Create a Custom Threat Signature from a Snort Signature
Convert a third-party signature into a custom PAN-OS threat
The following steps illustrate the process
for converting a Snort signature into a custom spyware signature
compatible with Palo Alto Networks firewalls. The use case below
uses a Snort rule for a North Korean Trojan malware variant as identified
by the Department of Homeland Security, the Federal Bureau of Investigation,
and other US government partners.
With Panorama version 10.0
or later, you can use the IPS Signature Converter plugin to automatically
convert Snort and Suricata rules into custom Palo Alto Networks threat
signatures instead of manually performing the following procedure.
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
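
As an added example (not part of the original documentation or of any Palo Alto Networks tooling), the following Python parser breaks the Snort rule above into its header fields, its general options, and each content pattern with the modifiers that apply to it, which are the values a manual conversion has to carry over. The function names are hypothetical, and MODIFIERS covers only a subset of Snort's content modifiers.

```python
import re

# The Snort rule shown on this page, used as sample input.
RULE = ('alert tcp any any -> any any (msg:"Malformed_UA"; '
        'content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)')

HEADER = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
MODIFIERS = {"depth", "offset", "distance", "within", "nocase"}  # subset, by assumption

def split_options(body):
    """Split on ';' but not inside double quotes or after a backslash escape."""
    parts, buf, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            parts.append(buf.strip())
            buf = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        buf += ch
    if buf.strip():
        raise ValueError("option not terminated with ';': " + buf.strip())
    return [p for p in parts if p]

def unquote(value):
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_rule(rule):
    """Return header fields, general options, and each content with its modifiers."""
    m = re.fullmatch(r"\s*([^()]+?)\s*\((.*)\)\s*", rule, re.S)
    if not m or len(m.group(1).split()) != len(HEADER):
        raise ValueError("expected '<7 header fields> (<options>)'")
    out = dict(zip(HEADER, m.group(1).split()), options={}, contents=[])
    for opt in split_options(m.group(2)):
        key, _, value = opt.partition(":")
        key, value = key.strip(), unquote(value)
        if key == "content":
            out["contents"].append({"pattern": value, "modifiers": {}})
        elif key in MODIFIERS:
            if not out["contents"]:
                raise ValueError(key + " appears before any content option")
            # A modifier applies to the content option that precedes it.
            out["contents"][-1]["modifiers"][key] = value or True
        else:
            out["options"][key] = value
    return out
```

Calling parse_rule(RULE) shows that depth:500 belongs to the User-Agent pattern rather than to the rule as a whole, so the match position has to be considered together with that pattern when the signature is rebuilt.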