How to create a custom threat signature
Objective
Provide guidance on how to create custom threat signatures.
Environment
Palo Alto Firewall
Procedure
1. Capture the traffic you want to create a signature for
- This can be done through the firewall via a custom packet capture or third-party traffic capture/analyzer software
2. Choose the context (integer or string) in which the signature will match
Integer context: used with the comparison operators Equal To, Less Than, and Greater Than
- Examples include: parameter lengths, code, response, and type values
- full list of integer contexts and use can be found here
String context: used with the Pattern Match operator and a regular expression pattern
- Examples include: payloads, headers, and banner patterns
- pattern requirements for custom signatures can be found here
- full list of string contexts and use can be found here
- full list of context qualifiers can be found here
3. Create your new signature via a Custom Vulnerability or Antispyware object
From the firewall, go to Object tab > Custom Object > Vulnerability or Antispyware, then select Add at the bottom of the firewall GUI
The Custom (Vulnerability or AntiSpyware) Signature screen will appear where you will be on the Configuration tab by default.
Required fields to be completed:
- Threat ID
- For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
- For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
- Name - specify the threat name.
- Severity - Select the severity of the threat.
- Direction - client to server, server to client, both
Moving to the Signature tab, leave the signature option set to Standard (unless you are creating a combination/brute-force signature). Add a signature with the Add button at the bottom of this window.
This will pull up the Standard window:
- Standard - Enter a name to identify the signature in the field.
- Comment - Enter an optional description.
- Ordered Condition Match - If the order in which the firewall attempts to match the signature definitions is important, keep selected.
- Scope - indicate whether this signature applies to a full Session or a single Transaction.
Add a condition by clicking Add And Condition or Add Or Condition at the bottom of the window. This will pull up a New Condition window:
Select an Operator from the drop-down menu to define the conditions that must be true for the signature to match traffic.
- If you are using a string context, select Pattern Match, then provide a regular expression Pattern. Optionally, you can also add a context qualifier/value pair.
- You can also select Negate to specify conditions under which the custom signature does not trigger.
- If you are using an integer context, select Equal To, Less Than, or Greater Than, and then enter the desired match value.
Click OK to finish
4. Add an exception for this signature to enable it, then commit
Click your existing Vulnerability (or Antispyware) security profile, then under the Exceptions tab, search for your signature's Threat ID and Enable it.
Commit your changes.
5. Test your signature
- Recreate the traffic you are trying to trigger with the signature
- Check the Monitor tab > Logs > Threat to verify traffic matching on the custom threat signature.
- If necessary, fine-tune your signature by adding additional patterns or conditions to the signature
- repeat as needed
To apply the custom signature to a single profile, set its severity to 'informational' and its default action in the signature definition to 'allow'.
Then create a Threat Exception in the Vulnerability Protection profile where you want to activate it, mark the 'enable' checkbox in the Exception, and change the signature's action to override the default 'allow'.
The rationale behind setting the signature's severity to informational is that otherwise it will match on all Vulnerability Profile rules, which are likely defined with actions by vulnerability severity, and those rules will end up overriding the default allow action defined in the custom vulnerability signature.
This solution works if the rule for informational-severity vulnerabilities in every Vulnerability Protection profile is either missing or set to execute the signature's default action.