: Known Issues in the IPS Signature Converter Plugin 2.0.2
Focus
Focus

Known Issues in the IPS Signature Converter Plugin 2.0.2

Table of Contents

Known Issues in the IPS Signature Converter Plugin 2.0.2

Known issues in the Panorama intrusion prevention system (IPS) Signature Converter plugin 2.0.2.
The following list describes known issues in the Panorama intrusion prevention system (IPS) Signature Converter plugin 2.0.1.

CON-47699

You can only upload entire rule files for conversion through the Panorama web interface.

CON-47902

Some Snort rule options are not supported. Valid rule options are either supported and convert into custom PAN-OS threat signatures or they are ignored because they do not have an equivalent in the PAN-OS signature format. Rule options that are neither supported nor ignored will cause conversion to fail and display a warning message. See below for all valid rule options:
Supported
Ignored
  • msg
  • flow
  • reference
  • pcre
  • content
  • threshold
  • detection_filter
  • service
  • modifier
  • metadata
  • sid
  • distance
  • within
distance
and
within
are only supported with unnegated
content
patterns. With
pcre
or negated
content
patterns, they are ignored.
  • flowbits
  • classtype
  • rev
  • dsize
  • gid
  • flags
  • isdataat
  • urilen
  • bufferlen
  • priority
  • offset
  • depth

CON-47904

Rules will not convert if they contain the following regex constructs:

CON-47905

Rules will not convert if they contain the following modifiers:
  • rawbytes
  • http_raw_cookie
  • http_raw_header
  • http_raw_host
  • http_raw_uri

CON-47907

A rule will not convert if the only condition in it is negated with the
!
operator.
Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; http_uri; content:"/ProductImage/index.asp",fast_pattern,nocase; http_header; content:!"Referer:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:49467; rev:1; )
Also, if the final condition of a rule is negated, it will convert with the following warning:
[FP risk] The order of the conditions are swapped since the last condition is negate
Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)

CON-47908

A rule that contains more than 16 conditions strung together using semicolons (
;
) will not convert.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt"; flow:to_server,established; file_data; content:"window.location.href"; nocase; content:"="; within:10; content:"window.location.href"; within:40; nocase; content:"<script"; distance:0; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3326; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39827; rev:4;)

CON-47909

If a rule uses any of these content modifiers—
depth
,
within
,
offset
, or
distance
—they must use integer values or the rule will not convert.

CON-47910

A rule that contains a regular expression longer than 127 characters will not convert.

CON-47911

The converter accepts only Snort rules with headers that contain one of the following actions:
  • alert
  • drop
  • log
  • pass
  • reject
  • sdrop

CON-47914

When you
Upload Signatures
, the size of your submission can’t exceed 8MB.

PAN-142770

Patterns using unsupported regex constructs might convert and import successfully but will cause a commit failure when you try to
Commit and Push
these patterns to your firewalls.
Example:
A rule that uses atomic grouping, an unsupported construct, will convert but will cause a commit failure:
alert tcp any any -> any any (msg:"Atomic Grouping test rule"; flow:to_server; pcre:"/a(?>bc|b)c/iU";)

CON-48803

Rules with the
threshold
keyword set to
type threshold
or
type both
will convert as brute force signatures. However, if you convert a rule with the
threshold
keyword set to
type limit
, the rule will convert into a regular custom signature that will match when the conditions in the signature are true. For details about these keywords, see the Suricata documentation.

CON-48921

A brute force rule using the
threshold
keyword with
seconds
greater than 3600 will not convert.
Example:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 Jorgee|0d 0a|"; http_header; fast_pattern:12,20; threshold: type limit, track by_dst, count 3, seconds 3601; metadata: former_category WEB_SERVER; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:2; metadata:created_at 2015_06_26, updated_at 2017_05_01

PAN-144773

Two signatures that contain similar patterns for the same context may cause a commit failure when you push them to firewalls.
Example: Two signatures contain the following patterns, both written for the
file-data
context:
*\/2\.0\/method *\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)

CON-48472

There is a maximum of 63 characters allowed for a URL in the
reference
option of a rule. The converter ignores URLs that exceed the 63-character limit.
Example: This URL is ignored
reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/
when you convert the following rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01

CON-47906

A rule to prevent brute force attacks by using the
threshold
element must have a
count
between 1 and 255 to convert successfully.

PLUG-5153

The
depth
and
offset
rule modifiers are ignored.

PLUG-5405

A rule fails conversion when it includes a
pcre
pattern that would convert to use the
tcp-context-free
,
udp-context-free
, or
file-data
custom signature context.

PLUG-5343

A rule with multiple
content
patterns that use the
distance
or
within
modifiers converts differently depending on whether any of the patterns are negated.
If none, the converter concatenates the patterns. If one or more are negated with
!
, then the converter does not concatenate them.
Example:
A rule that contains
distance
and
within
but no negated patterns:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Ios.Backdoor.SYNful inbound connection"; flow:to_server,established; content:"text"; depth:4; offset:78; content:"|00 00 00|"; within:3; distance:1; content:"|45 25 6D|"; within:3; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1205; reference:url,blogs.cisco.com/security/synful-knock; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=40411; classtype:trojan-activity; sid:36054; rev:5;)
converts into:
<vulnerability-threat version="10.0.0"> <entry name="6800001"> <signature> <standard> <entry name="ips_converted_pattern"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>text.{1,1}\x00 00 00\x.{1,1}E%m</pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>session</scope> </entry> </standard> </signature> <default-action> <alert/> </default-action> <reference> <member>attack.mitre.org/techniques/T1205</member> <member>blogs.cisco.com/security/synful-knock</member> <member>tools.cisco.com/security/center/viewAlert.x?alertId=40411</member> </reference> <threatname>Converted_MALWARE-CNC Ios.Backdoor.SYNful inbound connection_36054</threatname> <severity>low</severity> <direction>client2server</direction> <affected-host> <server>yes</server> </affected-host> </entry> </vulnerability-threat>
However, a rule with negated patterns:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:<13; content:".htm" ; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.htm$/U" ; content:!"BridgitAgent" ; http_header; content:!"Accept" ; http_header; content:!"Referer" ; http_header; content:!"Content-Type" ; http_header; content:"Content-Length|3a 20|" ; content:!"0|0d 0a|" ; within:3; content:"|0d 0a|" ; distance:0; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:trojan-activity; sid:2017191; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;))
converts into:
<vulnerability-threat version="10.0.0"> <entry name="6800001"> <signature> <standard> <entry name="ips_converted_pattern"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>\.htm</pattern> <context>http-req-uri</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 2"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>\/[^\x2f\x]+?\.htm</pattern> <context>http-req-uri</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 3"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>BridgitAgent</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 4"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>Accept</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 5"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>Referer</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 6"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>Content-Type</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 7"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>Content-Length: </pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 8"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>0\x0d 0a\x</pattern> <context>tcp-context-free</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 9"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>\x0d 0a\x</pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>session</scope> </entry> </standard> </signature> <default-action><alert/></default-action> <threatname>Converted_ET TROJAN Win32 Kelihos.F Checkin_2017191</threatname> <severity>low</severity> <direction>client2server</direction> <affected-host> <server>yes</server> </affected-host> </entry> </vulnerability-threat>

Recommended For You