Limitations

Limitations associated with the IPS Signature Converter plugin.
The following are limitations associated with the IPS Signature Converter plugin.
Issue ID
Description
CON-47912
You can upload only 100 rules at a time for conversion. If you attempt to upload more than 100 rules, the plugin will convert only the first 100 rules and then will display a warning.
CON-47912
The converter supports only rules with headers that contain one of five protocols:
  • tcp
  • udp
  • icmp
  • smb
  • http
PAN-159486
The converter always treats certain fields as either case-sensitive or case-insensitive, even if the original custom signature specifies case-sensitivity using
nocase
or
\i
. The following fields are always case-sensitive:
  • http-rsp-reason
  • http-rsp-headers
  • http-rsp-code
  • http-req-mime-form-data
  • file-data
The following are always case-insensitive:
  • http-req-uri
  • http-req-headers
  • http-req-host-header
  • http-req-user-agent-header
  • tcp-context-free
  • udp-context-free
PLUG-6375
Snort rules that use the
soid
keyword are not supported.
PLUG-6183
Snort rules for enabling or disabling decoder and preprocessor events are not supported.
PLUG-6155
Converted Snort/Suricata rules with large values for the
within
keyword can result in long commit times on PA-220 and PA-850 platforms. As a result, the maximum supported value of
within
is
100
. The converter will reduce any value greater than that to
100
.
PLUG-5405
A rule fails conversion when it includes a
pcre
pattern that would convert to use the
tcp-context-free
,
udp-context-free
, or
file-data
custom signature context.

Recommended For You