Custom Application IDs and Signatures
    : Convert Rules Using the Panorama Web Interface
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Custom Application IDs and Signatures
    4. IPS Signature Converter Plugin for Panorama
    5. Convert Rules Using the Panorama Web Interface
    Download PDF

    Custom Application IDs and Signatures

    Convert Rules Using the Panorama Web Interface

    Table of Contents

    Convert Rules Using the Panorama Web Interface

    Use the Panorama™ web interface to convert IPS rules to custom PAN-OS
    ®
     threat signatures.
    After you install the intrusion prevention system (IPS) signature converter plugin, you can use it to translate Snort and Suricata rules into custom Palo Alto Networks threat signatures. You can then register the custom signatures on Palo Alto Networks firewalls that belong to device groups that you specify and use these customer signatures in your Vulnerability Protection and Anti-Spyware Security Profiles.
    Additionally, you can export rules that list IP address indicators of compromise (IOC) and use the resultant text file as an external dynamic list to enforce policy on the entries contained in the list.
    The following example uses this Snort rule: 
    alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
    1. Select
      Panorama
      IPS Signature Converter
      Manage
      .
    2. Upload Signatures
      .
    3. Select one of two methods for uploading your rules:
      • Browse
         to and select a text file.
        You cannot convert binary file types, such as .pdf or .docx.
      • Paste the rules directly into the text box.
      You can upload only 300 rules at a time for conversion.
    4. Click
      OK
      .
      Your signatures will populate at least one of the following tabs:
      Succeeded
      ,
      Succeeded with Warnings
      ,
      Failed
      ,
      Duplicates
      , or
      Existing Coverage
      .
    5. (
      Optional
      ) Export rules to an indicator of compromise (IOC) list.
      Panorama converts a rule that does not contain the keywords
      content
       or
      PCRE
       into an
      IOC List
      .
      Export IOC List
       to group these rules into a text file that you can use as an external dynamic list for your Security policy rules.
      1. Select
        Export IOC List
        .
        A dialog displays any rules that converted as
        IOC List
        .
      2. Select the rules that you want to export.
      3. Enter the name of the file to which you want to export your rules.
      4. Click
        OK
        .
        The exported text file will appear in your downloads folder.
    6. Commit converted signatures to Panorama.
      1. Select the signatures you want to upload.
      2. Import Custom Signatures
        .
      3. Select a Device Group from the drop-down.
        Select
        Shared
         to make the signatures available to all device groups.
      4. Under the Destination column, select whether to commit the signatures as
        Vulnerability
         or
        Spyware
        .
      5. Click
        OK
        .
      6. In the top right of the screen, select and Commit to Panorama.
      7. Verify that you successfully committed your signatures.
        1. Select
          Objects
          Custom Objects
          .
        2. Select either
          Spyware
           or
          Vulnerability
          , depending on how you categorized your signatures in the previous step.
    7. The firewalls must be running PAN-OS 10.0 or a later release with an active Threat Prevention license.
    8. Test your signatures on a firewall in the device group to which you pushed the signatures.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.