Convert Rules Using the Panorama XML API
Table of Contents
Convert Rules Using the Panorama XML API
How to use the IPS Signature Plugin XML API to convert
Snort and Suricata rules to Anti-Spyware or Vulnerability Protection
profiles.
The Panorama XML API enables you to convert
Snort and Suricata, open-source intrusion prevention system (IPS)
rules to custom Palo Alto Networks threat signatures. You can then
use the XML API to import the custom rules as Vulnerability Protection
and Anti-Spyware Security profiles.
Because the PAN-OS
®
XML
API uses a tree of XML nodes, you must specify the correct type
and action in your API request along with the XPath Node Selection.
See Explore the API to learn
how to construct XML requests.You can not convert
rule files through the CLI. If you want to convert a file with multiple
rules in it, use the Panorama web interface.
- Convert Snort or Suricata policy rules to Base64 URL encoded format.You can use a free, browser-based tool (example.This example uses the following Snort rule:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
- Make a request to convert the rule to a custom PAN-OS threat signature.curl -X POST ’https://<firewall>/api/?key=key&type=op&cmd=<request><plugins><ips-signature-converter><convert><b64-encode>YWxlcnQgdGNwICRIT01FX05FVCBhbnkgLT4gJEVYVEVSTkF MX05FVCBhbnkgKG1zZzoiRVQgQ0hBVCBZYWh vbyBJTSBjb25mZXJlbmNlIG1lc3NhZ2UiOyBmbG93OiB0b19zZXJ2ZXIs ZXN0YWJsaXNoZWQ7IGNvbnRlbnQ6IllNU0ciOyBub2Nhc2U7IGRlcHRoO iA0OyBjb250ZW50OiJ8MDAgMUR8Ijsgb2Zmc2V0OiAxMDsgZGVwdGg 6IDI7IHJlZmVyZW5jZTp1cmwsZG9jLmVtZXJnaW5ndGhyZWF0cy5uZXQvMjAwM TI1ODsgY2xhc3N0eXBlOnBvbGljeS12aW9sYXRpb247IHNpZDoyMDAx MjU4OyByZXY6NzsgbWV0YWRhdGE6Y3JlYXRlZF9hdCAyMDEwXzA3XzMwLCB1cGRh dGVkX2F0IDIwMTBfMDdfMzA7KQ==</b64-encode></convert></ips-signature-converter></plugins></request>’The response contains details about the rules (see previous details for more information):<response status="success"> <result> <result> <status>pass</status> <msg> <convert-result> <extra-msg></extra-msg> <failed-count>0/1</failed-count> <failed></failed> <duplicated-count>0/1</duplicated-count> <duplicated></duplicated> <skipped-count>0/1</skipped-count> <skipped></skipped> <warned-count>1/1</warned-count> <warned> <entry name="1"> <type>plain</type> <sig_type>vulnerability</sig_type> <line>1</line> <title>Converted_ET CHAT Yahoo IM conference message_2001258</title> <action>alert</action> <severity>low</severity> <info> <entry name="0"> <msg>[performance_impact] use of tcp-context-free (YMSG)</msg> <start_offset>127</start_offset> <end_offset>131</end_offset> </entry> </info> </entry> </warned> <succeed-count>0/1</succeed-count> <succeed></succeed> </convert-result> </msg> </result> </result> </response>Set the properties for rules that you converted.Use the line number of a converted rule and set the properties. For example:
- Type set tospyware.
- Action when detected set toalert.
- Severity set tolow.
curl -X POST 'https://<firewall>/api/?type=op&key=LUFRPT0&cmd=<request><plugins><ips-signature-converter><set-properties><default-action>alert</default-action><lines>1</lines><severity>low</severity><signature-type>spyware</signature-type></set-properties></ips-signature-converter></plugins></request>'The resulting success message:<response status="success"> <result> <result> <status>pass</status> <msg> <set-properties-result> <entry name="1"> <line>1</line> <sig_type>spyware</sig_type> <action>alert</action> <severity>low</severity> <status>success</status> </entry> </set-properties-result> </msg> </result> </result> </response>(Optional) View the results of the converted rules.The following request results in output that displays all successfully converted rules and the properties associated with each.curl-X GET ‘https://<firewall>/api/?type=op&key=apikey&cmd=<show><plugins><ips-signature-converter><results></results></ips-signature-converter></plugins></show>The resulting success message:<response status="success"> <result> <result> <status>pass</status> <msg> <line>1</line> <status>warned</status> <rule>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)</rule> <type>plain</type> <sig_type>spyware</sig_type> <title>Converted_ET CHAT Yahoo IM conference message_2001258</title> <action>alert</action> <severity>low</severity> <perf_score>10</perf_score> <perf_level>high</perf_level> <info> <entry name="0"> <msg>[performance_impact] use of tcp-context-free (YMSG)</msg> <start_offset>127</start_offset> <end_offset>131</end_offset> </entry> </info> <signatures> <entry name="0"> <context> <