Create a Custom Threat Signature

Learn how to create custom anti-spyware and vulnerability threat signatures.
To create a custom threat signature, you must do the following:
  • Research the application using packet capture and analyzer tools
  • Identify patterns in the packet captures
  • Build your signature
  • Validate your signature
Be sure to Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to specify how the firewall responds when it detects a threat.
To create a threat signature with time attributes, see create a combination signature.
  1. Add a custom threat.
    1. Click
      Custom Objects
      and then click
    2. Under
      , fill out the following required fields in the General and Properties sections.
      • Threat ID
        • For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
        • For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
      • Name
        —Specify the threat name.
      • Severity
        —Select the severity of the threat.
  2. Define your signature.
    1. Under
      , leave
      selected unless you wish to Create a Combination Signature.
      a new signature.
    2. Specify the following information:
      • Standard
        —Enter a name to identify the signature.
      • Comment
        —Enter an optional description.
      • Ordered Condition Match
        —If the order in which the firewall attempts to match the signature definitions is important, make sure the check box is selected.
      • Scope
        —Indicate whether this signature applies to a full
        or a single
    3. Specify the matching conditions by clicking
      Add And Condition
      Add Or Condition
    4. Select an
      to define the conditions that must be true for a signature to match traffic.
      • If you select
        Pattern Match
        , specify the following:
        • Context
          —Select from available custom signature contexts.
        • Pattern
          —Use a regular expression to define this attribute.
        • Optionally,
          a qualifier/value pair.
          Qualifiers are context-dependent and limit the match condition for the given context.
        • Select
          to signal a condition under which the custom signature does not trigger. The custom signature matches to traffic only when this condition is false.
          • A custom signature cannot be created with only Negate conditions. You must include at least one positive condition in your definition.
          • If the signature’s scope is set to Session, a negative condition cannot be configured as the last condition to match to traffic.
      You can define exceptions for custom vulnerability or spyware signatures using the new option to negate signature generation when traffic matches both a signature and the exception to the signature. Use this option to allow certain traffic in your network that might otherwise be classified as spyware or a vulnerability exploit. In this case, the signature is generated for traffic that matches the pattern; traffic that matches the pattern but also matches the exception to the pattern is excluded from signature generation and any associated policy action (such as being blocked or dropped). For example, you can define a signature to be generated for redirected URLs; however, you can now also create an exception where the signature is not generated for URLs that redirect to a trusted domain.
      • If you select an
        Equal To
        Less Than
        , or
        Greater Than
        operator, specify a
        and a
    5. Repeat sub-steps 3 and 4 for each matching condition.
      If you leave
      Ordered Condition Match
      selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click
      Move Up
      Move Down
      You cannot move conditions from one group to another.
  3. Save the custom threat.
    1. Click
      to save the custom threat.
  4. Enable your custom signature.
    1. Go to
      Security Profiles
      Anti-Spyware/Vulnerability Protection
      and select an existing profile.
    2. Under
      Show All Signatures
      , enter the Threat ID you created, and
    3. Click
  5. Commit
    your changes.

Recommended For You