About Custom Application and Threat Signatures
Advanced Threat Prevention Powered by Precision AI®

Learn how custom application signatures bring visibility to and allow more granular control of applications.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • VM-Series
  • CN-Series
What Do I Need?
  • Advanced Threat Prevention (for enhanced feature support) or Threat Prevention License
Custom Application Signatures
Custom application signatures reduce unknown traffic, provide application visibility, and give you more granular control over applications on your network. For example, you may believe office productivity has decreased since the FIFA Women’s World Cup began. You can create custom signatures for the FIFA landing and live streaming pages and view FIFA activity in the ACC and Traffic logs (as long as current security policies allow the traffic). From there, you can create a report, configure a QoS policy, or block the application by adding it to security policy.
An application signature identifies a pattern located within packets from an application or application function. This pattern uniquely identifies the application or function of interest. The App-ID™ traffic classification system relies on application signatures to accurately identify applications in your network. Palo Alto Networks has developed App-ID signatures for many well-known applications (see Applipedia for a complete list). However, the volume of commercial applications and the nature of internal applications mean that some applications do not have a signature. Such traffic receives an “unknown” classification in the ACC and Traffic logs, alongside potential threats. To properly classify this traffic and enforce security policy rules, you can create a custom application signature.
Custom application signatures enable you to:
  • Minimize “unknown” traffic on your network
    • Identify internal applications or special interest applications, such as a custom payroll application or sports live streaming
  • Monitor application usage in the ACC and Traffic logs
  • Explicitly define allowed applications and application functions (for example, allowing Slack for instant messaging, but blocking file transfer)
  • Perform QoS for a specific application
  • Identify nested applications, such as Words with Friends in Facebook
Custom applications take precedence over predefined applications when traffic matches both a custom-defined signature and a Palo Alto Networks signature. Accordingly, Traffic logs reflect the custom application name once the new application has been configured.
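The classification rules described above (pattern matching inside the payload, custom signatures taking precedence over predefined ones, and an “unknown” result when nothing matches) can be illustrated with a small classifier. This is an added example, not Palo Alto Networks App-ID code; the signature patterns, application names and sample payloads are all constructed for illustration, and the hostnames use the reserved `.test` domain.

```python
import re
from collections import Counter

# Constructed, simplified signatures: (application name, pattern searched in the packet payload).
# These stand in for App-ID content and are not real Palo Alto Networks signatures.
PREDEFINED_SIGNATURES = [
    ("web-browsing", re.compile(rb"^(GET|POST) /\S* HTTP/1\.[01]\r\n")),
    ("ssh",          re.compile(rb"^SSH-2\.0-")),
]

# Constructed custom signatures; in the text's example these would be the FIFA pages
# and an internal payroll application.
CUSTOM_SIGNATURES = [
    ("fifa-live-stream", re.compile(rb"\r\nHost: live\.fifa-stream\.test\r\n")),
    ("internal-payroll", re.compile(rb"^PAYROLL/1\.0 AUTH ")),
]


def classify(payload: bytes) -> str:
    """Return the application name for one payload.

    Custom signatures are evaluated first so that, when a packet matches both a
    custom and a predefined signature, the custom name is the one reported
    (mirroring the precedence rule described in the text). Traffic matching
    nothing is reported as "unknown".
    """
    for name, pattern in CUSTOM_SIGNATURES:
        if pattern.search(payload):
            return name
    for name, pattern in PREDEFINED_SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"


def traffic_summary(payloads) -> Counter:
    """Aggregate classifications the way an ACC application view would count them."""
    return Counter(classify(p) for p in payloads)


# Constructed sample payloads: one generic HTTP request, one HTTP request to the
# streaming host (matches both web-browsing and the custom signature), one SSH
# banner, one custom payroll exchange, and one opaque binary blob.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n",
    b"GET /live/match.m3u8 HTTP/1.1\r\nHost: live.fifa-stream.test\r\n\r\n",
    b"SSH-2.0-OpenSSH_9.6\r\n",
    b"PAYROLL/1.0 AUTH user=alice\n",
    b"\x17\x03\x03\x00\x2a\x9f\x1c\x00",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(f"{classify(payload):18s} {payload[:32]!r}")
    print(traffic_summary(SAMPLE_PAYLOADS))
```

The second sample payload is the interesting one: it satisfies the predefined `web-browsing` pattern as well as the custom `fifa-live-stream` pattern, and the custom name is what ends up in the summary, which is the behaviour the text describes for Traffic logs once a custom application is configured.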
Custom Threat Signatures
Palo Alto Networks NGFWs allow you to create custom threat signatures to monitor malicious activity or to integrate third-party signatures. Much like standard threat signatures, these custom entries enable you to detect, monitor, and prevent network-based attacks by examining packet captures for regular expression patterns that uniquely identify spyware activity and vulnerability exploits. Once configured, the NGFW scans network traffic for these patterns and performs a specified action upon detection. To effectively manage command-and-control (C2) activity and system flaws, use these signatures as part of Anti-Spyware and Vulnerability Protection profiles.
For more complex security scenarios, you can create combination signatures. A combination signature is a security object used to detect attack patterns based on the frequency and aggregation of existing threat events. While standard signatures trigger on a single regular expression match, combination signatures allow you to define a threshold-over-time logic, making them essential for identifying distributed or repetitive attacks like brute force, port scanning, and credential stuffing. In this hierarchy, the combination signature acts as a parent signature that assigns a time attribute to an existing child signature. This attribute specifies the number of pattern matches, or hits, that must occur within a specific timeframe (in seconds) for the parent signature to trigger. If a pattern matches the child signature but does not meet the parent's threshold, only the default action for the child signature occurs.
To further refine these triggers, you can include aggregation criteria to define exactly what the parent signature counts as a hit. Selecting source counts all hits originating from a particular source, while destination counts hits directed toward a specific destination IP address. Alternatively, the source-and-destination criterion instantiates a separate time window for each source/destination pair, so that hits are counted only when a single source repeatedly targets a single destination. By combining these time attributes and aggregation settings, you can define a high-fidelity signature for brute force attacks that triggers only when traffic matches a pattern a specific number of times in a given interval.
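The threshold-over-time logic and the three aggregation criteria described in the two paragraphs above can be made concrete with a small simulation that replays child-signature hits through a parent (combination) signature. This is an added example, not PAN-OS code; the event list, signature names and IP addresses are constructed for illustration, and the choice to reset a window once the parent triggers is an assumption made here so that one burst produces one parent event rather than one per subsequent hit.

```python
from collections import defaultdict, deque

# Constructed child-signature hits, as a threat log would record them:
# (timestamp in seconds, source IP, destination IP, child signature id).
EVENTS = [
    (0,  "10.0.0.5", "192.0.2.10", "child-login-fail"),
    (2,  "10.0.0.5", "192.0.2.10", "child-login-fail"),
    (4,  "10.0.0.5", "192.0.2.10", "child-login-fail"),
    (5,  "10.0.0.7", "192.0.2.10", "child-login-fail"),
    (6,  "10.0.0.5", "192.0.2.11", "child-login-fail"),
    (70, "10.0.0.5", "192.0.2.10", "child-login-fail"),
]


class CombinationSignature:
    """Parent signature: fires when the child matches `threshold` times within
    `interval` seconds, counted per the chosen aggregation criterion."""

    def __init__(self, name, child_id, threshold, interval, aggregation):
        if aggregation not in ("source", "destination", "source-and-destination"):
            raise ValueError(f"unsupported aggregation criterion: {aggregation}")
        self.name = name
        self.child_id = child_id
        self.threshold = threshold
        self.interval = interval
        self.aggregation = aggregation
        # One sliding window of hit timestamps per aggregation key.
        self.windows = defaultdict(deque)

    def key_for(self, src, dst):
        """The aggregation criterion decides what a 'hit' is counted against."""
        if self.aggregation == "source":
            return (src,)
        if self.aggregation == "destination":
            return (dst,)
        return (src, dst)  # separate window per source/destination pair

    def observe(self, ts, src, dst, child_id):
        """Feed one event; return True if the parent signature triggers on it.

        A hit that does not push the window over the threshold leaves only the
        child's default action in effect, which this simulation models as False.
        """
        if child_id != self.child_id:
            return False
        key = self.key_for(src, dst)
        window = self.windows[key]
        window.append(ts)
        # Drop hits older than the interval so the window is threshold-over-time.
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            window.clear()  # assumption: one parent event per burst
            return True
        return False


def run(events, signature):
    """Replay events; return (timestamp, aggregation key) for each parent trigger."""
    triggers = []
    for ts, src, dst, child_id in events:
        if signature.observe(ts, src, dst, child_id):
            triggers.append((ts, signature.key_for(src, dst)))
    return triggers


if __name__ == "__main__":
    for agg, threshold in (("source-and-destination", 3), ("source", 4), ("destination", 4)):
        sig = CombinationSignature("bf-" + agg, "child-login-fail", threshold, 60, agg)
        print(agg, run(EVENTS, sig))
```

Replaying the same six hits through the three criteria shows why the choice matters: per source-and-destination, only 10.0.0.5 against 192.0.2.10 accumulates three hits inside 60 seconds (at t=4); per source, 10.0.0.5 reaches four hits at t=6 because its hit against 192.0.2.11 is counted too; per destination, 192.0.2.10 reaches four at t=5 because the hit from 10.0.0.7 also counts. The hit at t=70 falls outside every window and so only the child's default action would apply to it.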