Convert Rules Using the Panorama Web Interface

Use the Panorama™ web interface to convert IPS rules to custom PAN-OS® threat signatures.
After you install the intrusion prevention system (IPS) signature converter plugin, you can use it to translate Snort and Suricata rules into custom Palo Alto Networks threat signatures. You can then register the custom signatures on Palo Alto Networks firewalls that belong to device groups that you specify and use these custom signatures in your Vulnerability Protection and Anti-Spyware Security Profiles.
Additionally, you can export rules that list IP address indicators of compromise (IOC) and use the resultant text file as an external dynamic list to enforce policy on the entries contained in the list.
The following example uses this Snort rule:
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
  1. Select Panorama > IPS Signature Converter > Manage.
  2. Upload Signatures.
  3. Select one of two methods for uploading your rules:
    • Browse to and select a text file.
      You cannot convert binary file types, such as .pdf or .docx.
    • Paste the rules directly into the text box.
  4. Click OK.
    Your signatures will populate at least one of the following tabs: Succeeded, Succeeded with Warnings, Failed, Duplicates, or Existing Coverage.
  5. (Optional) Export rules to an indicator of compromise (IOC) list.
    Panorama converts a rule that does not contain the keywords content or PCRE into an IOC List. Export IOC List to group these rules into a text file that you can use as an external dynamic list for your Security policy rules.
    1. Select Export IOC List.
      A dialog displays any rules that converted as IOC List.
    2. Select the rules that you want to export.
    3. Enter the name of the file to which you want to export your rules.
    4. Click OK.
      The exported text file will appear in your downloads folder.
  6. Commit converted signatures to Panorama.
    1. Select the signatures you want to upload.
    2. Import Custom Signatures.
    3. Select a Device Group from the drop-down.
      Select Shared to make the signatures available to all device groups.
    4. Under the Destination column, select whether to commit the signatures as Vulnerability or Spyware.
    5. Click OK.
    6. In the top right of the screen, select and Commit to Panorama.
    7. Verify that you successfully committed your signatures.
      1. Select Objects > Custom Objects.
      2. Select either Spyware or Vulnerability, depending on how you categorized your signatures in the previous step.
  7. The firewalls must be running PAN-OS 10.0 or a later release with an active Threat Prevention license.
  8. Test your signatures on a firewall in the device group to which you pushed the signatures.
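
A pre-upload triage for step 5, as an added example that is not part of the original page or the converter plugin: it applies the criterion stated there (a rule with no content or PCRE keyword becomes an IOC List entry) to a rules file, so you can predict which rules will land in the IOC List. The parser, the function names and the two extra sample rules are assumptions, and the plugin's own conversion logic may differ.

```python
import re

# Constructed sample input: the page's Snort rule plus made-up rules
# (documentation-range addresses, placeholder sids).
SAMPLE_RULES = r'''
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
alert ip [192.0.2.10,198.51.100.0/24] any -> $HOME_NET any (msg:"Bad hosts; no content match"; sid:1000001;)
# alert tcp any any -> 203.0.113.7 443 (msg:"commented out"; sid:1000002;)
alert tcp any any -> 203.0.113.7 443 (msg:"C2 beacon"; pcre:"/\/gate\.php\?id=\d+/U"; sid:1000003;)
'''

RULE_RE = re.compile(r'^(?P<header>[^(]+)\((?P<opts>.*)\)\s*$')
# One option: keyword, then an optional value that may hold quoted strings
# (with ';' inside) or backslash-escaped characters.
OPT_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|\\.|[^;"\\])*))?;')
IP_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')

def parse_rule(line):
    """Return (header, [(keyword, value), ...]) or None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = [(k.lower(), v.strip()) for k, v in OPT_RE.findall(m['opts'])]
    return m['header'], opts

def classify(text):
    """Predict 'signature' vs 'ioc-list' per rule from its option keywords."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank or commented-out rule
        parsed = parse_rule(line)
        if parsed is None:
            results.append({'sid': None, 'kind': 'unparsed', 'ips': []})
            continue
        header, opts = parsed
        keywords = {k for k, _ in opts}  # keywords only, never text inside msg
        sid = next((v for k, v in opts if k == 'sid'), None)
        kind = 'signature' if keywords & {'content', 'pcre'} else 'ioc-list'
        results.append({'sid': sid, 'kind': kind, 'ips': IP_RE.findall(header)})
    return results

if __name__ == '__main__':
    for r in classify(SAMPLE_RULES):
        print(r['sid'], r['kind'], ', '.join(r['ips']))
```

The second sample rule has the word "content" and a semicolon inside its msg string; matching on parsed keywords rather than substrings is what keeps it classified as an IOC List candidate.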
