Create a Custom Threat Signature
Learn how to create custom anti-spyware and vulnerability threat signatures.
To create a custom threat signature, you must do the following:
- Research the application using packet capture and analyzer tools
- Identify patterns in the packet captures
- Build your signature
- Validate your signature
Be sure to Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to specify how the firewall responds when it detects a threat.
Refer to the list of Custom Signature Contexts, Threat Details and Syntax for Regular Expression Data Patterns while building your signature.
To create a threat signature with time attributes, see create a combination signature.
- Add a custom threat.
- Clickand then clickObjectsCustom ObjectsSpyware/VulnerabilityAdd.
- UnderConfiguration, fill out the following required fields in the General and Properties sections.
- Threat ID
- For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
- For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
- Name—Specify the threat name.
- Severity—Select the severity of the threat.
- Define your signature.
- UnderSignatures, leaveStandardselected unless you wish to Create a Combination Signature.Adda new signature.
- Specify the following information:
- Standard—Enter a name to identify the signature.
- Comment—Enter an optional description.
- Ordered Condition Match—If the order in which the firewall attempts to match the signature definitions is important, make sure the check box is selected.
- Scope—Indicate whether this signature applies to a fullSessionor a singleTransaction.
- Specify the matching conditions by clickingAdd And ConditionorAdd Or Condition.
- Select anOperatorto define the conditions that must be true for a signature to match traffic.
You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature is not generated for URLs that redirect to a trusted domain.
- If you selectPattern Match, specify the following:
- Pattern—Use a regular expression to define this attribute.
- Optionally,Adda qualifier/value pair.Qualifiers are context-dependent and limit the match condition for the given context.
- SelectNegateto signal a condition under which the custom signature does not trigger. The custom signature matches to traffic only when this condition is false.
- A custom signature cannot be created with only Negate conditions. You must include at least one positive condition in your definition.
- If the signature’s scope is set to Session, a negative condition cannot be configured as the last condition to match to traffic.
- If you select anEqual To,Less Than, orGreater Thanoperator, specify aContextand aValue.
- Repeat sub-steps 3 and 4 for each matching condition.If you leaveOrdered Condition Matchselected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and clickMove UporMove Down.You cannot move conditions from one group to another.
- Save the custom threat.
- ClickOKto save the custom threat.
- Enable your custom signature.
- Go toand select an existing profile.Security ProfilesAnti-Spyware/Vulnerability Protection
- UnderExceptions,Show All Signatures, enter the Threat ID you created, andEnableit.
- Commityour changes.
Recommended For You
Recommended videos not found.