Import a Custom Threat Signature from Snort and Suricata Rules

Strata Cloud Manager supports importing Snort and Suricata rules to create custom signatures that Palo Alto Networks NGFWs can use.
You can use Strata Cloud Manager to translate Snort and Suricata rules into custom Palo Alto Networks threat signatures. You can then register the custom signatures on the Palo Alto Networks NGFWs that belong to the scope you specify (including all sub-folders within it) and use these custom signatures in your Vulnerability Protection and Anti-Spyware Security Profiles.
If you use Panorama to manage your NGFWs, you can also use the IPS Signature Converter Plugin for Panorama to convert Snort and Suricata rules into custom Palo Alto Networks threat signatures.
  1. Select Manage > Configuration > NGFW and Prisma Access > Security Services, and then select Anti-Spyware or Vulnerability Protection, depending on the signature type.
  2. From the Custom Signatures tab, select Add Custom Signature and then Import Signature.
  3. You can import signatures from a text-based file or enter the signature details manually. Whichever import method you use, each IPS rule must follow the syntax of the rule type being imported (Snort or Suricata). At a minimum, the input must contain one IPS rule per line, with no empty lines.
    Binary file types, such as a .pdf or .docx, cannot be imported.
    • Upload Signatures—Select Choose File to specify the text file containing the IPS signatures to be converted.
    • Enter Signatures Manually—Copy and paste, or type, the IPS signature contents into the text editor.
    Select Next to continue with the conversion preview.
  4. The IPS signature conversion results show a status for each entry detected in the imported content. Each status type displays, at a minimum, the signature's location in the file (by line number) and a View details option. You can select valid signature entries to convert and import into Strata Cloud Manager.
    • Succeeded—Signatures that have been successfully converted. The detected signature name is also shown, with the prefix Converted_.
    • Succeeded with Warnings—Signatures containing rules with unsupported contents. The detected signature name with the prefix Converted_ is shown, as well as any warnings generated during conversion.
    • Failed—Signatures that failed the conversion process.
    • Duplicates—Signatures that are duplicated within the same file. The location of each duplicate is shown.
    • Existing Coverage—Signatures that match against a predefined, Palo Alto Networks generated threat signature. The signatures with existing coverage are shown.
    Click Next after selecting the signature(s) that you want to import.
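Because the importer expects one rule per line with no empty lines, and the conversion preview reports duplicates by line number, it is useful to pre-check a rule file before uploading it. The following script is an added example (not Palo Alto Networks code and not part of the Strata Cloud Manager product): it drops blank lines and comments, verifies that each remaining line parses as a Snort/Suricata rule with a sid, flags exact duplicates and sid collisions by line number, and returns an import-ready body. The sample rules embedded at the bottom are constructed for illustration and are not real signatures; the regular expressions cover the common rule header and option syntax and are an assumption about how strictly the importer parses rules.

```python
"""Pre-check a Snort/Suricata rule file before importing it into Strata Cloud Manager.

Added example, not Palo Alto Networks code. Assumptions: the importer wants
exactly one rule per line with no empty lines, and duplicates are reported
by line number, as the conversion preview does.
"""
import re

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|pass|log)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*;?\s*$"
)
# One option: key, optional ":value" (quoted values may contain ';'), then ';'
OPTION_RE = re.compile(r'(?P<key>\w+)(?::\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(text):
    """Return the rule options as a dict; the first occurrence of a key wins."""
    opts = {}
    for m in OPTION_RE.finditer(text):
        val = m.group("val")
        if val is not None:
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1]
        opts.setdefault(m.group("key"), val)
    return opts


def check_rules(text):
    """Return (clean_body, report).

    clean_body is the text to upload: one valid, unique rule per line, no
    blank lines. report is a list of (line_number, status, detail) tuples
    with status in {"ok", "failed", "duplicate"}; comments and blank lines
    are dropped silently.
    """
    clean, report = [], []
    seen_sid, seen_text = {}, {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            report.append((lineno, "failed", "not a Snort/Suricata rule"))
            continue
        opts = parse_options(m.group("options"))
        sid = opts.get("sid")
        if sid is None:
            report.append((lineno, "failed", "missing sid"))
            continue
        if line in seen_text:
            report.append((lineno, "duplicate", f"same rule as line {seen_text[line]}"))
            continue
        if sid in seen_sid:
            report.append((lineno, "duplicate", f"sid {sid} already used on line {seen_sid[sid]}"))
            continue
        seen_text[line] = lineno
        seen_sid[sid] = lineno
        clean.append(line)
        report.append((lineno, "ok", f"sid {sid} msg={opts.get('msg')!r} action={m.group('action')}"))
    return "\n".join(clean), report


# Constructed sample input (not real signatures): a comment, a blank line,
# an exact duplicate, a malformed line, and a sid collision.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web path probe"; flow:to_server,established; content:"/example-admin"; http_uri; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web path probe"; flow:to_server,established; content:"/example-admin"; http_uri; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"EXAMPLE dns query"; content:"|01 00 00 01|"; sid:1000002; rev:1;)
this is not a rule
alert tcp any any -> any 443 (msg:"EXAMPLE sid collision"; content:"x"; sid:1000002; rev:2;)
"""

if __name__ == "__main__":
    body, findings = check_rules(SAMPLE_RULES)
    for lineno, status, detail in findings:
        print(f"line {lineno}: {status} - {detail}")
    print("--- import-ready body ---")
    print(body)
```

Run it on your own rule file by reading the file into `check_rules`; only the returned body should be uploaded, and any `failed` or `duplicate` entries should be resolved first so the conversion preview does not reject or skip them.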
  5. For each signature that you selected, you can update the Type, Severity level, and Action. These settings determine how the signature is categorized and enforced when it is used in security policies.
    The default Severity level and Action for a converted signature are inherited from the Snort or Suricata signature, while the Type is set to Vulnerability by default.
    • Type—Select either Vulnerability or Spyware, depending on how the signature should be categorized. This is set to Vulnerability by default.
    • Severity level—Select from Critical, High, Medium, Informational, or Low. For details on severity levels, refer to: Log Types and Severity Levels.
    • Action—Select from Alert, Drop, Reset-Client, Reset-Server, Reset-Both, and Allow. For details on actions, refer to: Actions in Security Profiles.
    Click Import when finished.
  6. The newly added custom signatures and the current configuration are displayed under the associated security service type, either Vulnerability or Anti-Spyware.
  7. Push your configuration changes to the NGFWs contained within the scope.