Note-Creating Custom Signatures-RevE - Lab 5
Revision E
Table of Contents
Overview
Integer Contexts (Greater than, Less than, Equal to)
  dnp3-req-func-code
  dnp3-req-object-type
  dns-rsp-tcp-over-dns
  dns-rsp-txt-found
  ftp-req-params-len
  http-req-content-length
  http-req-cookie-length
  http-req-header-length
  http-req-param-length
  http-req-uri-path-length
  http-req-uri-tilde-count-num
  http-rsp-code
  http-rsp-content-length
  http-rsp-total-headers-len
  iccp-req-func-code
  imap-req-cmd-param-len
  imap-req-first-param-len
  imap-req-param-len-from-second
  smtp-req-helo-argument-length
  smtp-req-mail-argument-length
  smtp-req-rcpt-argument-length
  sctp-req-ppid
  ssl-rsp-version
  stun-req-attr-type
  panav-rsp-zip-compression-ratio
String Contexts (Pattern Match)
  dns-req-addition-section
  dns-req-answer-section
  dns-req-authority-section
  dns-req-header
  dns-req-section
  dns-rsp-addition-section
  dns-rsp-answer-section
  dns-rsp-authority-section
  dns-rsp-header
  dns-rsp-ptr-answer-data
  dns-rsp-queries-section
  email-headers
  file-elf-body
  file-flv-body
  file-html-body
  file-java-body
  file-mov-body
  file-office-content
  file-pdf-body
  file-riff-body
  file-swf-body
  file-tiff-body
  file-unknown-body
  ftp-req-params
  ftp-rsp-banner
  ftp-rsp-message
  gdbremote-req-context
  gdbremote-rsp-context
  giop-req-message-body
  giop-rsp-message-body
  h225-payload
  http-req-cookie
  http-req-headers
  http-req-host-header
  http-req-message-body
  http-req-mime-form-data
  http-req-params
  http-req-uri-path
  http-rsp-headers
  http-rsp-non-2xx-response-body
  imap-req-cmd-line
  imap-req-first-param
  imap-req-params-after-first-param
  irc-req-params
  irc-req-prefix
  jpeg-file-scan-data
  jpeg-file-segment-data
  jpeg-file-segment-header
  ms-ds-smb-req-share-name
  msrpc-req-bind-data
  mssql-db-req-body
  nettcp-req-context
  oracle-req-data-text
  pe-dos-headers
  pe-file-header
  pe-optional-header
  pe-section-header
  pe-body-data
  rtmp-req-message-body
  rtsp-req-headers
  rtsp-req-uri-path
  snmp-req-community-text
  smtp-req-argument
  smtp-rsp-content
  ssh-req-banner
  ssh-rsp-banner
  ssl-req-certificate
  ssl-req-client-hello
  ssl-req-random-bytes
  ssl-rsp-cert-subjectpublickey
  ssl-rsp-certificate
  ssl-rsp-server-hello
  telnet-req-client-data
  telnet-rsp-server-data
  unknown-req-tcp-payload
  unknown-rsp-tcp-payload
  unknown-req-udp-payload
  unknown-rsp-udp-payload
Regex Syntax with Examples
  Table of PAN-OS Regex Characters
  Simple Examples of Patterns Using Each Supported Character
  Common Regex Syntax Errors
Custom Signature Examples
  Signature Terminology Refresher
  Example 1 – Integer-based Context
  Example 2 – Matching Hexadecimal Values
  Example 3 – Custom Signature Using a Qualifier
  Example 4 – Combination Signature
Context Qualifiers
  Table 1: FTP Command Qualifiers
  Table 2: FTP Vendor ID Qualifiers
  Table 3: HTTP Header Field Qualifiers
  Table 4: HTTP Method Qualifiers
  Table 5: IMAP Command Qualifiers
  Table 6: RTSP Method Qualifiers
  Table 7: SMTP Method Qualifiers
Revision History
Overview
The following information was written based on a firewall running PAN-OS 5.0, but it also applies to later versions. The
first section describes all integer contexts, which work with the greater-than, less-than, and equal-to operators. These
contexts are available for custom IPS signatures, but not for custom application signatures. The second section describes
all string contexts, which work with the pattern-match operator. The third section details the PAN-OS regex character set,
gives regex examples, and lists common regex mistakes you may run into when creating patterns for custom signatures. The
fourth section contains step-by-step procedures for creating custom signatures of all types. The final section provides
tables of all qualifiers available to the various contexts. Qualifiers further refine and limit the scope of a custom
signature, and which qualifiers are available depends on the context.
When creating a custom signature, start by taking a packet capture of the traffic of interest. Throughout this document we
used Wireshark to analyze the packet captures, because its dissections give a simple reference for what each context
covers.
dnp3-req-func-code
Description: DNP3 Application Layer request and response headers contain a function code; examples are read, write,
select, operate, and direct_operate. The dnp3-req-func-code context identifies this function code. DNP3 function codes are
1 byte in length. In this example, the function code ‘Select’ has the hex value 0x03, so in the custom app the decimal
equivalent 3 must be defined.
Example:
dnp3-req-object-type
Description: Objects in the DNP3 library are divided into Groups and Variations, and this context identifies them. The
dnp3-req-object-type context is a 2-byte hex value. In this case the hex value is 0x0c01, so the custom app takes the
decimal value 3073.
Example:
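The following decoder is an added example, not taken from the PAN-OS document, that shows which bytes of a DNP3 application-layer request the two contexts above inspect and how the hex values in the text become the decimal values a signature compares against. It assumes the input is the application-layer fragment only (link-layer header, CRCs and transport byte already removed) and that the 2-byte object type is the group octet followed by the variation octet; that packing is inferred from the document's own numbers (0x0c01 gives 3073), not from a published PAN-OS encoding. The sample bytes are constructed.

```python
# Added example (not from the PAN-OS document): decode the function code and
# first object header of a DNP3 application-layer request.
#
# DNP3 application header layout (link/transport layers already stripped):
#   byte 0: application control (FIR, FIN, CON, UNS bits + sequence)
#   byte 1: function code            -> dnp3-req-func-code
#   byte 2: object group   \
#   byte 3: object variation > first object header -> dnp3-req-object-type
#   byte 4: qualifier code /  (range fields follow; not needed here)
#
# ASSUMPTION: object type = (group << 8) | variation, inferred from the
# document's example 0x0c01 -> 3073.

FUNCTION_CODES = {
    0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
    0x04: "OPERATE", 0x05: "DIRECT_OPERATE",
}


def parse_dnp3_request(fragment: bytes) -> dict:
    """Return the decimal values a custom signature would compare against."""
    if len(fragment) < 5:
        raise ValueError("fragment too short for application header and object header")
    app_ctrl, func_code, group, variation, qualifier = fragment[:5]
    object_type = (group << 8) | variation
    return {
        "first_fragment": bool(app_ctrl & 0x80),   # FIR bit
        "final_fragment": bool(app_ctrl & 0x40),   # FIN bit
        "func_code": func_code,                     # value for dnp3-req-func-code
        "func_name": FUNCTION_CODES.get(func_code, "OTHER"),
        "group": group,
        "variation": variation,
        "object_type": object_type,                 # value for dnp3-req-object-type
        "object_type_hex": f"0x{object_type:04x}",
        "qualifier_code": qualifier,
    }


# Constructed sample: SELECT (0x03) on group 12 variation 1 (control relay
# output block), qualifier 0x17 (1-octet count and 1-octet index), count 1,
# index 0; the object data itself is omitted.
SAMPLE_SELECT = bytes([0xC0, 0x03, 0x0C, 0x01, 0x17, 0x01, 0x00])

if __name__ == "__main__":
    for key, value in parse_dnp3_request(SAMPLE_SELECT).items():
        print(f"{key}: {value}")
```

Run it against a fragment carved from your own capture to confirm the decimal values before entering them in a signature; an equal-to condition on dnp3-req-func-code with value 3 matches the sample, and dnp3-req-object-type with value 3073 matches its first object header.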
dns-rsp-tcp-over-dns
Description: Checks multiple conditions of a DNS response to detect TCP-over-DNS (for example, tools like Iodine can
tunnel IPv4 data through a DNS server). If conditions that indicate TCP-over-DNS are detected, the dns-rsp-tcp-over-dns
field is set to 1.
Example:
dns-rsp-txt-found
Description: Checks the Answer section of a DNS response and checks whether the Type field is set to TXT. Set
dns-rsp-txt-found to 1 if TXT is to be identified as the DNS Type field.
Example:
ftp-req-params-len
Description: Length of the arguments to an FTP command, not including the command itself
Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.
http-req-content-length
Description: Content length of an HTTP request
http-req-cookie-length
Description: Identifies the Cookie header in an HTTP request header, and detects the number of bytes in the cookie
string.
Example:
http-req-header-length
Description: Length of an HTTP request header, excluding method, path, and HTTP version
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-param-length
Description: Length of the URL query string
Example: This context provides the length of the text highlighted in yellow (everything after the ‘?’).
http-req-no-version-string-small-pkt
Description: If this field is set to 1, an HTTP request that is less than 50 bytes and is missing the HTTP version string
“HTTP/x.y” has been found.
http-req-uri-path-length
Description: Length of the URI path, not including query string (up to and including the ‘?’).
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-req-uri-tilde-count-num
Description: Number of “~” characters in the path (same path that http-req-uri-path provides). The following encoded
characters are included in this context:
• %3A
• %u003A
• %u0589
• %u2236
• %u007E
• %u0303
• %u223C
• %uFF5E
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-rsp-code
Description: The number corresponding to the HTTP response code
http-rsp-content-length
Description: Content length of an HTTP response
http-rsp-total-headers-len
Description: Length of the HTTP response headers, not including the HTTP status banner
Example: This context provides the length of the text highlighted in yellow.
iccp-req-func-code
Description: ICCP function codes such as read, write, identify, and rename can be identified using the iccp-req-func-code
context, which identifies the 1-byte function code value. In this case, the read function code has the hex value 0xa4, and
the corresponding decimal value 164 has to be entered while creating the custom app.
Example:
imap-req-cmd-param-len
Description: Total length of all parameters of an IMAP command
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-first-param-len
Description: Length of the first parameter of an IMAP command
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-param-len-from-second
Description: Total length of all parameters of an IMAP command, not including the first
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
smtp-req-helo-argument-length
Description: Length of the argument to the SMTP “HELO” command
Example: This context provides the length of the text highlighted in yellow.
smtp-req-mail-argument-length
Description: Length of the argument to the SMTP “MAIL FROM” command
Example: This context provides the length of the text highlighted in yellow.
smtp-req-rcpt-argument-length
Description: Length of the argument to the SMTP “RCPT TO” command
Example: This context provides the length of the text highlighted in yellow.
sctp-req-ppid
Description: The Payload Protocol Identifier (PPID) is a 32-bit unsigned integer that represents an application-specified
(upper layer) protocol identifier. It identifies the type of information being carried in an SCTP DATA chunk.
Example:
ssl-rsp-version
Description: Detects the SSL version listed in the SSL server hello handshake.
Example:
stun-req-attr-type
Description: STUN requests and responses contain message attributes. This context identifies the 2-byte attribute type
value. In this case, the hex is 0x0003, so the custom app takes the decimal equivalent 3.
Example:
panav-rsp-zip-compression-ratio
Description: The data compression ratio compares the uncompressed size and the compressed size of a file. This
context detects the zip compression ratio of files downloaded over HTTP and can be used to identify a zip bomb or other
files with large data compression ratios.
Example:
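How the ratio behind this context can be computed, and why it identifies a zip bomb, as an added example (not Palo Alto Networks code; the firewall's exact formula and threshold are not given on this page, so ratio is defined here as uncompressed size over compressed size, per archive member). The script reads member sizes from the archive's central directory, then shows a bounded inflation that stops as soon as a member exceeds a chosen ratio, so a hostile archive is never fully expanded while it is being classified. The sample archive is constructed in memory.

```python
"""Compression-ratio check for zip archives (added example, not PAN-OS code).

Ratio is defined here as uncompressed size / compressed size per member; the
firewall's own formula and thresholds are not stated on the page.
"""
import io
import zipfile


def member_ratios(zip_bytes):
    """[(name, uncompressed, compressed, ratio)] from central-directory metadata only."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            comp = max(info.compress_size, 1)          # empty members: avoid division by zero
            rows.append((info.filename, info.file_size, info.compress_size, info.file_size / comp))
    return rows


def bounded_max_ratio(zip_bytes, limit_ratio):
    """Inflate each member in chunks and stop as soon as its output exceeds
    limit_ratio times its compressed size. Returns (worst_ratio_seen, limit_hit).
    Stopping early means a bomb is never fully expanded just to classify it."""
    worst, hit = 0.0, False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            comp = max(info.compress_size, 1)
            budget = int(limit_ratio * comp)
            produced = 0
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    produced += len(chunk)
                    if produced > budget:
                        hit = True
                        break
            worst = max(worst, produced / comp)
    return worst, hit


def build_sample_zip(size=1 << 20):
    """Constructed sample: one highly compressible member (a megabyte of zeros)
    next to a small, ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * size)
        zf.writestr("readme.txt", b"ordinary text, compresses only a little")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, raw, comp, ratio in member_ratios(sample):
        print(f"{name:12} {raw:>9} -> {comp:>6} bytes  ratio {ratio:8.1f}")
    print(bounded_max_ratio(sample, limit_ratio=100))
```

The metadata pass is cheap and is what a ratio-based context can act on at wire speed; the bounded pass confirms the declared sizes with real output while capping the work a crafted archive can force.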
dns-req-addition-section
Description: Additional records section if found in a DNS request (normal DNS requests should not have an additional
records section).
dns-req-answer-section
Description: Answer section if found in a DNS request (normal DNS requests should not have an answer section).
dns-req-authority-section
Description: Authority section if found in a DNS request (normal DNS requests should not have an authority section).
dns-req-header
Description: Full DNS request header (12 bytes), which includes the transaction ID, query flags, number of questions,
and the Resource Record (RR) values in a DNS request.
dns-req-section
Description: This context matches against the DNS questions of a DNS query, so that patterns can be written against
one or more domains in a given DNS query. It is a direct pattern match against the format of a DNS query, so patterns
must adhere to the DNS question structure. A recommended approach to creating a DNS pattern is to capture the DNS
request with Wireshark and copy the DNS Request field (make sure to remove the ending period in the request).
Example 1: The following example illustrates how to build a signature for a DNS query for the domain
www.thebayareagamers.com.
Pattern                                          Description
\x                                               Indicates this pattern is a hex pattern match
03                                               Indicates that the next 3 bytes are to be matched
77 77 77                                         "www" (the period in the domain name is omitted)
10                                               Indicates that the next 16 bytes (10 hex) are to be matched
74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73  "thebayareagamers"
03                                               Indicates that the next 3 bytes are to be matched
63 6f 6d                                         "com"
\x                                               Ends hex pattern match
Example 2: Here you can see the Wireshark representation of this table. Everything highlighted yellow and blue is
provided by this context. The blue section is where the hexadecimal string is pulled from for the above table.
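The table above, generated rather than hand-assembled. This is an added example, not part of the original document or of PAN-OS: it encodes any domain name as the length-prefixed labels the DNS question section carries (the hex in the table decodes to www.thebayareagamers.com), wraps the bytes in the \x ... \x form the Pattern field expects, and prints the same byte-by-byte breakdown so a pattern can be reviewed before it is pasted into a signature. The with_root flag is this script's own addition: it appends the 0x00 root label that ends a wire-format name, which the table omits.

```python
"""Build a dns-req-section hex pattern from a domain name (added example, not PAN-OS code)."""


def dns_qname_bytes(domain, with_root=False):
    """Encode a domain as DNS wire-format labels: one length byte per label followed
    by the label's ASCII bytes, dots dropped. The page's table stops after the last
    label; with_root=True also appends the 0x00 root label, which pins the pattern
    to that exact name instead of any name that begins with those labels."""
    labels = domain.rstrip(".").split(".")       # trailing period removed, as the page advises
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")              # IDN labels would need punycode first (not handled here)
        if not 1 <= len(raw) <= 63:              # RFC 1035 label length limit; also rejects ".." and ""
            raise ValueError(f"label {label!r} must be 1-63 bytes")
        out.append(len(raw))
        out += raw
    if with_root:
        out.append(0)
    if len(out) > 255:                           # RFC 1035 total name limit
        raise ValueError("encoded name exceeds 255 bytes")
    return bytes(out)


def hex_pattern(data):
    """Wrap raw bytes as \\x<hex>\\x, the form the page uses in its file-unknown-body example."""
    return "\\x" + data.hex() + "\\x"


def explain(domain):
    """Rows of (hex, meaning) mirroring the page's table, for review before pasting a pattern."""
    rows = []
    for label in domain.rstrip(".").split("."):
        n = len(label)
        rows.append((f"{n:02x}", f"Indicates that the next {n} bytes are to be matched"))
        rows.append((" ".join(f"{b:02x}" for b in label.encode("ascii")), f'"{label}"'))
    return rows


if __name__ == "__main__":
    name = "www.thebayareagamers.com"            # the name encoded in the table above
    for hexpart, meaning in explain(name):
        print(f"{hexpart:<50} {meaning}")
    print(hex_pattern(dns_qname_bytes(name)))
```

Encoding only the registered domain (thebayareagamers.com) gives a byte sequence that is a suffix of the full name's encoding, so a pattern built from it also appears in queries for any host under that domain.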
dns-rsp-addition-section
Description: Additional records sections of a DNS response
dns-rsp-answer-section
Description: The whole DNS Answers section, with the exception of PTR records, which are matched in a separate
context (dns-rsp-ptr-answer-data).
dns-rsp-authority-section
Description: The complete authority section of a DNS response
dns-rsp-header
Description: Full DNS response header, which includes the transaction ID, query flags, the number of questions, and the
Resource Record (RR) values.
dns-rsp-ptr-answer-data
Description: FQDN for a type PTR DNS response
dns-rsp-queries-section
Description: Name, type, and class of the queries section in a DNS response
email-headers
Description: All email headers and the plain-text email body. Attachments are not included in this context as they are
provided elsewhere.
Example: a captured message body, followed by base64-encoded data (a GIF image):
Hey,
Kelly
R0lGODlhFAAWAKEAAP///8z//wCZMwAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9t
YWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAAB
ACwAAAAAFAAWAAACY4yPqTrtm5qYtMEGBNiaWzRMHEVlwgBm5lieR7hqsiqjQSjG3I7C9LgznXw5
nUwjAaqEIiSs2Vl2nKWglIfbsHJTV3bJJNkGLG10arspwZ20mlYVum++8PBCBn8gBseDD7hQAAA7
file-elf-body
Description: Identifies an executable and linkable formatted (ELF) file type contained in a protocol or application
response and checks the ELF file body.
Example:
file-flv-body
Description: Full body of a flash video file, minus the first 9 bytes as they’re reserved for the header. Here is a
screenshot from Wikipedia detailing the 9-byte header:
Example: Using a cli hex-editor named xxd, we can view the header of the flash file.
Every byte after the 9th is provided by this context. Only the first 50 bytes were printed here as an example.
file-html-body
Description: Full body of an HTML file, minus the first 8 bytes as they’re reserved for the header
Example: xxd is a cli-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-java-body
Description: Full body of a Java file, minus the first 4 bytes as they’re reserved for Java’s ‘magic number’
Example: Using a cli based hex editor named xxd, we can view the first 4 bytes of the Java file:
Every byte after the 4th is provided by this context. Only the first 25 bytes were printed here as an example.
file-mov-body
Description: Full body of a MOV file, minus the first 8 bytes as they’re reserved for the header
Example: xxd is a cli-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-office-content
Description: Full body of a Microsoft Office Document file, minus the first 8 bytes as they’re reserved for the header
Example: xxd is a cli-based hex editor, every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-pdf-body
Description: This context provides the full body of a PDF file, minus the first 8 bytes as they’re reserved for the header.
Compressed data is provided as decompressed data by the decoder.
Example: xxd is a cli-based hex editor, every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-riff-body
Description: Full body of a RIFF file, minus the first 8 bytes as they’re reserved for the header
Example: xxd is a cli-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-swf-body
Description: Full body of a SWF file, minus the first 8 bytes as they’re reserved for the header
Example: xxd is a cli-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
file-tiff-body
Description: When the firewall detects a tagged image file format (TIFF) file, this context returns data contained within
the body of the file.
Example:
file-unknown-body
Description: If a file isn’t matched by one of the other contexts, you can use this context to match it. This context
provides the data after the first 8 bytes and up to 7 packets of an unknown file that could not otherwise be identified.
Example: xxd is a cli-based hex editor; every byte after the 8th is provided until 7 packets have been seen. In the example
below the first 8 bytes are numbered to easily show what would not be matched. Next are “A”s followed by “shellcode” in
hex. We could, for instance, block this file by adding ‘\x7368656c6c636f6465\x’ in the “Pattern” field of the custom
signature.
Macbook:~ noob$ xxd file.bin
0000000: 1122 3344 5566 7788 4141 4141 4141 4141 ."3DUfw.AAAAAAAA
0000010: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000020: 7368 656c 6c63 6f64 65 shellcode
ftp-req-params
Description: Parameters following an FTP command
Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.
ftp-rsp-banner
Description: FTP welcome banner shown before authentication
ftp-rsp-message
Description: FTP server response message, including the response code itself. Note that the code and the following
space can be used as part of the required 7-byte anchor.
gdbremote-req-context
Description: GDB is a process debugger that has the ability to debug across the network. This context provides the
request data.
Example: After capturing the GDB network data, follow the TCP stream to view the data. In this instance, everything in
red is the request data, and that is what this context provides.
gdbremote-rsp-context
Description: GDB is a process debugger that has the ability to debug across the network. This context provides the
response data.
Example: After capturing the GDB network data, I followed the TCP stream to view the data. In this instance, everything
in blue is what this context provides.
giop-req-message-body
Description: Everything in the GIOP request
giop-rsp-message-body
Description: Data after the GIOP header in a GIOP response
h225-payload
Description: Extracts any data contained in an H.225.0 (App-ID: h.225) request.
Example:
http-req-cookie
Description: Returns the Cookie header value contained in an HTTP request header.
Example:
http-req-headers
Description: HTTP request header, not including the method, path, HTTP version, or host as those are provided
elsewhere.
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-host-header
Description: Host field in an HTTP request header
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-message-body
Description: Body content of an HTTP request when the body content cannot be recognized as URL-encoded or MIME
type data using the Content-Type field.
Example: This context provides the full body. I followed the TCP stream in Wireshark and only chose a portion of the
body for the signature to match.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-req-mime-form-data
Description: MIME header data in the body of an HTTP request, not including embedded file contents
http-req-params
Description: Query string (after the ‘?’) as well as parameters in the HTTP body for a POST method.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-req-uri-path
Description: Path in an HTTP request header (up to and including the ‘?’).
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-rsp-headers
Description: Full HTTP response header, not including the HTTP banner
http-rsp-non-2xx-response-body
Description: Body of non-2xx HTTP responses, excluding HTTP 406 (Not Acceptable) responses.
imap-req-cmd-line
Description: IMAP command used.
imap-req-first-param
Description: First parameter to an IMAP command
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-params-after-first-param
Description: Every parameter to an IMAP command, not including the first parameter
irc-req-params
Description: Argument after the actual IRC command and space
irc-req-prefix
Description: Data before an IRC command, typically used to indicate the true origin of a message
Example: You can see by following the TCP stream in Wireshark that there is data in between the IRC commands. It
appears this message was proxied.
jpeg-file-scan-data
Description: This context provides all of the scan data within a JPEG file.
jpeg-file-segment-data
Description: This context provides all of the segment data within a JPEG file.
jpeg-file-segment-header
Description: This context provides the segment header data within a JPEG file.
ms-ds-smb-req-share-name
Description: Full path to a file that is read or written using SMB
msrpc-req-bind-data
Description: Data payload of a MS RPC Bind request
Example: This context provides the text highlighted in yellow. The easiest way to find a pattern to match is to look at the
hex representation of the payload and pick at least 7 bytes to match on as seen below.
mssql-db-req-body
Description: Request to a Microsoft SQL server, excluding the request header
nettcp-req-context
Description: Checks the RequestContext field in Net.TCP (App-ID: net.tcp) requests.
oracle-req-data-text
Description: When the firewall detects an Oracle request, and the request type is DATA, this context returns the data
contained in the request.
Example:
pe-dos-headers
Description: This context provides the DOS MZ header and the DOS stub. These are located in the first 64 bytes of the
PE file.
PE File Structure
DOS MZ Header + DOS Stub – first 64 bytes
PE File Header – next 20 bytes
PE Optional Header – next 224 bytes
PE Section Header – next 40 bytes each
PE Body Data – Rest of the file
pe-file-header
Description: This context provides the PE file header. This is 20 bytes long and starts at the 65th byte of the PE file.
pe-optional-header
Description: This context provides the optional header of a PE file. This is typically 224 bytes long and starts at the 86th
byte of the PE file.
pe-section-header
Description: This context provides the section headers for a PE file. These are 40 bytes each. Some typical sections with
headers are “idata”, “rsrc”, “data”, “text”, and “src”. However, each PE file may not include each section and they’re not
guaranteed to be in any specific order.
pe-body-data
Description: This context provides the body data of a PE file. This includes everything inside the file sections themselves.
The body data is located after the headers mentioned above.
rtmp-req-message-body
Description: RTMP body up until twenty packets have been sent
rtsp-req-headers
Description: Full RTSP request headers, not including the command line
Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.
rtsp-req-uri-path
Description: Path of an RTSP request, not including the command line
Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.
snmp-req-community-text
Description: When the firewall detects an SNMP request, there is a variable text field called community in the SNMP
request header. The snmp-req-community-text context is used to track the value of the community field.
Example:
smtp-req-argument
Description: Argument of an SMTP command
Qualifiers: This context can use the SMTP method (Table 7) qualifier to limit signatures to specific SMTP methods.
smtp-rsp-content
Description: SMTP server response content
ssh-req-banner
Description: SSH banner of the client, not including comments
ssh-rsp-banner
Description: SSH banner of the server, not including comments
ssl-req-certificate
Description: Certificate request message of an SSL negotiation when initiated from the client
ssl-req-client-hello
Description: Client hello message of an SSL negotiation
ssl-req-random-bytes
Description: Random bytes field in the SSL client hello
Example: This value is already hexadecimal; you’ll need to write the pattern in your signature as such (enclosed in \x).
ssl-rsp-cert-subjectpublickey
Description: Certificate subject public key that’s part of an SSL server hello handshake
ssl-rsp-certificate
Description: Certificate response message of an SSL negotiation from the server
ssl-rsp-server-hello
Description: Server hello message of an SSL negotiation
telnet-req-client-data
Description: All telnet data for traffic originating from the client
telnet-rsp-server-data
Description: All telnet data for traffic originating from the server
unknown-req-tcp-payload
Description: Full TCP payload for unknown TCP traffic originating from the client
unknown-rsp-tcp-payload
Description: Full TCP payload for unknown TCP traffic originating from the server
unknown-req-udp-payload
Description: Full UDP payload for unknown UDP traffic originating from the “client”, which is the initiator of UDP
communications
unknown-rsp-udp-payload
Description: Full UDP payload for unknown UDP traffic originating from the “server”, which is opposite the “client”
Syntax  Description
.       Match any single character
?       Match the preceding character or expression 0 or 1 time; the general expression MUST be inside a pair of parentheses, e.g. (abc)?
*       Match the preceding character or expression 0 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)*
+       Match the preceding character or regular expression 1 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)+
|       Equivalent to "or" as in this example: ((bif)|(scr)|(exe)): match "bif", "scr" or "exe". Note that the alternative substrings MUST be in parentheses
-       Used to create range expressions as in this example: [c-z]: match any character between c and z INCLUSIVE
^       Match any except, as in this example: [^abz]: match any character but a, b, or z
{}      Min/Max number of bytes, as in this example: .{10,20}: match any string that is between 10 and 20 bytes. Note: Must be directly in front of a fixed string of at least 7 bytes, and only supports "."
\       To perform a literal match on any one of the special characters above, it MUST be escaped by preceding it with a '\' (backslash)
&       & is a special character, so to look for the "&" in a string you must use "&amp;" instead
The following lists the current string contexts that ignore case:
Note: This information is based on PAN-OS 6.1 and may differ in other releases. For JavaScript, the name is file-html-body
and it is not case sensitive.
entry alias="rtmp-req-body" name="rtmp-req-message-body"
entry name="http-req-headers"
entry name="http-req-host-header"
entry name="http-req-params"
entry name="http-req-uri-path"
entry name="http-req-message-body"
entry name="imap-req-cmd-line"
entry name="giop-req-message-body" alias="corba-req-field"
entry name="giop-rsp-message-body" alias="corba-rsp-field"
entry name="imap-req-first-param"
entry name="email-headers" alias="panav-rsp-email-headers"
entry name="ssl-req-random-bytes"
entry name="ssl-req-certificate"
entry name="imap-req-params-after-first-param"
entry name="smtp-req-argument"
entry name="smtp-rsp-content"
entry name="rtsp-req-uri-path"
entry name="rtsp-req-headers"
entry name="telnet-req-client-data"
entry name="telnet-rsp-server-data"
entry alias="unknown-req-text" name="unknown-req-udp-payload"
entry alias="unknown-rsp-text" name="unknown-rsp-udp-payload"
entry name="unknown-req-tcp-payload"
entry name="unknown-rsp-tcp-payload"
entry name="ms-ds-smb-req-share-name"
entry name="ssh-req-banner"
entry name="ssh-rsp-banner"
entry name="msrpc-req-bind-data"
entry name="mssql-db-req-body"
3. The “Pattern” field in the condition window has a limit of 127 characters, but what if your pattern is
longer?
o The solution is to ‘AND’ them together as shown in figure 5. You can even leave “Ordered Condition
Match” selected, so it must see them in order to perform a closer match to the full string.
Figure 4 – Too many characters in the “Pattern” field
Figure 5 – String split in half with ‘AND’
o Another work-around that is possible in some patterns is to just write out the ‘.’ (dot) characters instead of
using the repetition. ‘{4}’ would become ‘....’ and there is no repetition requirement.
Figure 4.1 – Invalid because only 4 bytes, ‘BBBB’, follow the repetition ‘.{4}’
Figure 4.2 – Valid because 7 bytes, ‘BBBBBBB’, now follow the repetition element
o To fix this, you need to increase the size of at least one of the strings to 7 bytes or more. Figure 5.2
shows a fixed signature by changing “net” to “networks”, which is at least 7 bytes.
Figure 5.1 – Invalid because there are two strings less than 7 bytes separated by a DFA
Figure 5.2 – Valid because only one string less than 7 bytes now surrounds the repetition element
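The constraints from the regex table and the common mistakes above, collected into a small pre-check. This is an added example and not Palo Alto Networks code: lint flags a pattern longer than 127 characters, a pattern with no fixed string of at least 7 bytes (figure 5.1), a {min,max} that does not follow ‘.’ or is not directly in front of a 7-byte fixed string (figure 4.1), alternation outside parentheses, and a bare ‘&’; split_for_and cuts an over-long \x...\x hex pattern into pieces for AND-ed conditions (figure 5). The tokenizer is a simplification of the firewall's grammar, the function names and messages are this example's own, and the firewall's pattern compiler remains authoritative.

```python
"""Pre-check a PAN-OS custom-signature pattern against the rules stated on this page.

Added example, not Palo Alto Networks code: the checks are the page's stated
constraints, the tokenizer is a simplification, and the firewall's own pattern
compiler is authoritative.
"""
import re

MAX_PATTERN_CHARS = 127   # size of the "Pattern" field in the condition window
MIN_ANCHOR_BYTES = 7      # fixed string the matching engine needs to anchor on

_HEX_BLOCK = re.compile(r"\\x((?:\s*[0-9a-fA-F]{2})+)\s*\\x")   # \x7368...\x, two hex digits per byte
_RANGE = re.compile(r"\{(\d+)(?:,(\d+))?\}")                     # {n} or {n,m}


def _close_paren(pattern, start):
    """Index of the ')' matching the '(' at start (last index if unbalanced)."""
    depth, j = 0, start
    while j < len(pattern):
        if pattern[j] == "\\":
            j += 2                                    # skip an escaped character
            continue
        depth += {"(": 1, ")": -1}.get(pattern[j], 0)
        if depth == 0:
            return j
        j += 1
    return len(pattern) - 1


def tokenize(pattern):
    """[kind, text, nbytes] tokens: 'lit' for fixed bytes, 'var' for anything matched dynamically."""
    tokens, i = [], 0
    while i < len(pattern):
        c, m = pattern[i], _HEX_BLOCK.match(pattern, i)
        if m:
            tokens.append(["lit", m.group(0), len(re.sub(r"\s", "", m.group(1))) // 2])
            i = m.end()
        elif c == "\\":                               # escaped special character such as \. or \-
            tokens.append(["lit", pattern[i:i + 2], 1])
            i += 2
        elif c == "(":
            j = _close_paren(pattern, i)
            tokens.append(["var", pattern[i:j + 1], 0])
            i = j + 1
        elif c == "[":
            j = pattern.find("]", i)
            j = j if j >= 0 else len(pattern) - 1
            tokens.append(["var", pattern[i:j + 1], 0])
            i = j + 1
        elif c in "?*+" or _RANGE.match(pattern, i):  # quantifiers bind to the preceding element
            text = c if c in "?*+" else _RANGE.match(pattern, i).group(0)
            tokens[-1:] = [["var", (tokens[-1][1] if tokens else "") + text, 0]]
            i += len(text)
        else:
            tokens.append(["var", c, 0] if c in ".|" else ["lit", c, 1])
            i += 1
    return tokens


def lint(pattern):
    """Return the list of problems found; an empty list means the pattern passes these checks."""
    problems = []
    if len(pattern) > MAX_PATTERN_CHARS:
        problems.append(f"{len(pattern)} characters exceeds the {MAX_PATTERN_CHARS}-character field; split into AND conditions")
    if "&" in pattern.replace("&amp;", ""):
        problems.append("'&' is a special character; write it as &amp;")
    if pattern.count("\\x") % 2:
        problems.append("unbalanced \\x hex delimiters")
    runs = []                                         # merge adjacent literals into fixed-string runs
    for kind, text, nbytes in tokenize(pattern):
        if kind == "lit" and runs and runs[-1][0] == "lit":
            runs[-1] = ["lit", runs[-1][1] + text, runs[-1][2] + nbytes]
        else:
            runs.append([kind, text, nbytes])
    longest = max((r[2] for r in runs if r[0] == "lit"), default=0)
    if longest < MIN_ANCHOR_BYTES:                    # figure 5.1: only short strings around a DFA element
        problems.append(f"no fixed string of at least {MIN_ANCHOR_BYTES} bytes to anchor on (longest is {longest})")
    for idx, (kind, text, _) in enumerate(runs):
        if kind == "var" and text == "|":
            problems.append("alternation must be inside parentheses, e.g. ((bif)|(scr))")
        elif kind == "var" and text.endswith("}"):    # {min,max}: only '.' in front, 7 fixed bytes after
            after = runs[idx + 1][2] if idx + 1 < len(runs) and runs[idx + 1][0] == "lit" else 0
            if not text.startswith(".{"):
                problems.append(f"'{text}': {{min,max}} only supports '.' in front of it")
            if after < MIN_ANCHOR_BYTES:              # figure 4.1
                problems.append(f"'{text}': must be directly in front of a fixed string of at least {MIN_ANCHOR_BYTES} bytes (found {after})")
    return problems


def split_for_and(pattern, limit=MAX_PATTERN_CHARS):
    """Cut an over-long \\x...\\x hex pattern into pieces that fit the field, for AND-ed
    conditions; bytes are spread evenly so no piece falls under the anchor size."""
    m = _HEX_BLOCK.fullmatch(pattern)
    if not m:
        raise ValueError("only pure \\x...\\x hex patterns are split here")
    hexdigits = re.sub(r"\s", "", m.group(1))
    nbytes, max_bytes = len(hexdigits) // 2, (limit - 4) // 2   # 4 characters go to the two \x delimiters
    pieces = -(-nbytes // max_bytes)                             # ceiling division: conditions needed
    base, extra = divmod(nbytes, pieces)
    out, pos = [], 0
    for n in range(pieces):
        size = base + (1 if n < extra else 0)
        out.append("\\x" + hexdigits[pos:pos + 2 * size] + "\\x")
        pos += 2 * size
    return out
```

Running lint("paloaltonetworks.{4}BBBB") reports the figure 4.1 problem while lint("paloaltonetworks....BBBB") passes, which is the dot-for-repetition workaround described above; the pieces returned by split_for_and are entered as separate AND conditions with Ordered Condition Match left on.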
Qualifier - Qualifiers can be used to further refine and limit the scope of a custom signature, and are context-dependent.
They often limit the scope to an individual command or header type.
Aggregation Criteria – This is a setting found in combination signatures used to granularly aggregate the number of hits
per second. If for example you wanted to alert only after 25 POSTs have been seen in 60 seconds and only when going to
a certain destination IP, you would set the aggregation criteria to “destination”. Only a POST to that destination would
count towards your limit of 25 POSTs. You can also choose “source” or “source-and-destination” to aggregate the number
of hits differently.
Context – After the decoder decodes the protocol or file, it separates each portion into a context. Each context provides
certain portions of that file or protocol. We then specify the context where we expect our pattern to be.
Ordered Condition Match – If your signature has multiple conditions and the order of which the conditions are seen is
important, you can enable this setting. (The list of conditions uses the top-down approach, meaning it matches in order
from top to bottom.)
And / Or Conditions – Just like any other Boolean conditions, “And” matches the first condition and the second condition
and so on. “Or” matches the first condition or the second condition. “Or” conditions broaden the search, while “and”
conditions narrow the search.
Direction – Found in the configuration tab of a custom signature. This indicates whether the threat is assessed from the
client to server, server to client, or both.
Affected System – Found in the configuration tab of a custom signature. Indicates whether the threat involves the client,
server, either, or both. This applies to vulnerability signatures, but not spyware signatures.
1. First, you’ll need to go to the Objects tab -> click Vulnerability under the Custom Signatures section -> and click
“Add”.
2. The only required fields are Threat ID, Name, Severity, and Direction. Ensure the Threat ID is between 41000-45000.
3. Next, you’ll need to click the “Signatures” tab. We will cover combination signatures in a later example. For now,
leave it at standard. Click “Add” at the bottom of the window to bring up the “Standard” window.
4. We start by giving this signature a name. This example will only have one condition; therefore we can ignore the
Ordered Condition Match setting. Also, we only want to alert on a single transaction and not the full session, so
we will leave the scope at “Transaction”. Finally, click “Add And Condition”.
5. Since we’re looking for the exact value of “404”, choose “Equal To” from the “Operator” drop-down menu. You’ll
notice that the entries in the “Context” drop-down depend on your “Operator” selection. If for example you were to
choose the operator “Pattern Match”, it would contain contexts based on a pattern, not an integer. Knowing this,
select the “http-rsp-code” context from the “Context” drop-down menu. Next, enter “404” in the “Value” field.
6. The completed condition should look like “figure 6”. Click “OK” on each of the signature windows, commit, and
test your new signature.
You can use any hex editor to view the hex contents of the file. I chose to go with xxd, a cli-based editor. By reading the
“file-flv-body” context example in the contexts section above, we know that this context provides every byte after the
header. Everything in bold is within the context, so we can write a pattern using those bytes.
We pick ‘0a6f 6e4d 6574 61’ as our value to match on. Keep in mind that every two hex digits represent one byte, so this
pattern just meets our 7-byte requirement. Let’s pretend we’ve identified these bytes as malicious shellcode that we don’t
want passing through our firewall. Let’s now walk through the process of creating the signature from start to finish:
1. Add a new custom vulnerability signature and fill out the mandatory fields.
2. Click the signatures tab and click “Add” to bring up the “Standard” window.
3. Fill in the “Signature Name” field and leave the scope as transaction. We only have one condition, so we can
leave “Ordered Condition Match” alone. Click “Add And Condition”.
4. Choose “Pattern Match” as the operator, then find “file-flv-body” from the “Context” drop-down, and enter the
pattern we found earlier with ‘\x’ before and after the pattern to indicate we’re matching hexadecimal. (See Figure 4
below)
5. Click “OK” on each of the signature windows, commit, and test your new signature.
1. Create a new Custom Vulnerability Signature and fill out the needed fields in the “Configuration” tab.
2. Go to the “Signatures” tab, leave “Standard” selected and click “Add” to bring up the “Standard” window.
3. Enter a signature name, leave the scope as “Transaction”; again we only have one condition so the “Ordered
Match Setting” can be ignored.
4. Click “Add And Condition” for the condition window to open. Here, choose “Pattern Match” from the “Operator”
drop-down menu since we’re matching on a string. Select “http-req-uri-path” from the “Context” drop-down menu
and enter the pattern “wp\-login\.php” (without the quotes as seen in figure 4). We escape the ‘-’ and ‘.’ characters
with backslashes since they’re part of the regex library and we want a literal match on those characters.
5. Last, we’re going to click “Add” on the condition window from step 4 to add a qualifier to the signature. Choose
“http-method” as the qualifier and set the value to “POST”. This way, our pattern only matches if it’s found inside
an HTTP POST message.
6. Click “OK” on each signature window, commit, and test the signature.
1. Create a new custom signature and fill out the needed fields in the “Configuration” tab.
2. Click the signature tab, choose “Combination” and click “Add And Condition”.
3. In the condition window, you first name the condition. Then choose the threat ID that will be used. Here we chose
Threat ID “42100” which is the WordPress login signature we created in the last example.
4. Click the “Time Attribute” tab. These settings are what make this a combination signature. We can monitor the
matches on this signature and only alert or drop if the number of hits reaches our maximum value within our
defined amount of seconds. You’ll also want to choose your “Aggregation Criteria”.
5. Click “OK” on each of the signature windows, commit, and test the signature.
Context Qualifiers
Revision History
Date             Revision  Comment
August 22, 2017  E         Added the context http-req-no-version-string-small-pkt to the String section.
March 31, 2017   D         Added the http-rsp-non-2xx-response-body field to the String section; reformatted title page, header/footer, and page breaks for smoother flow of text.
April 22, 2015   B         Added information in the “Common Regex Syntax Errors” section that states that when writing a custom application signature, the application decoder may or may not be case-sensitive for a given field, depending on the decoder that the firewall uses.
July 26, 2013    A         The first release of this document.