Type threat signatures, threat-ID range, logs, exception and delivered methods.
50804
Created On 07/20/20 01:03 AM - Last Modified 03/01/24 20:18 PM
Question
- Here are the common questions about signatures:
- How many types of signatures are provided by PaloAltoNetworks when it does the layer 7 inspections?
- Where are the logs for every type of layer-7 alert?
- How can we add an exception for threats?
- How the signature package was delivered?
- What time the signature packets are delivered?
- Can we identify a threat type by the threat range?
- What is the range of MLAV signatures?
Environment
-
Any Palo Alto Firewall.
- Any PAN-OS.
Answer
AntiVirus Signature
This type of signature detects viruses and malware found in executable, malicious software in the files.
AntiVirus signatures have three categories.
- AntiVirus signature :
- Threat-ID range:
- 1000000 - 1015000: Android File Format (APK)
- 1050000 - 1055000: PKG
- 1060000 - 1062000: MACH-0
- 1070000 - 1071000: APP
- 1100000 - 1102000: PDF
- 1110000 - 1140000: Office/RTF
- 1210000 - 1225000: OpenOffice
- 1250000 - 1253000: JAVA Class
- 1270000 - 1273000: Flash
- 2000000 - 2900000: PE
- 4000000 - 4100000: DNS
- 6000000 - 6000500: SWFZWS
- 6010000 - 6015000: DMZ
- Profile to edit: Anti-Virus
- Log location: threat logs
- The AV exception process is explained here.
- Threat-ID range:
- WildFire Public Cloud Signatures :
- WildFire Private Cloud (WF-500) Signatures :
- Threat-ID range: 5000000-6000000, 6300000-670000
-
Anti-Spyware Signature
- Anti-Spyware profiles block spyware on compromised hosts from trying to phone-home or beacon out to external command-and-control (C2) servers, allowing you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between zones.
- Palo Alto Networks delivered the Anti-Spyware in threat and app content update. These signatures are also delivered into the Anti-Virus package.
- Categories in spyware: Adware, Backdoor, Botnet, Browser, Browser-hijack, Data-Theft, Keylogger, Net-Worm, p2p-communication, phishing-kit, web shell, post-exploitation, crypto miner, downloader, fraud, hack tool, command and control, and more
-
Threat-ID range:
-
10000- 29999: Threat ID range
-
80001 - 89999: Additional Threat ID range added for PAN-OS 7.1 and newer:
-
15000 - 18000: Custom threat ID range before PAN-OS 10.00
-
12000000: Generic threat ID to identify domains learned through an EDL (External Dynamic List)
-
- Profile to edit Anti-spyware
- Log location: threat logs
- A threat exception can be added like this.
- Custom threat ID range:
- The customer threat ID range is 6900001-7000000 for PAN-OS 10.00 or later
-
DNS Signatures
Starting PAN-OS 9.0, three new spyware signatures can be detected with the DNS security subscription.
-
Data Filtering
- Prevent sensitive, confidential, and proprietary information from leaving your network by using predefined patterns, built-in settings, and customizable options. You can protect files that contain credit card numbers, regulated information from different countries and third-party data loss prevention (DLP) labels.
- Threat-ID range:
- 60000 – 69999: Data filtering detection
- Profile to edit Data-filtering
- Log location: Data-filtering
-
FileType Threat ID
-
Vulnerability Signatures
- Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems.
- Vulnerability Protection profiles protect against threats entering the network.
- These types of signatures against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats
- Threat-ID range:
- 41000 - 45000: Custom threat ID range before PAN-OS 10.00
- 6800001 - 6900000: Custom threat ID range for PAN-OS 10.00 or later
- 54000 - 59999: Threat ID range
- 90000 - 99999: Threat ID range
- Profile to edit: Vulnerability
- Log location: threat logs
- A threat exception can be added like this.
- Custom vulnerability signature:
- Custom threat ID range 6800001 - 6900000 for PAN-OS 10.00 or later
-
Wildfire inline ML related threat ID
- For PAN-OS 10.0 or later
- Machine Learning found virus
- The range is 599800 to 599999
- These types cover Malicious Windows Executable, PowerShell Script 1, PowerShell Script 2, Excutable Link Formatt and more
-
Flood and Scan
- Reconnaissance is when attackers attempt to gain information about your network’s vulnerabilities by secretly probing the network to find weaknesses
- Threat-ID range
- 8000-8499: Scan Detection
- 8500-8599: Flood detection
-
URL filtering
-
DNS-Security
- The type of signature in DNS Cloud Security covers DGA, Tunnel detection, and other C2C, malware connections.
- The way to distinguish between spyware signature and DNS-signature analysis on the threat logs.
- Here is a document that explains basic debug steps in DNS-Security.
- Threat-ID range
- 109000001: DGA Domain Detection
- 109001001-109001002: DNS Tunnel Detection
- 109001003: DNS Infiltration
- 109002001: Wildcard abuse
- 109002002: Strategically-aged domains
- 109002003: Cybersquatting/Typosquatting domains
- 109002004: subdomain reputation
- 109002005: Stockpile Domain Detection
- 109003001: Malware Compromised DNS
- 109003002: Ransomware Domains
- 109004000: Ad Tracking Domains
- 109004001: CNAME Cloaking
- 109010001: Phishing Domains
- 109010002: Grayware Domains
- 109010003: Parked Domains
- 109010004: Proxy Avoidance and Anonymizers
- 109010005: fast-flux detection
- 109010006: (malicious NRD
- 109010007: NXNSAttack
- 109010008: dangling DNS
- 109010009: DNS Rebinding
- 109020001: Newly Registered Domains
- 109020002: Dynamic DNS Hosted Domains
- The AppThreat version will be 0, and the threat ID is supplied from the cloud. Here is an example:
Additional Information
Custom spyware and threat signature