Known Issues in the IPS Signature Converter Plugin 1.0.4
The following list describes known issues in the Panorama intrusion prevention system (IPS) Signature Converter plugin 1.0.4.
CON-47699
You can only upload entire rule files for conversion through the Panorama web interface.
CON-47902
Some Snort rule options are not supported. Valid rule options are either supported, in which case they convert into custom PAN-OS threat signatures, or ignored because they have no equivalent in the PAN-OS signature format. Rule options that are neither supported nor ignored cause conversion to fail and display a warning message. See below for all valid rule options:
Supported | Ignored |
---|---|
distance and within are only supported with unnegated content patterns. With pcre or negated content patterns, they are ignored. | |
CON-47904
Rules will not convert if they contain the following regex constructs:
CON-47905
Rules will not convert if they contain the following modifiers:
- rawbytes
- http_raw_cookie
- http_raw_header
- http_raw_host
- http_raw_uri
CON-47907
A rule will not convert if the only condition in it is negated with the ! operator. Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; http_uri; content:"/ProductImage/index.asp",fast_pattern,nocase; http_header; content:!"Referer:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; service:http; classtype:trojan-activity; sid:49467; rev:1; )
Also, if the final condition of a rule is negated, it will convert with the following warning:
[FP risk] The order of the conditions are swapped since the last condition is negate
Example:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; content:"GET"; http_method; content:".jpg?resid="; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:trojan-activity; sid:2021200; rev:1; metadata:created_at 2015_06_08, updated_at 2015_06_08;)
CON-47908
A rule that contains more than 16 conditions strung together using semicolons (;) will not convert. Example:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt"; flow:to_server,established; file_data; content:"window.location.href"; nocase; content:"="; within:10; content:"window.location.href"; within:40; nocase; content:"<script"; distance:0; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; content:"<script"; within:100; nocase; content:"src"; within:40; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-3326; reference:url,technet.microsoft.com/en-us/security/bulletin/ms16-095; classtype:attempted-user; sid:39827; rev:4;)
CON-47909
If a rule uses any of the content modifiers depth, within, offset, or distance, they must use integer values or the rule will not convert.
CON-47910
A rule that contains a regular expression longer than 127 characters will not convert.
CON-47911
The converter accepts only Snort rules with headers that contain one of the following actions:
- alert
- drop
- log
- pass
- reject
- sdrop
CON-47914
When you Upload Signatures, the size of your submission can’t exceed 8MB.
PAN-142770
Patterns using unsupported regex constructs might convert and import successfully but will cause a commit failure when you try to Commit and Push these patterns to your firewalls. Example: A rule that uses atomic grouping, an unsupported construct, will convert but will cause a commit failure:
alert tcp any any -> any any (msg:"Atomic Grouping test rule"; flow:to_server; pcre:"/a(?>bc|b)c/iU";)
CON-48803
Rules with the threshold keyword set to type threshold or type both will convert as brute force signatures. However, if you convert a rule with the threshold keyword set to type limit, the rule will convert into a regular custom signature that will match when the conditions in the signature are true. For details about these keywords, see the Suricata documentation.
CON-48921
A brute force rule using the threshold keyword with seconds greater than 3600 will not convert. Example:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 Jorgee|0d 0a|"; http_header; fast_pattern:12,20; threshold: type limit, track by_dst, count 3, seconds 3601; metadata: former_category WEB_SERVER; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:2; metadata:created_at 2015_06_26, updated_at 2017_05_01
PAN-144773
Two signatures that contain similar patterns for the same context may cause a commit failure when you push them to firewalls. Example: Two signatures contain the following patterns, both written for the file-data context:
- \/2\.0\/method
- \/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)
CON-48472
There is a maximum of 63 characters allowed for a URL in the reference option of a rule. The converter ignores URLs that exceed the 63-character limit. Example: This URL is ignored
reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/
when you convert the following rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Web_Client_Attacks, signature_severity Major, created_at 2010_09_27, updated_at 2016_07_01
CON-47906
A rule to prevent brute force attacks by using the threshold element must have a count between 1 and 255 to convert successfully.
PLUG-5153
The depth and offset rule modifiers are ignored.
PLUG-5405
A rule fails conversion when it includes a pcre pattern that would convert to use the tcp-context-free, udp-context-free, or file-data custom signature context.
PLUG-5343
A rule with multiple content patterns that use the distance or within modifiers converts differently depending on whether any of the patterns are negated. If none are negated, the converter concatenates the patterns. If one or more are negated with !, the converter does not concatenate them.
Example: A rule that contains distance and within but no negated patterns:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Ios.Backdoor.SYNful inbound connection"; flow:to_server,established; content:"text"; depth:4; offset:78; content:"|00 00 00|"; within:3; distance:1; content:"|45 25 6D|"; within:3; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1205; reference:url,blogs.cisco.com/security/synful-knock; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=40411; classtype:trojan-activity; sid:36054; rev:5;)
converts into:
<vulnerability-threat version="10.0.0"> <entry name="6800001"> <signature> <standard> <entry name="ips_converted_pattern"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>text.{1,1}\x00 00 00\x.{1,1}E%m</pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>session</scope> </entry> </standard> </signature> <default-action> <alert/> </default-action> <reference> <member>attack.mitre.org/techniques/T1205</member> <member>blogs.cisco.com/security/synful-knock</member> <member>tools.cisco.com/security/center/viewAlert.x?alertId=40411</member> </reference> <threatname>Converted_MALWARE-CNC Ios.Backdoor.SYNful inbound connection_36054</threatname> <severity>low</severity> <direction>client2server</direction> <affected-host> <server>yes</server> </affected-host> </entry> </vulnerability-threat>
However, a rule with negated patterns:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:<13; content:".htm" ; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.htm$/U" ; content:!"BridgitAgent" ; http_header; content:!"Accept" ; http_header; content:!"Referer" ; http_header; content:!"Content-Type" ; http_header; content:"Content-Length|3a 20|" ; content:!"0|0d 0a|" ; within:3; content:"|0d 0a|" ; distance:0; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:trojan-activity; sid:2017191; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;))
converts into:
<vulnerability-threat version="10.0.0"> <entry name="6800001"> <signature> <standard> <entry name="ips_converted_pattern"> <and-condition> <entry name="And Condition 1"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>\.htm</pattern> <context>http-req-uri</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 2"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>\/[^\x2f\x]+?\.htm</pattern> <context>http-req-uri</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 3"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>BridgitAgent</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 4"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>Accept</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 5"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> <pattern>Referer</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 6"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <qualifier> <entry name="http-method"> <value>GET</value> </entry> </qualifier> 
<pattern>Content-Type</pattern> <context>http-req-headers</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 7"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>Content-Length: </pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 8"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>0\x0d 0a\x</pattern> <context>tcp-context-free</context> <negate>yes</negate> </pattern-match> </operator> </entry> </or-condition> </entry> <entry name="And Condition 9"> <or-condition> <entry name="Or Condition 1"> <operator> <pattern-match> <pattern>\x0d 0a\x</pattern> <context>tcp-context-free</context> <negate>no</negate> </pattern-match> </operator> </entry> </or-condition> </entry> </and-condition> <order-free>no</order-free> <scope>session</scope> </entry> </standard> </signature> <default-action><alert/></default-action> <threatname>Converted_ET TROJAN Win32 Kelihos.F Checkin_2017191</threatname> <severity>low</severity> <direction>client2server</direction> <affected-host> <server>yes</server> </affected-host> </entry> </vulnerability-threat>
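As an added example (not part of these release notes or of the plugin itself), the following Python pre-flight check runs a Snort rule against the limits listed above (CON-47905, CON-47906, CON-47907, CON-47908, CON-47909, CON-47910, CON-47911, CON-48472, CON-48921) so that rules likely to fail conversion can be fixed before upload. The option tokenising, the treatment of content and pcre options as the rule's "conditions", and the sample rule are assumptions of this example, not the plugin's own parser.

```python
import re

# Limits are those listed above for plugin 1.0.4; the option tokenising and what counts
# as a "condition" (content/pcre options) are this example's assumptions, not the plugin's parser.
ALLOWED_ACTIONS = {"alert", "drop", "log", "pass", "reject", "sdrop"}                     # CON-47911
UNSUPPORTED_MODS = {"rawbytes", "http_raw_cookie", "http_raw_header", "http_raw_host", "http_raw_uri"}
INTEGER_MODS = {"depth", "within", "offset", "distance"}                                  # CON-47909
MAX_CONDITIONS, MAX_PCRE_LEN, MAX_URL_LEN, MAX_SECONDS = 16, 127, 63, 3600

def split_options(body):
    """Split on ';' outside double quotes (a quoted msg may contain a literal ';')."""
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def preflight(rule):
    """Return the known-issue IDs a Snort rule would trip; [] means it should convert."""
    issues, conditions = [], []                      # conditions: (option name, negated?)
    header, _, body = rule.partition("(")
    action = (header.split() or [""])[0]
    if action not in ALLOWED_ACTIONS:
        issues.append(f"CON-47911 action {action!r} not accepted")
    for opt in split_options(body.rstrip(") \n")):
        name, _, value = (part.strip() for part in opt.partition(":"))
        if name in UNSUPPORTED_MODS:
            issues.append(f"CON-47905 modifier {name} unsupported")
        elif name in INTEGER_MODS and not re.fullmatch(r"-?\d+", value):
            issues.append(f"CON-47909 {name} must be an integer, got {value!r}")
        elif name in ("content", "pcre"):
            conditions.append((name, value.startswith("!")))
            if name == "pcre" and len(value.strip('"!').rsplit("/", 1)[0]) - 1 > MAX_PCRE_LEN:
                issues.append(f"CON-47910 regex longer than {MAX_PCRE_LEN} characters")
        elif name == "reference" and value.startswith("url,") and len(value) - 4 > MAX_URL_LEN:
            issues.append(f"warning CON-48472 reference URL ignored (> {MAX_URL_LEN} chars)")
        elif name == "threshold":
            nums = {k: int(v) for k, v in re.findall(r"(count|seconds)\s+(\d+)", value)}
            if not 1 <= nums.get("count", 0) <= 255:
                issues.append(f"CON-47906 threshold count {nums.get('count')} outside 1-255")
            if nums.get("seconds", 0) > MAX_SECONDS:
                issues.append(f"CON-48921 threshold seconds {nums['seconds']} exceeds {MAX_SECONDS}")
    if len(conditions) > MAX_CONDITIONS:
        issues.append(f"CON-47908 {len(conditions)} conditions exceed {MAX_CONDITIONS}")
    if conditions and all(neg for _, neg in conditions):
        issues.append("CON-47907 every condition is negated")
    elif conditions and conditions[-1][1]:
        issues.append("warning CON-47907 last condition negated; converter swaps order (FP risk)")
    return issues

# Constructed sample rule (not from any ruleset) that trips several limits at once.
SAMPLE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"test; semicolon in msg"; flow:to_server; '
          'content:"GET"; http_method; content:!"Referer|3a|"; http_raw_header; distance:0x10; '
          'threshold: type limit, track by_dst, count 300, seconds 3601; reference:url,' + "a" * 70 + '; sid:1;)')
```

Entries prefixed with "warning" correspond to the issues above that still convert (an ignored URL, a swapped final negated condition); everything else is a hard conversion failure.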