Custom Application IDs and Signatures
    : Convert Rules Using the Panorama CLI
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Custom Application IDs and Signatures
    4. IPS Signature Converter Plugin for Panorama
    5. Convert Rules Using the Panorama CLI
    Download PDF

    Custom Application IDs and Signatures

    Convert Rules Using the Panorama CLI

    Table of Contents

    Convert Rules Using the Panorama CLI

    Use the Panorama CLI to convert IPS rules in custom PAN-OS® threat signatures.
    In addition to the web interface, you can use the command-line interface (CLI) to convert Snort and Suricata rules into custom PAN-OS® threat signatures. This example uses the following Snort rule:
    alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )
    You can not convert rule files through the CLI. If you want to convert a file with multiple rules in it, use the Panorama web interface.
    The CLI Quick Start contains additional CLI commands.
    1. Encode the rule in Base64 format.
      You can do this using a free, browser-based tool (example).
      Before encoding the rule, ensure there are no line breaks. Otherwise, the line breaks are encoded and cause the rule conversion in the subsequent step to fail.
    2. Convert the encoded rule:
      admin@demo-panorama-vm> request plugins ips-signature-converter convert b64-encode <base64_encoded_rule>

LINE# TITLE                    RESULT     TYPE        CONVERTER_MSG
1     Converted_MALWARE-       Succeed    Plain       None
      BACKDOOR -
      Dagger_1.4.0_105

Summary: Total:1, Succeed:1, Warnings:0, Existing Coverage:0, Duplicated:0, Failed:0
    3. (Optional) Change the signature type.
      If your signature is for protection against spyware, you can set the type as spyware so that Panorama imports it as an Anti-Spyware signature. Otherwise, rules convert as vulnerability by default.
      admin@demo-panorama-vm> request plugins ips-signature-converter set-properties signature-type <vulnerability/spyware> lines <line_number>

LINE# TITLE                               SIG_TYPE      ACTION     SEVERITY
1     Converted_MALWARE-BACKDOOR -        spyware       alert      low
      Dagger_1.4.0_105
    4. Import the signature to Panorama:
      admin@demo-panorama-vm> request plugins ips-signature-converter import-custom-signatures device-group <device_group> lines <line_number>

LINE# TITLE                           THREAT_ID STATUS  DETAIL
1     Converted_MALWARE-BACKDOOR -    16002     Success Import Succeeded
      Dagger_1.4.0_105
      If you do not specify a device-group, Panorama imports the signature to the Shared location.
    5. Commit your changes to Panorama:
      admin@demo-panorama-vm# commit

Commit job 707 is in progress. Use Ctrl+C to return to command prompt
...23%.59%80%.......90%.....100%
Configuration committed successfully
    6. Push the signatures to a device group:
      @demo-panorama-vm> commit-all shared-policy device-group <device_group> 

Job enqueued with jobid 709
709
    7. Log in to a firewall in the device group that you specified in the previous step to verify that the push succeeded:
      admin@PA-3220# show threats <vulnerability/spyware> <threat_id>
~
spyware {
  16002 {
    signature {
      standard {
        ips_converted_pattern {
          and-condition {
            "And Condition 1" {
              or-condition {
                "Or Condition 1" {
                  operator {
                    pattern-match {
                      pattern "2\x00 00 00 06 00 00 00\xDrives\x24 00\x";
                      context tcp-context-free;
                      negate no;
                    }
                  }
                }
              }
            }
          }
          order-free no;
          scope session;

    © 2025 Palo Alto Networks, Inc. All rights reserved.