How to import snort or suricata signature automatically into Panorama by Web interface


41501
Created On 09/26/20 15:48 PM - Last Modified 12/21/20 17:39 PM


Objective


 Automatically import Snort or Suricata IPS signatures into a Palo Alto Networks firewall through Panorama. 

Environment


PAN-OS 10.0 or higher
 


Procedure


How a third-party (Snort/Suricata) signature is converted into a Palo Alto Networks custom signature depends on the PAN-OS version. 
Note: For PAN-OS versions lower than 10.0, the converter plugin is not available and you must create the custom signatures manually; a separate knowledge base article explains that procedure in detail. 

For PAN-OS version 10.0 or higher, the IPS Signature Converter plugin for Panorama automatically converts Snort/Suricata rules into custom Palo Alto Networks threat signatures. Once a signature is converted, you can import it into your device group. The three steps are summarized here and described in detail below. 
  1. Install the IPS Signature Converter plugin on Panorama.
  2. Upload rules in the Panorama for conversion and import rules to your device groups.
  3. Push the vulnerability rules to the Firewall using Panorama. 
Step-1:  Install the IPS Signature Converter plugin on Panorama.
  1. Requirements:
    1. Plugin version: 1.0.1 or higher
    2. Minimum Panorama and Firewall version: 10.0.0
    3. Latest Applications and Threats content update installed
    4. Only plain-text files can be uploaded for conversion; PDF and DOC files are not accepted. 
    5. At most 100 signatures per file. 
  2. Steps:
    1. Select Panorama -> Plugins and enter ips_signature_converter
       in the search bar.
    2. Select the highest (latest) version of the plugin, download it, and install it.
    3. Once the plugin is installed, it is listed under Panorama -> Plugins as shown below. 
Panorama plugin installed
 
Step-2: 
Upload rules in Panorama for conversion.
1. The Snort/Suricata rules can be uploaded for conversion in two ways, through the web interface or the CLI. The steps below use the web interface.
2. On the web interface, select the Panorama tab -> IPS Signature Converter in the left pane -> Manage.
3. A window pops up as shown in the following screen capture. 
User-added image
 
4. You can either select a file or copy/paste the signatures. Remember the restrictions: (a) only plain-text files can be uploaded, and (b) at most 100 signatures per file.
User-added image
 
5. Click Convert. The conversion takes a few minutes and finishes with a status message for each rule. 
User-added image
 
6. The conversion status of a rule can be one of the following:
   Success               - Successfully converted.
   Success with Warnings - Successfully converted, but with warnings.
   Failed                - Syntax issue or other issue; the rule is not converted.
   Duplicate             - The rule duplicates another rule; it is not converted.
   Existing coverage     - Converted successfully, but a signature that already covers it exists.
7. Now select the converted rule(s), click Import Signature, and confirm the import into the device group.
User-added image
User-added image
8. The imported rules appear under the custom vulnerability or custom spyware objects, depending on the signature type.
User-added image

9. Some third-party rules match purely on static IP addresses, IP ranges, domains, or URLs and contain no keywords such as "content" or "pcre". The converter does not turn these into threat signatures; instead it exports them as a text-based file that can be added to an External Dynamic List (EDL).
10. The names of such rules contain the word "IOC".
11. Such rules must also be run through the converter; the result is the EDL text file rather than a threat signature.
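The two restrictions above (plain-text upload, at most 100 signatures per file) and the separate handling of IOC-only rules (no "content"/"pcre" keyword) are easy to get wrong when a third-party feed contains thousands of rules. The following Python script is an added example, not part of this article and not code from Palo Alto Networks or from the plugin: it pre-processes a Snort/Suricata rules file before upload by dropping comments, separating the IOC-only rules (which the converter exports as an EDL list) from content-based rules, flagging duplicate SIDs (which the converter reports as "Duplicate"), and splitting the content-based rules into batches of at most 100 written as plain-text files. The sample rules are constructed for demonstration only, and the rule parsing is a simplified assumption about Snort/Suricata syntax, not the plugin's own parser.

```python
"""Pre-process a Snort/Suricata rules file for the Panorama IPS Signature
Converter.  Added example; not the plugin's code.  The rule parsing below is a
simplified assumption about Snort/Suricata syntax."""
import re
from typing import List, Optional, Tuple

MAX_RULES_PER_FILE = 100  # per-file limit stated in the article

# Constructed sample rules for demonstration only (not real threat signatures).
SAMPLE_RULES = """\
# comment line, ignored by the pre-processor
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST web probe"; flow:to_server,established; content:"/probe.cgi"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> 203.0.113.10 any (msg:"TEST IOC beacon host"; sid:9000002; rev:1;)

alert tcp any any -> $HOME_NET 22 (msg:"TEST ssh banner"; pcre:"/^SSH-1\\.99/"; sid:9000003; rev:1;)
"""

# A content/pcre keyword is preceded by "(", ";" or whitespace inside the rule
# options.  (A literal "content:" inside an msg string would be a false positive;
# acceptable for a pre-check, since the converter itself makes the final call.)
_KEYWORD_RE = re.compile(r'[;(\s](?:content|pcre)\s*:', re.IGNORECASE)
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rules(text: str) -> List[str]:
    """Return the non-empty, non-comment lines of a rules file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rules.append(line)
    return rules


def is_ioc_rule(rule: str) -> bool:
    """True when the rule has no content/pcre match, i.e. it matches only on
    addresses, domains or URLs and the converter would export it as an EDL list."""
    return _KEYWORD_RE.search(rule) is None


def rule_sid(rule: str) -> Optional[int]:
    """Extract the Snort/Suricata rule ID (sid) or None if absent."""
    m = _SID_RE.search(rule)
    return int(m.group(1)) if m else None


def duplicate_sids(rules: List[str]) -> List[int]:
    """SIDs that occur more than once; the converter reports these as Duplicate."""
    seen, dups = set(), []
    for r in rules:
        s = rule_sid(r)
        if s in seen and s not in dups:
            dups.append(s)
        seen.add(s)
    return dups


def split_rules(text: str, batch_size: int = MAX_RULES_PER_FILE
                ) -> Tuple[List[List[str]], List[str]]:
    """Split a rules file into (content_rule_batches, ioc_rules).

    Each batch holds at most batch_size content-based rules so that one batch
    fits in one upload; IOC-only rules are returned separately."""
    content, ioc = [], []
    for r in parse_rules(text):
        (ioc if is_ioc_rule(r) else content).append(r)
    batches = [content[i:i + batch_size] for i in range(0, len(content), batch_size)]
    return batches, ioc


def write_batches(batches: List[List[str]], prefix: str = 'batch') -> List[str]:
    """Write each batch as a plain-text file (the only format the converter
    accepts) and return the file names written."""
    names = []
    for n, batch in enumerate(batches, start=1):
        name = f'{prefix}_{n:03d}.txt'
        with open(name, 'w', encoding='utf-8', newline='\n') as fh:
            fh.write('\n'.join(batch) + '\n')
        names.append(name)
    return names


if __name__ == '__main__':
    batches, ioc = split_rules(SAMPLE_RULES)
    print(f'{sum(map(len, batches))} content rules in {len(batches)} file(s), '
          f'{len(ioc)} IOC-only rule(s) to handle as EDL')
    dups = duplicate_sids(parse_rules(SAMPLE_RULES))
    if dups:
        print('duplicate SIDs (will be reported as Duplicate):', dups)
    print('written:', write_batches(batches))
    print('IOC-only rules:', *ioc, sep='\n  ')
```

Upload each batch_NNN.txt file separately in the Manage window, and feed the IOC-only rules to the converter on their own so that the EDL text file is produced for them.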
 
  Step-3: Commit the imported vulnerability (or spyware) objects in your device group and push the configuration from Panorama to the firewalls.


Additional Information


  • You can also convert the rules using the Panorama CLI; refer to the PAN-OS documentation for the IPS Signature Converter plugin for the commands.
  • You can also convert the rules using the Panorama API; refer to the PAN-OS documentation for the IPS Signature Converter plugin for the API calls.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAu0CAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail