1. Home
    2. PAN-OS
    3. Custom Application IDs and Signatures
    4. Custom Application and Threat Signatures
    5. Create a Custom Threat Signature

    Create a Custom Threat Signature

    Learn how to create custom anti-spyware and vulnerability threat signatures.
    To create a custom threat signature, you must do the following:
    • Research the application using packet capture and analyzer tools
    • Identify patterns in the packet captures
    • Build your signature
    • Validate your signature
    Be sure to Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to specify how the firewall responds when it detects a threat.
    To create a threat signature with time attributes, see create a combination signature.
    1. Add a custom threat.
      1. Click
        Objects
        Custom Objects
        Spyware/Vulnerability
         and then click
        Add
        .
      2. Under
        Configuration
        , fill out the following required fields in the General and Properties sections.
        • Threat ID
          • For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
          • For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
        • Name
          —Specify the threat name.
        • Severity
          —Select the severity of the threat.
    2. Define your signature.
      1. Under
        Signatures
        , leave
        Standard
         selected unless you wish to Create a Combination Signature.
        Add
         a new signature.
      2. Specify the following information:
        • Standard
          —Enter a name to identify the signature.
        • Comment
          —Enter an optional description.
        • Ordered Condition Match
          —If the order in which the firewall attempts to match the signature definitions is important, make sure the check box is selected.
        • Scope
          —Indicate whether this signature applies to a full
          Session
           or a single
          Transaction
          .
      3. Specify the matching conditions by clicking
        Add And Condition
         or
        Add Or Condition
        .
      4. Select an
        Operator
         to define the conditions that must be true for a signature to match traffic.
        • If you select
          Pattern Match
          , specify the following:
          • Context
            —Select from available custom signature contexts.
          • Pattern
            —Use a regular expression to define this attribute.
          • Optionally,
            Add
             a qualifier/value pair.
            Qualifiers are context-dependent and limit the match condition for the given context.
          • Select
            Negate
             to signal a condition under which the custom signature does not trigger. The custom signature matches to traffic only when this condition is false.
            • A custom signature cannot be created with only Negate conditions. You must include at least one positive condition in your definition.
            • If the signature’s scope is set to Session, a negative condition cannot be configured as the last condition to match to traffic.
        You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature is not generated for URLs that redirect to a trusted domain.
        • If you select an
          Equal To
          ,
          Less Than
          , or
          Greater Than
           operator, specify a
          Context
           and a
          Value
          .
      5. Repeat sub-steps 3 and 4 for each matching condition.
        If you leave
        Ordered Condition Match
         selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click
        Move Up
         or
        Move Down
        .
        You cannot move conditions from one group to another.
    3. Save the custom threat.
      1. Click
        OK
         to save the custom threat.
    4. Enable your custom signature.
      1. Go to
        Security Profiles
        Anti-Spyware/Vulnerability Protection
         and select an existing profile.
      2. Under
        Exceptions
        ,
        Show All Signatures
        , enter the Threat ID you created, and
        Enable
         it.
      3. Click
        OK
        .
    5. Commit
       your changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo