Convert Rules Using the Panorama CLI

alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )

1. Encode the rule in Base64 format.

   You can do this using a free, browser-based tool (example).

   Before encoding the rule, ensure there are no line breaks. Otherwise, the line breaks are encoded and cause the rule conversion in the subsequent step to fail.
2. Convert the encoded rule:

   admin@demo-panorama-vm> request plugins ips-signature-converter convert b64-encode <base64_encoded_rule>
   
   LINE# TITLE                    RESULT     TYPE        CONVERTER_MSG
   1     Converted_MALWARE-       Succeed    Plain       None
         BACKDOOR -
         Dagger_1.4.0_105
   
   Summary: Total:1, Succeed:1, Warnings:0, Existing Coverage:0, Duplicated:0, Failed:0

3. (Optional) Change the signature type.

   If your signature is for protection against spyware, you can set the type as spyware so that Panorama imports it as an Anti-Spyware signature. Otherwise, rules convert as vulnerability by default.

   admin@demo-panorama-vm> request plugins ips-signature-converter set-properties signature-type <vulnerability/spyware> lines <line_number>
   
   LINE# TITLE                               SIG_TYPE      ACTION     SEVERITY
   1     Converted_MALWARE-BACKDOOR -        spyware       alert      low
         Dagger_1.4.0_105

4. Import the signature to Panorama:

   admin@demo-panorama-vm> request plugins ips-signature-converter import-custom-signatures device-group <device_group> lines <line_number>
   
   LINE# TITLE                           THREAT_ID STATUS  DETAIL
   1     Converted_MALWARE-BACKDOOR -    16002     Success Import Succeeded
         Dagger_1.4.0_105	

   If you do not specify a device-group, Panorama imports the signature to the Shared location.
5. Commit your changes to Panorama:

   admin@demo-panorama-vm# commit
   
   Commit job 707 is in progress. Use Ctrl+C to return to command prompt
   ...23%.59%80%.......90%.....100%
   Configuration committed successfully
   

6. Push the signatures to a device group:

   @demo-panorama-vm> commit-all shared-policy device-group <device_group> 
   
   Job enqueued with jobid 709
   709

7. Log in to a firewall in the device group that you specified in the previous step to verify that the push succeeded:

   admin@PA-3220# show threats <vulnerability/spyware> <threat_id>
   ~
   spyware {
     16002 {
       signature {
         standard {
           ips_converted_pattern {
             and-condition {
               "And Condition 1" {
                 or-condition {
                   "Or Condition 1" {
                     operator {
                       pattern-match {
                         pattern "2\x00 00 00 06 00 00 00\xDrives\x24 00\x";
                         context tcp-context-free;
                         negate no;
                       }
                     }
                   }
                 }
               }
             }
             order-free no;
             scope session;