Convert Rules Using the Panorama CLI

Use the Panorama CLI to convert IPS rules in custom PAN-OS
®
threat signatures.
In addition to the web interface, you can use the command-line interface (CLI) to convert Snort and Suricata rules into custom PAN-OS
®
threat signatures. This example uses the following Snort rule:
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )
You can not convert rule files through the CLI. If you want to convert a file with multiple rules in it, use the Panorama web interface.
The CLI Quick Start contains additional CLI commands.
  1. Encode the rule in Base64 format.
    You can do this using a free, browser-based tool (example).
    Before encoding the rule, ensure there are no line breaks. Otherwise, the line breaks are encoded and cause the rule conversion in the subsequent step to fail.
  2. Convert the encoded rule:
    admin@demo-panorama-vm>
    request plugins ips-signature-converter convert b64-encode
    <base64_encoded_rule>
    LINE# TITLE RESULT TYPE CONVERTER_MSG 1 Converted_MALWARE- Succeed Plain None BACKDOOR - Dagger_1.4.0_105 Summary: Total:1, Succeed:1, Warnings:0, Existing Coverage:0, Duplicated:0, Failed:0
  3. (
    Optional
    ) Change the signature type.
    If your signature is for protection against spyware, you can set the type as
    spyware
    so that Panorama imports it as an Anti-Spyware signature. Otherwise, rules convert as
    vulnerability
    by default.
    admin@demo-panorama-vm>
    request plugins ips-signature-converter set-properties signature-type
    <vulnerability/spyware>
    lines
    <line_number>
    LINE# TITLE SIG_TYPE ACTION SEVERITY 1 Converted_MALWARE-BACKDOOR - spyware alert low Dagger_1.4.0_105
  4. Import the signature to Panorama:
    admin@demo-panorama-vm>
    request plugins ips-signature-converter import-custom-signatures device-group
    <device_group>
    lines
    <line_number>
    LINE# TITLE THREAT_ID STATUS DETAIL 1 Converted_MALWARE-BACKDOOR - 16002 Success Import Succeeded Dagger_1.4.0_105
    If you do not specify a
    device-group
    , Panorama imports the signature to the Shared location.
  5. Commit your changes to Panorama:
    admin@demo-panorama-vm#
    commit
    Commit job 707 is in progress. Use Ctrl+C to return to command prompt ...23%.59%80%.......90%.....100% Configuration committed successfully
  6. Push the signatures to a device group:
    @demo-panorama-vm>
    commit-all shared-policy device-group
    <device_group>
    Job enqueued with jobid 709 709
  7. Log in to a firewall in the device group that you specified in the previous step to verify that the push succeeded:
    admin@PA-3220#
    show threats
    <vulnerability/spyware>
    <threat_id>
    ~ spyware { 16002 { signature { standard { ips_converted_pattern { and-condition { "And Condition 1" { or-condition { "Or Condition 1" { operator { pattern-match { pattern "2\x00 00 00 06 00 00 00\xDrives\x24 00\x"; context tcp-context-free; negate no; } } } } } } order-free no; scope session;

Recommended For You