Create a Combination Signature

Learn how to use a time attribute in combination with an existing threat signature.
You can create a combination signature to monitor the frequency and rate of matches to a signature on your network. You’ll need to know the Threat ID of an existing threat signature or create a custom threat signature that detects a particular event such as a Wordpress login attempt. When you configure your combination signature, you’ll have to specify the time conditions for matches to the threat—x number of hits in y number of seconds. You can adjust the time attribute according to needs and experience.
  1. Add a custom threat.
    1. Click
      Objects
      Custom Objects
      Spyware/Vulnerability
      and then click
      Add
      .
    2. Under
      Configuration
      , fill out the following required fields in the General and Properties sections.
      • Threat ID
        • For a vulnerability signature, enter a numeric ID between 41000 and 45000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6800001 and 6900000.
        • For a spyware signature, the ID should be between 15000 and 18000. If the firewall runs PAN-OS 10.0 or later, the ID can also be between 6900001 and 7000000.
      • Name
        —Specify the threat name.
      • Severity
        —Select the severity of the threat.
  2. Define your signature.
    1. Click
      Signatures
      and select
      Combination
      .
    2. Under
      Combination Signatures
      , click
      Add And Condition
      or
      Add Or Condition
      .
      • To add a condition within a group, select the group and click
        Add Condition
        .
      • To move a condition within a group, select the condition and click
        Move Up
        or
        Move Down
        .
        You cannot move conditions from one group to another.
      • To move a group, select the group and click
        Move Up
        or
        Move Down
        .
    3. Choose the
      Threat ID
      for the signature you’d like to use. You may also edit the condition name.
    4. Under
      Time Attribute
      specify the following:
      • Number of Hits
        —Specify the threshold that will trigger any policy-based action as a number of hits (1-1000) in a specified number of seconds (1-3600).
      • Aggregation Criteria
        —Specify whether the hits are tracked by source IP address, destination IP address, or a combination of source and destination IP addresses.
      • To move a condition within a group, select the condition and click
        Move Up
        or
        Move Down
        .
        You cannot move conditions from one group to another.
      • To move a group, select the group and click
        Move Up
        or
        Move Down
        .
    5. Repeat sub-steps 2, 3, and 4 for each matching condition.
      If you leave
      Ordered Condition Match
      selected, make sure the condition or group of conditions is in the desired order. The most specific conditions should come first. To order the conditions: Select a condition or a group and click
      Move Up
      or
      Move Down
      .
      You cannot move conditions from one group to another.
  3. Save the custom threat.
    1. Click
      OK
      to save the custom threat.
    2. Commit
      your signature(s).

Recommended For You