How to create a custom threat signature

Created On 07/08/22 18:15 PM - Last Modified 10/25/22 15:24 PM


Objective


Provide guidance on how to create custom threat signatures.

Environment


Palo Alto Firewall

Procedure


1. Capture the traffic you want to create a signature for
  •   This can be done on the firewall with a custom packet capture, or with third-party traffic capture/analyzer software
2. Identify the type of context you will use for the signature: Integer or String
 Integer context: used with comparison operators (less than, greater than, and equal to)
  • Examples include parameter lengths, code, response, and type values
  • The full list of integer contexts and their use can be found here
 String context: used for pattern comparison
  • Examples include payloads, headers, and banner patterns
  • Pattern requirements for custom signatures can be found here
  • The full list of string contexts and their use can be found here
(Optional) You may also want to incorporate context qualifiers. Qualifiers reduce the chance of false positives by letting a signature trigger only when the firewall detects the pattern or value inside a specific qualifier, which corresponds to a specific context (such as HTTP GET versus POST, or FTP MODE, LIST, TEST)
  • The full list of context qualifiers can be found here

3. Create your new signature via a Custom Vulnerability or Antispyware object
From the firewall, go to the Objects tab > Custom Objects > Vulnerability or Antispyware, then select Add at the bottom of the firewall GUI.

The Custom (Vulnerability or Antispyware) Signature screen will appear, with the Configuration tab selected by default.

Required fields to be completed:

  • Threat ID
    • For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
    • For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
  • Name - specify the threat name.
  • Severity - Select the severity of the threat.
  • Direction - select client to server, server to client, or both

Moving to the Signature tab, leave the signature option set to Standard (unless you are creating a combination/brute-force signature). Add a signature with the Add button at the bottom of this window.
This will pull up the Standard window.

Fields to complete on this window:
  • Standard - Enter a name to identify the signature in the field.
  • Comment - Enter an optional description.
  • Ordered Condition Match - If the order in which the firewall attempts to match the signature definitions is important, keep selected.
  • Scope - indicate whether this signature applies to a full Session or a single Transaction.

Add a condition by clicking Add And Condition or Add Or Condition at the bottom of the window. This will pull up a New Condition window:

Select an Operator from the drop-down menu to define the conditions that must be true for the signature to match traffic.
  • If you are using a string context, select Pattern Match, then provide a regular expression Pattern. Optionally, you can also add a context qualifier/value pair.
    • You can also select Negate to specify conditions under which the custom signature does not trigger.
  • If you are using an integer context, select Equal To, Less Than, or Greater Than, and then enter the desired match value.

Click OK to finish.
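Before committing a draft, it helps to dry-run its conditions offline. The script below is an added example (not Palo Alto code and not what the firewall executes): it checks the Threat ID ranges from step 3, lints a Pattern for a long enough literal run (the 7-byte fixed-string minimum is an assumption taken from PAN-OS pattern requirements), and evaluates And/Or groups of Pattern Match and integer conditions, with Negate, against context values extracted from a constructed HTTP transaction. The context names are this example's own labels, and Ordered Condition Match, Scope and qualifiers are not modelled.

```python
import re

# Threat ID ranges from step 3; the second range of each pair needs PAN-OS 10.0 or later.
THREAT_ID_RANGES = {
    "vulnerability": [(41000, 45000), (6800001, 6900000)],
    "spyware": [(15000, 18000), (6900001, 7000000)],
}
INT_OPS = {"Equal To": lambda v, x: v == x, "Less Than": lambda v, x: v < x, "Greater Than": lambda v, x: v > x}

def threat_id_ok(kind, threat_id, panos_10_or_later=True):
    """True when threat_id lies in a range the article allows for this signature type."""
    ranges = THREAT_ID_RANGES[kind] if panos_10_or_later else THREAT_ID_RANGES[kind][:1]
    return any(lo <= threat_id <= hi for lo, hi in ranges)

def longest_literal_run(pattern):
    """Longest metacharacter-free fragment of a regex (assumed lint: compare against the
    7-byte fixed-string minimum). Conservative: an escaped byte such as \\. is not counted."""
    return max(len(part) for part in re.split(r"[\\.^$*+?{}\[\]()|]", pattern))

def eval_condition(cond, contexts):
    """One New Condition row: Operator, context, Pattern or value, and optional Negate."""
    value = contexts.get(cond["context"])
    if value is None:  # context not present in the traffic: no match
        return False
    if cond["operator"] == "Pattern Match":
        hit = re.search(cond["pattern"], value) is not None
    else:
        hit = INT_OPS[cond["operator"]](int(value), cond["value"])
    return not hit if cond.get("negate") else hit

def signature_matches(and_groups, contexts):
    """Add And Condition starts a new group, Add Or Condition adds an alternative to the
    current group: every group must match, and a group matches on any of its alternatives."""
    return all(any(eval_condition(c, contexts) for c in group) for group in and_groups)

# Constructed sample: context values as they might be extracted from one captured HTTP
# transaction (the context names are this example's labels, not the firewall's list).
SAMPLE_CONTEXTS = {
    "http-req-uri-path": "/cgi-bin/status.cgi?cmd=ping",
    "http-req-host-header": "dmz-web.example.org",
    "http-rsp-status-code": "500",
}

# Draft: (URI hits status.cgi OR health.cgi) AND status code > 499 AND NOT an intranet host.
DRAFT_SIGNATURE = [
    [{"operator": "Pattern Match", "context": "http-req-uri-path", "pattern": r"/cgi-bin/status\.cgi\?cmd="},
     {"operator": "Pattern Match", "context": "http-req-uri-path", "pattern": r"/cgi-bin/health\.cgi\?cmd="}],
    [{"operator": "Greater Than", "context": "http-rsp-status-code", "value": 499}],
    [{"operator": "Pattern Match", "context": "http-req-host-header", "pattern": r"\.intranet\.example\.test$", "negate": True}],
]
```

Change SAMPLE_CONTEXTS to the values from your own capture and call signature_matches(DRAFT_SIGNATURE, SAMPLE_CONTEXTS) to see whether the draft would fire.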

4. Add an exception for this signature to enable it, then commit your signature
Click your existing Vulnerability (or Antispyware) security profile, then under the Exceptions tab, search for your signature's Threat ID and enable it.

Commit your changes.

5. Test your signature

  • Recreate the traffic you are trying to trigger the signature with
  • Check the Monitor tab > Logs > Threat to verify that the traffic matches the custom threat signature
  • If necessary, fine-tune your signature by adding patterns or conditions to it
  • Repeat until the signature matches as intended

Note: Custom signatures are enabled by default on all Vulnerability Protection profiles.

To apply the custom signature to a single profile, define its severity as 'informational' and its default action in the signature definition as 'allow'.
Then create a Threat Exception in the Vulnerability Protection profile where you want to activate it, mark the 'enable' checkbox in the Exception, and change the signature's action to override the default 'allow'.
The rationale behind setting the signature's severity to informational is that otherwise it will match on all Vulnerability Profile rules, which are likely defined with actions by vulnerability severity, and those rules will end up overriding the default allow action defined in the custom vulnerability signature.
This solution works if the rule for informational-severity vulnerabilities in all Vulnerability Protection rules is either missing or set to execute the signature's default action.

