome/?

 

If you take a packet capture while browsing with Chrome, you will find 'Chrome/' in the User-Agent request header of every HTTP request, as in the capture below:

 

pcap

 
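To make the match rules concrete, here is an added Python model of how the signature above is evaluated. It is example code written for this page, not firewall code or a Palo Alto Networks API: it simplifies context extraction to the header block of an HTTP message, uses Python's re syntax in place of the firewall's own pattern syntax, and the sample requests, host names and threat IDs are constructed. It covers the Operator, Context, Pattern and Negate fields together with the Direction field from the Configuration tab: 'Chrome/' in http-req-headers fires on a Chrome request, not on a Firefox request, and not on a server response that happens to contain 'Chrome/'; the same condition with Negate set fires on the non-Chrome request instead.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Contexts modelled here, a small subset of those the firewall offers. The pattern
# engine only sees the bytes belonging to the chosen context, so a pattern on
# http-req-headers never sees the request body or any server response.
HTTP_REQ_HEADERS = "http-req-headers"
HTTP_RSP_HEADERS = "http-rsp-headers"

# Regex metacharacters; what remains between them are the literal runs. The firewall
# rejects a pattern whose longest literal run is shorter than 7 bytes.
_META = re.compile(r"[.?*+|\[\]\\^${}()]")


def longest_literal(pattern: str) -> int:
    """Length of the longest fixed string inside a pattern ('Chrome/' -> 7)."""
    return max(len(run) for run in _META.split(pattern))


@dataclass
class OrCondition:
    context: str
    pattern: str          # Python re syntax here; the firewall's syntax is similar but smaller
    negate: bool = False  # fire only when the pattern is absent from the context


@dataclass
class CustomVulnerability:
    threat_id: int        # custom vulnerability signatures use 41000-45000
    name: str
    severity: str
    direction: str        # "client2server", "server2client" or "both"
    action: str           # the action chosen for this threat ID in the profile
    conditions: list = field(default_factory=list)  # Or-conditions: any one matching fires

    def __post_init__(self):
        if not 41000 <= self.threat_id <= 45000:
            raise ValueError(f"threat ID {self.threat_id} is outside 41000-45000")
        for cond in self.conditions:
            if longest_literal(cond.pattern) < 7:
                raise ValueError(f"pattern {cond.pattern!r} has no fixed string of 7+ bytes")


def extract_context(flow_direction: str, message: bytes, context: str) -> Optional[bytes]:
    """Return the bytes the pattern engine would inspect for this context, or None
    when that context does not exist in this direction of the flow."""
    head, _, _body = message.partition(b"\r\n\r\n")   # header block, then body
    _start_line, _, headers = head.partition(b"\r\n")
    if context == HTTP_REQ_HEADERS and flow_direction == "client2server":
        return headers
    if context == HTTP_RSP_HEADERS and flow_direction == "server2client":
        return headers
    return None


def evaluate(sig: CustomVulnerability, flow_direction: str, message: bytes) -> Optional[str]:
    """Return the profile action if the signature fires on this message, else None."""
    if sig.direction != "both" and sig.direction != flow_direction:
        return None   # Direction on the Configuration tab filters before any pattern runs
    for cond in sig.conditions:
        data = extract_context(flow_direction, message, cond.context)
        if data is None:
            continue
        matched = re.search(cond.pattern.encode(), data) is not None
        if matched != cond.negate:   # Negate inverts the verdict of this condition
            return sig.action
    return None


# Constructed sample traffic (not captured from a real session).
CHROME_REQ = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              b"(KHTML, like Gecko) Chrome/72.0.0.0 Safari/537.36\r\n\r\n")
FIREFOX_REQ = (b"GET / HTTP/1.1\r\nHost: intranet.example\r\n"
               b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) "
               b"Gecko/20100101 Firefox/65.0\r\n\r\n")
# 'Chrome/' in a response body: wrong direction and wrong context for the signature.
CHROME_IN_RSP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<p>Please upgrade to Chrome/72 or newer</p>")

# The article's signature: 'Chrome/' in http-req-headers, client to server, alert.
CHROME_SIG = CustomVulnerability(41000, "Chrome browser", "informational", "client2server",
                                 "alert", [OrCondition(HTTP_REQ_HEADERS, r"Chrome/")])
# Same condition with Negate set: fires on requests that do NOT come from Chrome.
NOT_CHROME_SIG = CustomVulnerability(41001, "Non-Chrome browser", "informational",
                                     "client2server", "alert",
                                     [OrCondition(HTTP_REQ_HEADERS, r"Chrome/", negate=True)])


def run_demo() -> dict:
    """Evaluate both signatures against the sample traffic and return the verdicts."""
    return {
        "chrome_req": evaluate(CHROME_SIG, "client2server", CHROME_REQ),            # "alert"
        "firefox_req": evaluate(CHROME_SIG, "client2server", FIREFOX_REQ),          # None
        "chrome_in_response": evaluate(CHROME_SIG, "server2client", CHROME_IN_RSP), # None
        "negated_firefox": evaluate(NOT_CHROME_SIG, "client2server", FIREFOX_REQ),  # "alert"
        "negated_chrome": evaluate(NOT_CHROME_SIG, "client2server", CHROME_REQ),    # None
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:20s} -> {verdict}")
```

The direction check runs before any pattern is tried, which is why a server response carrying the same string never fires a client-to-server signature; if you really need both directions, set Direction to both rather than cloning the signature.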

Click OK to create your custom vulnerability:

 

custom vulnerability profile

 

Note that the custom signature will not be enabled by default!

 

To enable your custom signature, go to the Vulnerability Protection Security Profile. Edit your profile and on the 'Exceptions' tab, search for the Threat ID and enable it:

 

enable custom signature

 

Don't forget to apply this Security Profile to your Security Policy:

 

security policy

 

After committing this change, you will get Alert messages in your Threat Log when you are browsing using a Chrome browser. Of course, the traffic can be blocked instead if you choose a blocking action (for example drop or reset-both) in the Action column of the exception:

 

threat log

 
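An added way to check the result without relying on a desktop browser, written for this page rather than taken from the article: send two plain-HTTP requests through the firewall, one with a Chrome-style User-Agent and one without, each tagged with a unique correlation header, and confirm that only the first produces a Threat Log entry. The target URL, both User-Agent strings and the X-Probe-Id header are assumptions made for the example. The signature inspects http-req-headers, so this only works on cleartext HTTP or on HTTPS that the firewall decrypts; an undecrypted TLS request never exposes the header to the threat engine.

```python
import sys
import urllib.error
import urllib.request
import uuid

# Constructed User-Agent strings: the positive probe carries 'Chrome/', the negative
# control does not. Neither was captured from a real browser.
CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/72.0.0.0 Safari/537.36")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"


def build_probes(url: str) -> list:
    """Prepare a positive and a negative probe for a plain-HTTP URL behind the firewall.
    Each carries a unique X-Probe-Id (an assumed header, not a PAN-OS feature) so a
    Threat Log hit can be tied back to the exact request that caused it."""
    probes = []
    for label, ua in (("positive", CHROME_UA), ("negative", FIREFOX_UA)):
        probe_id = f"{label}-{uuid.uuid4().hex[:8]}"
        req = urllib.request.Request(url, headers={"User-Agent": ua, "X-Probe-Id": probe_id})
        probes.append((label, probe_id, req))
    return probes


def send_probes(url: str, timeout: float = 5.0) -> dict:
    """Send both probes and report the outcome per label.
    With Action set to alert, both requests complete and only the positive one should
    show up in the Threat Log. With a blocking action such as reset-both, the positive
    probe fails at the transport level while the negative control still completes."""
    results = {}
    for label, probe_id, req in build_probes(url):
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[label] = (probe_id, resp.status)
        except urllib.error.HTTPError as exc:
            # A 4xx/5xx still proves the request traversed the firewall.
            results[label] = (probe_id, exc.code)
        except OSError as exc:   # URLError, connection reset, timeout
            results[label] = (probe_id, f"failed: {exc}")
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://intranet.example/"  # assumed URL
    for label, (probe_id, outcome) in send_probes(target).items():
        print(f"{label:8s} {probe_id:18s} -> {outcome}")
```

Run it as `python probe.py http://some-host-behind-the-firewall/` from a client in the zone your Security Policy covers, then filter the Threat Log on the custom Threat ID: the positive probe ID should appear once, the negative one not at all.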

Be sure to take a look at the Video Tutorial on Custom Vulnerability at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS5CAK

 

Below are some additional links with other use cases and useful information:

 

Custom vulnerability signature to detect FTP active mode

Custom vulnerability signature for identifying WindowsXP

List of different User-Agent strings

 

Thanks,

Kim



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSOCA0