Tech Note
Revision B
Contents
Overview ................................................................................................................................................................................. 4
Integer Contexts (Greater than, Less than, Equal to) ............................................................................................................... 4
ftp-req-params-len ................................................................................................................................................................ 4
http-req-content-length ........................................................................................................................................................ 4
http-req-header-length .......................................................................................................................................................... 5
http-req-param-length .......................................................................................................................................................... 5
http-req-uri-path-length ....................................................................................................................................................... 6
http-req-uri-tilde-count-num ................................................................................................................................................ 6
http-rsp-code ........................................................................................................................................................................ 6
http-rsp-content-length ......................................................................................................................................................... 7
http-rsp-total-headers-len ..................................................................................................................................................... 7
imap-req-cmd-param-len ...................................................................................................................................................... 7
imap-req-first-param-len ...................................................................................................................................................... 8
imap-req-param-len-from-second ......................................................................................................................................... 8
smtp-req-helo-argument-length ............................................................................................................................................ 8
smtp-req-mail-argument-length ............................................................................................................................................ 9
smtp-req-rcpt-argument-length............................................................................................................................................. 9
String Contexts (Pattern Match) .............................................................................................................................................. 9
dns-req-addition-section ....................................................................................................................................................... 9
dns-req-answer-section ....................................................................................................................................................... 10
dns-req-authority-section ................................................................................................................................................... 10
dns-req-header.................................................................................................................................................................... 11
dns-req-section ................................................................................................................................................................... 11
dns-rsp-addition-section ..................................................................................................................................................... 12
dns-rsp-answer-section ....................................................................................................................................................... 13
dns-rsp-authority-section .................................................................................................................................................... 13
dns-rsp-header .................................................................................................................................................................... 14
dns-rsp-ptr-answer-data ..................................................................................................................................................... 14
dns-rsp-queries-section ....................................................................................................................................................... 15
email-headers ..................................................................................................................................................................... 15
file-flv-body ........................................................................................................................................................................ 16
file-html-body..................................................................................................................................................................... 16
file-java-body ..................................................................................................................................................................... 17
file-mov-body ..................................................................................................................................................................... 17
file-office-content ............................................................................................................................................................... 17
file-pdf-body....................................................................................................................................................................... 18
file-riff-body ....................................................................................................................................................................... 18
file-swf-body ...................................................................................................................................................................... 18
file-unknown-body ............................................................................................................................................................. 19
ftp-req-params.................................................................................................................................................................... 19
ftp-rsp-banner .................................................................................................................................................................... 19
ftp-rsp-message................................................................................................................................................................... 20
gdbremote-req-context ....................................................................................................................................................... 20
gdbremote-rsp-context ....................................................................................................................................................... 21
giop-req-message-body ....................................................................................................................................................... 21
giop-rsp-message-body ....................................................................................................................................................... 22
http-req-headers ................................................................................................................................................................. 22
http-req-host-header ........................................................................................................................................................... 22
http-req-message-body ....................................................................................................................................................... 23
http-req-mime-form-data ................................................................................................................................................... 23
http-req-params.................................................................................................................................................................. 24
http-req-uri-path ................................................................................................................................................................ 24
http-rsp-headers ................................................................................................................................................................. 25
imap-req-cmd-line .............................................................................................................................................................. 25
imap-req-first-param .......................................................................................................................................................... 25
2013, Palo Alto Networks, Inc.
[2]
imap-req-params-after-first-param ..................................................................................................................................... 26
irc-req-params .................................................................................................................................................................... 26
irc-req-prefix ...................................................................................................................................................................... 26
jpeg-file-scan-data .............................................................................................................................................................. 26
jpeg-file-segment-data ........................................................................................................................................................ 26
jpeg-file-segment-header ..................................................................................................................................................... 27
ms-ds-smb-req-share-name ................................................................................................................................................. 27
msrpc-req-bind-data ........................................................................................................................................................... 27
mssql-db-req-body ............................................................................................................................................................. 28
pe-dos-headers.................................................................................................................................................................... 28
pe-file-header...................................................................................................................................................................... 28
pe-optional-header ............................................................................................................................................................. 29
pe-section-header ............................................................................................................................................................... 29
pe-body-data ...................................................................................................................................................................... 29
rtmp-req-message-body ...................................................................................................................................................... 30
rtsp-req-headers.................................................................................................................................................................. 30
rtsp-req-uri-path ................................................................................................................................................................. 31
smtp-req-argument ............................................................................................................................................................. 31
smtp-rsp-content ................................................................................................................................................................ 31
ssh-req-banner .................................................................................................................................................................... 32
ssh-rsp-banner .................................................................................................................................................................... 32
ssl-req-certificate ................................................................................................................................................................ 32
ssl-req-client-hello .............................................................................................................................................................. 33
ssl-req-random-bytes .......................................................................................................................................................... 33
ssl-rsp-cert-subjectpublickey ............................................................................................................................................... 34
ssl-rsp-certificate................................................................................................................................................................. 34
ssl-rsp-server-hello .............................................................................................................................................................. 35
telnet-req-client-data .......................................................................................................................................................... 35
telnet-rsp-server-data .......................................................................................................................................................... 35
unknown-req-tcp-payload .................................................................................................................................................. 36
unknown-rsp-tcp-payload .................................................................................................................................................. 36
unknown-req-udp-payload ................................................................................................................................................. 36
unknown-rsp-udp-payload ................................................................................................................................................. 36
Regex Syntax with Examples ................................................................................................................................................. 37
Table of PAN-OS Regex Characters................................................................................................................................... 37
Simple Examples of Patterns Using Each Supported Character .......................................................................................... 37
Common Regex Syntax Errors ........................................................................................................................................... 38
Custom Signature Examples .................................................................................................................................................. 41
Signature Terminology Refresher ....................................................................................................................................... 41
Example 1: Integer-based Context .................................................................................................................... 41
Example 2: Matching Hexadecimal Values ...................................................................................................... 43
Example 3: Custom Signature Using a Qualifier............................................................................................... 45
Example 4: Combination Signature .................................................................................................................. 46
Context Qualifiers ................................................................................................................................................................. 48
Table 1: FTP Command Qualifiers..................................................................................................................................... 48
Table 2: FTP Vendor ID Qualifiers .................................................................................................................................... 48
Table 3: HTTP Header Field Qualifiers ............................................................................................................................. 48
Table 4: HTTP Method Qualifiers ..................................................................................................................................... 48
Table 5: IMAP Command Qualifiers ................................................................................................................................. 48
Table 6: RTSP Method Qualifiers ...................................................................................................................................... 48
Table 7: SMTP Method Qualifiers ..................................................................................................................................... 49
Revision History .................................................................................................................................................................... 49
Overview
The following information was written based on a firewall running PAN-OS 5.0, but the information is also applicable to
later versions. The first section describes all integer contexts, which apply to the greater-than, less-than, and equal-to
operators. These contexts are available for custom IPS signatures, but are not available for custom application signatures.
The second section describes all string contexts, which apply to the pattern-matching operator. The third section details
the PAN-OS regex library of characters, regex examples, and common regex-specific mistakes you may run into when
creating patterns for custom signatures. The fourth section contains step-by-step procedures for creating custom
signatures of all types. The final section provides tables of all qualifiers available to various contexts. Qualifiers can be
used to further refine and limit the scope of a custom signature, and are context-dependent.
When creating a custom signature, you will start by taking a packet-capture of the traffic of interest. To analyze the packet
captures, we used the Wireshark application to help provide a simple reference when trying to understand what each
context provides.
Integer Contexts (Greater than, Less than, Equal to)
ftp-req-params-len
Description: Length of the parameters following an FTP command
Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.
http-req-content-length
Description: Content length of an HTTP request (the value of the Content-Length header)
Example: This context provides the integer highlighted in yellow.
http-req-header-length
Description: Length of an HTTP request header, excluding the request line (method, path, and HTTP version)
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-param-length
Description: Length of the URL query string
Example: This context provides the length of the text highlighted in yellow (everything after the ?).
http-req-uri-path-length
Description: Length of the URI path up to and including the ?, not including the query string that follows it.
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to requests that use specific
HTTP methods.
http-req-uri-tilde-count-num
Description: Number of ~ characters in the path (same path that http-req-uri-path provides). The following encoded
characters are included in this context:
%3A
%u003A
%u0589
%u2236
%u007E
%u0303
%u223C
%uFF5E
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to requests that use specific
HTTP methods.
http-rsp-code
Description: The number corresponding to the HTTP response code
Example: This context provides the integer highlighted in yellow.
http-rsp-content-length
Description: Content length of an HTTP response (the value of the Content-Length header)
Example: This context provides the integer highlighted in yellow.
http-rsp-total-headers-len
Description: Length of the HTTP response headers, not including the HTTP status banner
Example: This context provides the length of the text highlighted in yellow.
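To see what the HTTP request and response integer contexts above would evaluate to for a given capture, here is an added example (it is not part of the tech note and is not firewall code) that computes them from a constructed request and response. The parsing rules are this example's own assumptions: the header-length contexts are taken as the header lines after the request or status line, without the blank line that terminates them; the content-length contexts read the Content-Length header; the tilde count covers the literal character plus the encoded forms listed above, copied from the note verbatim. Use the numbers it prints to sanity-check a threshold before committing a greater-than or less-than signature.

```python
"""What the HTTP integer contexts would evaluate to for a captured request
and response.  Added example, not from the tech note; the split rules below
are assumptions and may differ in detail from the firewall decoder."""
import re

# Encoded forms counted by http-req-uri-tilde-count-num, as listed in the note.
ENCODED_TILDE_FORMS = ("%3A", "%u003A", "%u0589", "%u2236",
                       "%u007E", "%u0303", "%u223C", "%uFF5E")

# Constructed sample traffic (not captured from any real host).
SAMPLE_REQUEST = (b"GET /cgi-bin/test~1.php?user=admin&id=42 HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: curl/7.64.1\r\n"
                  b"Content-Length: 11\r\n"
                  b"\r\n"
                  b"hello=world")
SAMPLE_RESPONSE = (b"HTTP/1.1 404 Not Found\r\n"
                   b"Server: Apache\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 13\r\n"
                   b"\r\n"
                   b"<h1>Nope</h1>")


def split_message(raw: bytes):
    """Return (start_line, header_block, headers, body).
    header_block is the raw bytes of the header lines after the start line,
    without the blank line that ends the header (assumption: this is what the
    header-length contexts measure).  headers maps lowercased name -> value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start_line, _, header_block = head.partition(b"\r\n")
    headers = {}
    for line in header_block.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return start_line, header_block, headers, body


def tilde_count(path: str) -> int:
    """Literal '~' plus the encoded forms the note lists (case-insensitive)."""
    total = path.count("~")
    for form in ENCODED_TILDE_FORMS:
        total += len(re.findall(re.escape(form), path, flags=re.IGNORECASE))
    return total


def request_contexts(raw: bytes) -> dict:
    start_line, header_block, headers, _body = split_message(raw)
    _method, target, _version = start_line.decode("latin-1").split(" ", 2)
    # http-req-uri-path-length counts the path up to and including the '?';
    # http-req-param-length counts everything after it.
    path, sep, query = target.partition("?")
    return {
        "http-req-header-length": len(header_block),
        "http-req-content-length": int(headers.get(b"content-length", b"0")),
        "http-req-param-length": len(query),
        "http-req-uri-path-length": len(path) + len(sep),
        "http-req-uri-tilde-count-num": tilde_count(path),
    }


def response_contexts(raw: bytes) -> dict:
    status_line, header_block, headers, _body = split_message(raw)
    _version, code, _reason = status_line.decode("latin-1").split(" ", 2)
    return {
        "http-rsp-code": int(code),
        "http-rsp-content-length": int(headers.get(b"content-length", b"0")),
        "http-rsp-total-headers-len": len(header_block),
    }


if __name__ == "__main__":
    for name, value in request_contexts(SAMPLE_REQUEST).items():
        print(f"{name:32} {value}")
    for name, value in response_contexts(SAMPLE_RESPONSE).items():
        print(f"{name:32} {value}")
```

Running it on the sample prints a header length of 66, a query-string length of 16, a path length of 20 (the ? is counted), one tilde, and for the response the code 404 and a header length of 59. Note that the standard %7E encoding of the tilde is not in the note's list, so this function, like the list, does not count it.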
imap-req-cmd-param-len
Description: Total length of all parameters of an IMAP command
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-first-param-len
Description: Length of the first parameter of an IMAP command
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-param-len-from-second
Description: Total length of all parameters of an IMAP command, not including the first
Example: This context provides the length of the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
smtp-req-helo-argument-length
Description: Length of the argument to the SMTP HELO command
Example: This context provides the length of the text highlighted in yellow.
smtp-req-mail-argument-length
Description: Length of the argument to the SMTP MAIL FROM command
Example: This context provides the length of the text highlighted in yellow.
smtp-req-rcpt-argument-length
Description: Length of the argument to the SMTP RCPT TO command
Example: This context provides the length of the text highlighted in yellow.
String Contexts (Pattern Match)
dns-req-addition-section
Description: Additional records section if found in a DNS request
dns-req-answer-section
Description: Answer section if found in a DNS request (normal DNS requests should not have an answer section).
Example: This context provides the text highlighted in yellow.
dns-req-authority-section
Description: Authority section if found in a DNS request (normal DNS requests should not have an authority section).
Example: This context provides the text highlighted in yellow.
dns-req-header
Description: Full DNS request header (12 bytes), which includes the transaction ID, query flags, number of questions,
and the Resource Record (RR) values in a DNS request.
Example: This context provides the text highlighted in yellow.
dns-req-section
Description: This context matches against the DNS questions of a DNS query, so that patterns can be written against
one or more domains in a given DNS query. It is a direct pattern match against the format of a DNS query, so patterns
must adhere to the DNS question structure. A recommended approach to create a DNS pattern is to capture the DNS
request with Wireshark and copy the DNS Request field (make sure to remove the ending period in the request).
Example 1: The following example illustrates how to build a signature for a DNS query for the domain
www.thebayareagamers.com.
The signature pattern is:
\x 03 77 77 77 10 74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73 03 63 6f 6d\x
Pattern                                          Description
\x                                               Indicates this pattern is a hex pattern match
03                                               Indicates that the next 3 bytes are to be matched
77 77 77                                         "www" (the period in the domain name is omitted: on the wire each
                                                 label is prefixed by its length, and no "." byte is ever sent)
10                                               Indicates that the next 16 bytes (10 hex) are to be matched
74 68 65 62 61 79 61 72 65 61 67 61 6d 65 72 73  "thebayareagamers"
03                                               Indicates that the next 3 bytes are to be matched
63 6f 6d                                         "com"
\x                                               Ends hex pattern match
Example 2: Here you can see the Wireshark representation of this table. Everything highlighted yellow and blue is
provided by this context. The blue section is where the hexadecimal string is pulled from for the above table.
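As an added example (not code from the tech note or from Palo Alto Networks), the following Python builds the dns-req-section hex pattern from a domain name, decodes the question name back out of a constructed query packet, and slices the 12-byte header that dns-req-header exposes. It shows why the trailing period has to be dropped and why a substring of a label (bayareagamers without the leading "the") does not match: the wire format is length-prefixed labels, not dotted text. SAMPLE_QUERY and the function names are this example's own.

```python
"""dns-req-section hex patterns and the dns-req-header bytes, built from the
DNS wire format.  Added example, not from the tech note; SAMPLE_QUERY is a
constructed packet, not a capture."""
import struct

# Constructed query for www.thebayareagamers.com, type A, class IN:
# 12-byte header (ID 0x1234, RD set, QDCOUNT 1) followed by one question.
SAMPLE_QUERY = (bytes.fromhex("123401000001000000000000")
                + b"\x03www\x10thebayareagamers\x03com"
                + b"\x00"                 # root label terminates the name
                + b"\x00\x01\x00\x01")    # QTYPE A, QCLASS IN


def encode_dns_name(domain: str) -> bytes:
    """Length-prefixed labels as sent on the wire.  The trailing period is
    dropped (as the note recommends) and no terminating zero byte is added,
    so the result covers exactly the labels."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out


def dns_name_pattern(domain: str, spaced: bool = False) -> str:
    """The \\x...\\x pattern for the domain.  spaced=True reproduces the
    spacing used in the note's example table."""
    hexstr = encode_dns_name(domain).hex()
    if spaced:
        pairs = [hexstr[i:i + 2] for i in range(0, len(hexstr), 2)]
        return "\\x " + " ".join(pairs) + "\\x"
    return "\\x" + hexstr + "\\x"


def decode_dns_name(data: bytes, offset: int) -> tuple:
    """Read a name at offset; return (dotted name, offset after the name).
    Compression pointers (0xC0) are followed so this also works on answers."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def dns_req_header(packet: bytes) -> dict:
    """The 12-byte header that dns-req-header exposes, decoded."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {"id": tid, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def question_names(packet: bytes) -> list:
    """Names in the question section (what dns-req-section matches against)."""
    names, offset = [], 12
    for _ in range(dns_req_header(packet)["qdcount"]):
        name, offset = decode_dns_name(packet, offset)
        names.append(name)
        offset += 4                           # skip QTYPE and QCLASS
    return names


def pattern_hits(packet: bytes, domain: str) -> bool:
    """Would the hex pattern for domain be found after the header?"""
    return encode_dns_name(domain) in packet[12:]


if __name__ == "__main__":
    print(dns_name_pattern("www.thebayareagamers.com", spaced=True))
    print(dns_req_header(SAMPLE_QUERY), question_names(SAMPLE_QUERY))
```

The length byte in front of each label is what makes a pattern built from a plain substring fail: "bayareagamers.com" encodes as 0d 62 61 ... and that 0d never appears in the packet, because the label on the wire is the 16-byte "thebayareagamers". When you want to catch any subdomain, start the pattern at a full label boundary (10 74 68 ...) rather than at the first byte of the hostname.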
dns-rsp-addition-section
Description: Additional records sections of a DNS response
Example: This context provides the text highlighted in yellow.
dns-rsp-answer-section
Description: All of the DNS Answers section with the exception of PTR records. PTR records are matched in a separate
context.
Example: This context provides the text highlighted in yellow.
dns-rsp-authority-section
Description: The complete authority section of a DNS response
Example: This context provides the text highlighted in yellow.
dns-rsp-header
Description: Full DNS response header, which includes the transaction ID, query flags, the number of questions, and the
Resource Record (RR) values.
Example: This context provides the text highlighted in yellow.
dns-rsp-ptr-answer-data
Description: FQDN for a type PTR DNS response
Example: This context provides the text highlighted in yellow.
dns-rsp-queries-section
Description: Name, type, and class of the queries section in a DNS response
Example: This context provides the text highlighted in yellow.
email-headers
Description: All email headers and the plain text email body. Attachments are not included in this context as they are
provided elsewhere.
Example: In the message below, this context provides the headers and the plain-text body (down to the signature
"Kelly"); the base64-encoded GIF attachment part that follows is not included.
Microsoft Mail Internet Headers Version 2.0
Received: from mail.litwareinc.com ([10.54.108.101]) by mail.proseware.com with Microsoft
SMTPSVC(6.0.3790.0);
Wed, 12 Dec 2007 13:39:22 -0800
Received: from mail ([10.54.108.23] RDNS failed) by mail.litware.com with Microsoft SMTPSVC(6.0.3790.0);
Wed, 12 Dec 2007 13:38:49 -0800
From: "Kelly J. Weadock" <kelly@litware.com>
To: <anton@proseware.com>
Cc: <tim@cpandl.com>
Subject: Review of staff assignments
Date: Wed, 12 Dec 2007 13:38:31 -0800
Message-ID: <MAILbbnewS5TqCRL00000013@mail.litware.com>
X-OriginalArrivalTime: 12 Dec 2007 21:38:50.0145 (UTC)
Hey,
Check out this picture.
Kelly
Content-Type: image/gif; name="world1.gif"
Content-Description: world1.gif
Content-Disposition: attachment; filename="world1.gif"; size=292;
creation-date="Wed, 12 DEC 2007 07:29:14 GMT";
modification-date=" Wed, 12 DEC 2007 07:29:14 GMT"
Content-ID: <LKAJDF9282LKSDKA@litware.com>
Content-Transfer-Encoding: base64
R0lGODlhFAAWAKEAAP///8z//wCZMwAAACH+TlRoaXMgYXJ0IGlzIGluIHRoZSBwdWJsaWMgZG9t
YWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIgMTk5NQAh+QQBAAAB
ACwAAAAAFAAWAAACY4yPqTrtm5qYtMEGBNiaWzRMHEVlwgBm5lieR7hqsiqjQSjG3I7C9LgznXw5
nUwjAaqEIiSs2Vl2nKWglIfbsHJTV3bJJNkGLG10arspwZ20mlYVum++8PBCBn8gBseDD7hQAAA7
file-flv-body
Description: Full body of a Flash Video file, minus the first 9 bytes as they're reserved for the header. The FLV header is
a 3-byte signature "FLV", a 1-byte version, a 1-byte flags field (audio and/or video present), and a 4-byte big-endian
data offset, which is 9 when the header carries no extra fields.
Example: Using a CLI hex editor named xxd, we can view the header of the flash file (version 1, flags 0x05 for audio
and video, data offset 9).
Macbook:~ noob$ xxd -l 9 flash_video.flv
0000000: 464c 5601 0500 0000 09                   FLV......
Every byte after the 9th is provided by this context. Only the 9 header bytes were printed here as an example.
file-html-body
Description: Full body of an HTML file, minus the first 8 bytes as they're reserved for the header
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
Macbook:~ noob$ xxd -l 50 The_legend_of_random.html
0000000: 3c21 444f 4354 5950 4520 6874 6d6c 2050  <!DOCTYPE html P
0000010: 5542 4c49 4320 222d 2f2f 5733 432f 2f44  UBLIC "-//W3C//D
0000020: 5444 2058 4854 4d4c 2031 2e30 2054 7261  TD XHTML 1.0 Tra
0000030: 6e73                                     ns
file-java-body
Description: Full body of a Java class file, minus the first 4 bytes as they're reserved for Java's magic number
Example: Using a CLI-based hex editor named xxd, we can view the first 4 bytes of the Java file (cafe babe). Every byte
after the 4th is provided by this context. Only the first 25 bytes were printed here as an example.
Macbook:~ noob$ xxd -l 25 java_file.class
0000000: cafe babe 0000 0033 0047 0a00 1300 2107  .......3.G....!.
0000010: 0022 0a00 0200 210a 00
file-mov-body
Description: Full body of a MOV file, minus the first 8 bytes as they're reserved for the header
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
Macbook:~ noob$ xxd -l 50 /System/Library/Compositions/Yosemite.mov
0000000: 0000 0020 6674 7970 7174 2020 2005 0300  ... ftypqt   ...
0000010: 7174 2020 0000 0000 0000 0000 0000 0000  qt  ............
0000020: 0000 10ae 6d6f 6f76 0000 006c 6d76 6864  ....moov...lmvhd
0000030: 0000                                     ..
file-office-content
Description: Full body of a Microsoft Office document file, minus the first 8 bytes as they're reserved for the header
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
Macbook:~ noob$ xxd -l 50 Word_Document.doc
0000000: d0cf 11e0 a1b1 1ae1 0000 0000 0000 0000  ................
0000010: 0000 0000 0000 0000 3e00 0300 feff 0900  ........>.......
0000020: 0600 0000 0000 0000 0000 0000 2000 0000  ............ ...
0000030: b20f                                     ..
file-pdf-body
Description: This context provides the full body of a PDF file, minus the first 8 bytes as they're reserved for the header.
Compressed data is provided as decompressed data by the decoder.
Example: xxd is a CLI-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were
printed here as an example.
Macbook:~ noob$ xxd -l 50 WildFire_Administrators_Guide-5.1.pdf
0000000: 2550 4446 2d31 2e36 0d25 e2e3 cfd3 0d0a  %PDF-1.6.%......
0000010: 3431 3332 2030 206f 626a 0d3c 3c2f 4c69  4132 0 obj.<</Li
0000020: 6e65 6172 697a 6564 2031 2f4c 2031 3237  nearized 1/L 127
0000030: 3834                                     84
file-riff-body
Description: Full body of a RIFF file, minus the first 8 bytes as theyre reserved for the header
th
Example: xxd is a cli-based hex editor; every byte after the 8 is provided by this context. Only the first 50 bytes were
printed here as an example.
Macbook:~ noob$ xxd -l 50 /pentest/misc/exiftool/t/images/RIFF.avi
0000000: 5249 4646 b63b 2a00 4156 4920 4c49 5354 RIFF.;*.AVI LIST
0000010: 4601 0000 6864 726c 6176 6968 3800 0000 F...hdrlavih8...
0000020: 6a04 0100 c824 0300 0000 0000 1000 0100 j....$..........
0000030: e900 ..
file-swf-body
Description: Full body of a SWF file, minus the first 8 bytes as they're reserved for the header.
Example: xxd is a cli-based hex editor; every byte after the 8th is provided by this context. Only the first 50 bytes were printed here as an example.
Macbook:~ noob$ xxd -l 50 Cinema.swf
0000000: 4357 530a bef9 3c00 78da c4bd 0778 1bc7 CWS...<.x....x..
0000010: d52e 8c99 c562 b128 043b 2952 9229 773b .....b.(.;)R.)w;
0000020: b624 cb89 132b 8e1d 8aa4 2426 5431 49c9 .$...+....$&T1I.
0000030: f697 ..
file-unknown-body
Description: If a file isn't matched to one of our other contexts, you can use this context to match the file. This context provides data after the first 8 bytes and up to 7 packets of an unknown file we couldn't otherwise identify.
Example: xxd is a cli-based hex editor; every byte after the 8th is provided, up until 7 bytes have been seen. In the example below the first 8 bytes are numbered to show easily what wouldn't be matched. Next are A's followed by "shellcode" in hex. We could, for instance, block this file by adding \x7368656c6c636f6465\x in the Pattern field of the custom signature.
Macbook:~ noob$ xxd file.bin
0000000: 1122 3344 5566 7788 4141 4141 4141 4141 ."3DUfw.AAAAAAAA
0000010: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0000020: 7368 656c 6c63 6f64 65 shellcode
ftp-req-params
Description: Parameters following an FTP command
Example: The context provides the text highlighted in yellow.
Qualifiers: This context can use FTP command (Table 1) and FTP vendor ID (Table 2) qualifiers to limit signatures to
specific FTP commands and known FTP clients.
ftp-rsp-banner
Description: FTP welcome banner shown before authentication
Example: This context provides the text highlighted in yellow.
ftp-rsp-message
Description: FTP server response code and the code itself. Note that the code and the space can be used as part of the required 7-byte anchor.
Example: This context matches the text highlighted in yellow.
gdbremote-req-context
Description: GDB is a process debugger that has the ability to debug across the network. This context provides the
request data.
Example: After capturing the GDB network data, follow the TCP stream to view the data. In this instance, everything in
red is the request data, and that is what this context provides.
gdbremote-rsp-context
Description: GDB is a process debugger that has the ability to debug across the network. This context provides the
response data.
Example: After capturing the GDB network data, I followed the TCP stream to view the data. In this instance, everything
in blue is what this context provides.
giop-req-message-body
Description: Everything in the GIOP request
Example: This context provides the text highlighted in yellow.
giop-rsp-message-body
Description: Data after the GIOP header in a GIOP response
Example: This context provides the text highlighted in yellow.
http-req-headers
Description: HTTP request header, not including the method, path, HTTP version, or host as those are provided
elsewhere.
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-host-header
Description: Host field in an HTTP request header
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use HTTP header field (Table 3) and HTTP method (Table 4) qualifiers to limit signatures to
HTTP headers with specific values for select header fields and for specific HTTP methods.
http-req-message-body
Description: Body content of an HTTP request when the body content cannot be recognized as URL-encoded or MIME-type data using the Content-type field.
Example: This context provides the full body. I followed the TCP stream in Wireshark and only chose a portion of the
body for the signature to match.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-req-mime-form-data
Description: MIME header data in the body of an HTTP request, not including embedded file contents
Example: This context provides the data highlighted in yellow.
http-req-params
Description: Query string as well as parameters in the HTTP body for a POST method (after the ?).
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-req-uri-path
Description: Path in an HTTP request header (up to and including the ?).
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the HTTP method (Table 4) qualifier to limit signatures to HTTP headers with specific
HTTP methods.
http-rsp-headers
Description: Full HTTP response header, not including the HTTP banner
Example: This context provides the text highlighted in yellow.
imap-req-cmd-line
Description: IMAP command used.
Example: This context provides the text highlighted in yellow.
imap-req-first-param
Description: First parameter to an IMAP command
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the IMAP command (Table 5) qualifier to limit signatures to specific IMAP commands.
imap-req-params-after-first-param
Description: Every parameter to an IMAP command, not including the first parameter
Example: This context provides the text highlighted in yellow.
irc-req-params
Description: Argument after the actual IRC command and space
Example: This context provides the text highlighted in yellow.
irc-req-prefix
Description: Data before an IRC command, typically used to indicate the true origin of a message
Example: You can see by following the TCP stream in Wireshark that there is data in between the IRC commands. It appears this message was proxied.
jpeg-file-scan-data
Description: This context provides all of the scan data within a jpeg file.
jpeg-file-segment-data
Description: This context provides all of the segment data within a jpeg file.
jpeg-file-segment-header
Description: This context provides the segment header data within a jpeg file.
ms-ds-smb-req-share-name
Description: Full path to a file that is read or written using SMB
Example: This context provides the text highlighted in yellow.
msrpc-req-bind-data
Description: Data payload of a MS RPC Bind request
Example: This context provides the text highlighted in yellow. The easiest way to find a pattern to match is to look at the
hex representation of the payload and pick at least 7 bytes to match on as seen below.
mssql-db-req-body
Description: Request to a Microsoft SQL server, excluding the request header
Example: This context provides the text highlighted in yellow.
pe-dos-headers
Description: This context provides the DOS MZ header and the DOS stub. These are located in the first 64 bytes of the PE file.
Example: This context provides the data in bold.
PE File Structure
DOS MZ Header + DOS Stub: first 64 bytes
PE File Header: next 20 bytes
PE Optional Header: next 224 bytes
PE Section Header: next 40 bytes each
PE Body Data: rest of the file
pe-file-header
Description: This context provides the PE file header. This is 20 bytes long and starts at the 65th byte of the PE file.
Example: This context provides the data in bold.
PE File Structure
DOS MZ Header + DOS Stub: first 64 bytes
PE File Header: next 20 bytes
PE Optional Header: next 224 bytes
PE Section Header: next 40 bytes each
PE Body Data: rest of the file
pe-optional-header
Description: This context provides the optional header of a PE file. This is typically 224 bytes long and starts at the 86th byte of the PE file.
pe-section-header
Description: This context provides the section headers for a PE file. These are 40 bytes each. Some typical sections with headers are idata, rsrc, data, text, and src. However, each PE file may not include each section, and they're not guaranteed to be in any specific order.
Example: This context provides the data in bold.
PE File Structure
DOS MZ Header + DOS Stub: first 64 bytes
PE File Header: next 20 bytes
PE Optional Header: next 224 bytes
PE Section Header: next 40 bytes each
PE Body Data: rest of the file
pe-body-data
Description: This context provides the body data of a PE file. This includes everything inside the file sections themselves.
The body data is located after the headers mentioned above.
Example: This context provides the data in bold.
PE File Structure
DOS MZ Header + DOS Stub: first 64 bytes
PE File Header: next 20 bytes
PE Optional Header: next 224 bytes
PE Section Header: next 40 bytes each
PE Body Data: rest of the file
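As an added example for the four pe-* contexts above (not code from this Tech Note or from Palo Alto Networks), the Python below computes the byte range each context covers for a given file. It follows the e_lfanew pointer at offset 0x3C instead of assuming the DOS portion is exactly 64 bytes, so a file that carries a DOS stub is sliced correctly; the 4-byte PE signature is counted with the file header (an assumption), and the sample image it builds is constructed, not a real executable.

```python
import struct

# Region sizes as given in the PE File Structure table of this document.
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE_SIGNATURE = b"PE\0\0"


def pe_context_regions(data: bytes) -> dict:
    """Map each pe-* context name to the (start, end) byte range it covers.

    The DOS portion ends where e_lfanew (offset 0x3C) points, so a DOS stub
    of any length is handled; the 4-byte PE signature is counted with the
    file header (assumption made for this example).
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature at e_lfanew")
    file_hdr = e_lfanew + 4
    # COFF file header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + FILE_HEADER_SIZE
    sect_hdr = opt_hdr + opt_size
    body = sect_hdr + num_sections * SECTION_HEADER_SIZE
    if body > len(data):
        raise ValueError("headers run past end of file")
    return {
        "pe-dos-headers": (0, e_lfanew),
        "pe-file-header": (e_lfanew, opt_hdr),
        "pe-optional-header": (opt_hdr, sect_hdr),
        "pe-section-header": (sect_hdr, body),
        "pe-body-data": (body, len(data)),
    }


def carve(data: bytes) -> dict:
    """Return the bytes each context would see, keyed by context name."""
    return {name: data[s:e] for name, (s, e) in pe_context_regions(data).items()}


def build_sample_pe(num_sections: int = 2, body: bytes = b"constructed body") -> bytes:
    """Constructed minimal PE32 image (not a real executable) whose layout
    matches the document's table: no DOS stub, 224-byte optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, rest zero
    sections = b"".join(
        struct.pack("<8s", f".s{i}".encode()) + b"\0" * 32 for i in range(num_sections)
    )
    return dos + PE_SIGNATURE + coff + optional + sections + body


if __name__ == "__main__":
    for name, (s, e) in pe_context_regions(build_sample_pe()).items():
        print(f"{name:20} bytes {s}-{e - 1}")
```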
rtmp-req-message-body
Description: RTMP body up until twenty packets have been sent
Example: This context provides the text highlighted in yellow.
rtsp-req-headers
Description: Full RTSP request headers, not including the command line
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.
rtsp-req-uri-path
Description: Path of an RTSP request, not including the command line
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the RTSP method (Table 6) qualifier to limit signatures to specific RTSP methods.
smtp-req-argument
Description: Argument of an SMTP command
Example: This context provides the text highlighted in yellow.
Qualifiers: This context can use the SMTP method (Table 7) qualifier to limit signatures to specific SMTP methods.
smtp-rsp-content
Description: SMTP server response content
Example: This context provides the text highlighted in yellow.
ssh-req-banner
Description: SSH banner of the client, not including comments
Example: This context provides the text highlighted in yellow.
ssh-rsp-banner
Description: SSH banner of the server, not including comments
Example: This context provides the text highlighted in yellow.
ssl-req-certificate
Description: Certificate request message of an SSL negotiation when initiated from the client
Example: This context provides the text highlighted in yellow.
ssl-req-client-hello
Description: Client hello message of a SSL negotiation
Example: This context provides the text highlighted in yellow.
ssl-req-random-bytes
Description: Random bytes field in the SSL client hello
Example: This value is already hexadecimal; you'll need to write the pattern in your signature as such (enclosed in \x).
ssl-rsp-cert-subjectpublickey
Description: Certificate subject public key that's part of an SSL server hello handshake
Example: This context matches the text highlighted in yellow.
ssl-rsp-certificate
Description: Certificate response message of a SSL negotiation from the server
Example: This context matches the text highlighted in yellow.
ssl-rsp-server-hello
Description: Server hello message of a SSL negotiation
Example: This context provides the text highlighted in yellow.
telnet-req-client-data
Description: All telnet data for traffic originating from the client
Example: This context matches the text highlighted in yellow.
telnet-rsp-server-data
Description: All telnet data for traffic originating from the server
Example: This context matches the text highlighted in yellow.
unknown-req-tcp-payload
Description: Full TCP payload for unknown TCP traffic originating from the client
Example: This context matches the text highlighted in yellow.
unknown-rsp-tcp-payload
Description: Full TCP payload for unknown TCP traffic originating from the server
Example: This context matches the text highlighted in yellow.
unknown-req-udp-payload
Description: Full UDP payload for unknown UDP traffic originating from the client, which is the initiator of UDP
communications
Example: This context matches the text highlighted in yellow.
unknown-rsp-udp-payload
Description: Full UDP payload for unknown UDP traffic originating from the server, which is opposite the client
Example: This context matches the text highlighted in yellow.
Symbol: .
Pattern Example: Malware.
Possible Matches: Malwares, Malware1
Symbol: ?
Explanation: Match the preceding character or expression 0 or 1 time; the general expression MUST be inside a pair of parentheses, e.g. (abc)?
Pattern Example: Copyrights?
Possible Matches: Copyright, Copyrights
Symbol: *
Explanation: Match the preceding character or expression 0 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)*
Pattern Example: PayloadA*
Possible Matches: Payload, PayloadAAAAA
Symbol: +
Explanation: Match the preceding character or regular expression 1 or more times; the general expression MUST be inside a pair of parentheses, e.g. (abc)+
Pattern Example: Networks+
Possible Matches: Networks, Networksssss
Symbol: |
Explanation: Equivalent to "or" as in this example: ((bif)|(scr)|(exe)): match bif, scr or exe. Note that the alternative substrings MUST be in parentheses.
Pattern Example: Copyright(s)|(ed)
Possible Matches: Copyrights, Copyrighted
Symbol: []
Explanation: Used to create range expressions as in this example: [c-z]: match any character between c and z INCLUSIVE
Pattern Example: Shellcode[a-d]
Possible Matches: Shellcodea, Shellcodec
Pattern Example: Customer[12]
Possible Matches: Customer1, Customer2
Symbol: ^
Explanation: Match any except, as in this example: [^abz]: match any character but a, b, or z
Pattern Example: Network[^ABC]
Possible Matches: NetworkD, Networkz
Symbol: {}
Explanation: Min/Max number of bytes, as in this example: .{10,20}: match any string that is between 10 and 20 bytes. Note: Must be directly in front of
Pattern Example: Anchors.{2,5}
Possible Matches: AnchorsAB, Anchorscdefg
Symbol: \
Pattern Example: www\.paloaltonetworks\.com
Possible Matches: www.paloaltonetworks.com
Symbol: &
Pattern Example: Username&Password
Possible Matches: Username&Password
3. The Pattern field in the condition window has a limit of 127 characters, but what if your pattern is longer?
o The solution is to AND them together as shown in figure 5. You can even leave Ordered Condition Match selected, so it must see them in order to perform a closer match to the full string.
Another work-around that is possible in some patterns is to just write out the . (dot) characters instead of using the repetition: .{4} would become .... (four dots) and there is no repetition requirement.
Figure 4.1 Invalid because only 4 bytes, BBBB, follow the repetition .{4}
Figure 4.2 Valid because 7 bytes, BBBBBBB, now follow the repetition element
This error indicates the pattern entered contains two strings that are both less than 7 bytes and are separated by a regex wildcard element. An example of this is the one seen in Figure 5.1: pan and net are both less than 7 bytes each and are separated by the repetition variable .{4}, which is considered a wildcard element along with * (star), . (dot), and so on.
To fix this, you need to increase the size of at least one of the strings to 7 bytes or more. Figure 5.2 shows a fixed signature by changing net to networks, which is at least 7 bytes.
Figure 5.1 Invalid because there are two strings less than 7 bytes separated by a DFA
Figure 5.2 Valid because there is now only 1 string less than 7 bytes surrounding the repetition element
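Added example (not Palo Alto Networks code) covering the regex syntax table and the Figure 4/5 errors above, and the \x...\x hex form used in the file-unknown-body example: a checker that tokenizes a Pattern value under a simplified reading of the syntax table (an assumption, not the firewall's own engine) and reports the 127-character limit, a missing 7-byte anchor, and two strings shorter than 7 bytes around a wildcard element.

```python
import re
MAX_PATTERN_LEN = 127   # limit of the Pattern field in the condition window
MIN_ANCHOR = 7          # fixed-string anchor the pattern engine requires

def hex_pattern(data: bytes) -> str:
    """Write raw bytes the way the Pattern field expects them: \\x..\\x."""
    return "\\x" + data.hex() + "\\x"

def _group_end(pat: str, i: int, opener: str, closer: str) -> int:
    """Index just past the bracket/paren that closes the one at pat[i]."""
    depth = 0
    for j in range(i, len(pat)):
        depth += (pat[j] == opener) - (pat[j] == closer)
        if depth == 0:
            return j + 1
    raise ValueError(f"unbalanced '{opener}'")

def tokenize(pat: str) -> list:
    """('lit', byte_count) / ('wild', text) tokens; a simplified reading of the syntax table."""
    toks, lit, i = [], 0, 0
    while i < len(pat):
        c = pat[i]
        if pat.startswith("\\x", i):                     # \x..\x hex literal
            end = pat.find("\\x", i + 2)
            digits = pat[i + 2:end]
            if end < 0 or len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", digits):
                raise ValueError("hex literal must be \\x, an even number of hex digits, \\x")
            lit, i = lit + len(digits) // 2, end + 2
        elif c == "\\":                                  # escaped special char, e.g. \.
            lit, i = lit + 1, i + 2
        elif c in ".|[(?*+":                             # a wildcard element starts here
            if c in "?*+":                               # bare quantifier: previous char only
                if lit == 0:
                    raise ValueError(f"'{c}' needs a preceding character or (group)")
                lit, i, j = lit - 1, i - 1, i + 1        # that char is no longer fixed
            else:
                j = i + 1 if c in ".|" else _group_end(pat, i, c, "]" if c == "[" else ")")
                q = re.match(r"[?*+]|\{\d+(,\d+)?\}", pat[j:])   # optional quantifier
                j += q.end() if q else 0
            if lit:
                toks.append(("lit", lit))
            toks.append(("wild", pat[i:j]))
            lit, i = 0, j
        else:
            lit, i = lit + 1, i + 1
    if lit:
        toks.append(("lit", lit))
    return toks

def lint(pat: str) -> list:
    """Return the problems found; an empty list means the pattern passes the documented rules."""
    problems = []
    if len(pat) > MAX_PATTERN_LEN:
        problems.append(f"{len(pat)} chars exceeds {MAX_PATTERN_LEN}: split it and AND the conditions")
    try:
        lits = [n for kind, n in tokenize(pat) if kind == "lit"]
    except ValueError as err:
        return problems + [str(err)]
    if max(lits, default=0) < MIN_ANCHOR:
        problems.append(f"no fixed string of at least {MIN_ANCHOR} bytes to anchor on")
    for a, b in zip(lits, lits[1:]):                     # literals on both sides of a wildcard
        if a < MIN_ANCHOR and b < MIN_ANCHOR:
            problems.append(f"strings of {a} and {b} bytes separated by a wildcard element")
    return problems
```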
3. Next, you'll need to click the Signatures tab. We will cover combination signatures in a later example. For now, leave it at Standard. Click Add at the bottom of the window to bring up the Standard window.
4. We start by giving this signature a name. This example will only have one condition; therefore we can ignore the Ordered Condition Match setting. Also, we only want to alert on a single transaction and not the full session, so we will leave the scope at Transaction. Finally, click Add And Condition.
5. Since we're looking for the exact value of 404, choose Equal To from the Operator drop-down menu. You'll notice that the entries in the Context drop-down depend on your Operator selection. If, for example, you were to choose the operator Pattern Match, it would contain contexts based on a pattern, not an integer. Knowing this, select the http-rsp-code context from the Context drop-down menu. Next, enter 404 in the Value field.
6. The completed condition should look like figure 6. Click OK on each of the signature windows, commit, and test your new signature.
3. Fill in the Signature Name field and leave the scope as Transaction. We only have one condition, so we can leave Ordered Condition Match alone. Click Add And Condition.
4. Choose Pattern Match as the operator, then find file-flv-body from the Context drop-down, and enter the pattern we found earlier with \x before and after the pattern to indicate we're matching hexadecimal. (See Figure 4 below.)
5. Click OK on each of the signature windows, commit, and test your new signature.
1. Create a new Custom Vulnerability Signature and fill out the needed fields in the Configuration tab.
2. Go to the Signatures tab, leave Standard selected and click Add to bring up the Standard window.
3. Enter a signature name and leave the scope as Transaction; again we only have one condition, so the Ordered Condition Match setting can be ignored.
4. Click Add And Condition for the condition window to open. Here, choose Pattern Match from the Operator drop-down menu since we're matching on a string. Select http-req-uri-path from the Context drop-down menu and enter the pattern wp\-login\.php (without the quotes, as seen in figure 4). We escape the - and . characters with backslashes since they're special characters in the regex library and we want a literal match on them.
5. Last, we're going to click Add on the condition window from step 4 to add a qualifier to the signature. Choose http-method as the qualifier and set the value to POST. This way, our pattern only matches if it's found inside of an HTTP POST message.
1. Create a new custom signature and fill out the needed fields in the Configuration tab.
2. Click the signature tab, choose Combination and click Add And Condition.
3. In the condition window, you first name the condition. Then choose the threat ID that will be used. Here we chose Threat ID 42100, which is the WordPress login signature we created in the last example.
4. Click the Time Attribute tab. These settings are what make this a combination signature. We can monitor the matches on this signature and only alert or drop if the number of hits reaches our maximum value within our defined number of seconds. You'll also want to choose your Aggregation Criteria.
5. Click OK on each of the signature windows, commit, and test the signature.
Context Qualifiers
Table 1: FTP Command Qualifiers
FTP command qualifiers can be added to custom signatures that use FTP-related contexts to limit a match condition to specific FTP commands.
ABOR, ACCT, ALLO, APPE, AUTH, CDUP, CWD, DELE, EHLO, ERPT, HELO, LIST, MDTM, MKD, MODE, NLIST, OPTS, PASS, PASV, PBSZ, PORT, PWD, QUIT, REIN, REST, RETR, RMD, RNFR, RNTO, SITE, SIZE, SMNT, STAT, STOR, STOU, STRU, SYST, TEST, TYPE, UNKNOWN_COMMAND, UNLOCK, USER, XCRC, XMD5, XSHA1
Table 2: FTP Vendor ID Qualifiers
EASY_FILE_SHARING_FTP, FILE_COPA_FTP, FREEFTPD, MICROSOFTFTP, NETTERM, SERV_U, UNKNOWN_FTP_SERVER, VSFTPD, WARFTPD, WS_FTP
Table 3: HTTP Header Field Qualifiers
AUTHORIZATION, CONTENT_ENCODING, CONTENT_LENGTH, CONTENT_TYPE, HOST, IF_MOD_SINCE, SUBSCRIBE_HDR, TRANSFER_ENCODING, UNKNOWN_HDR, X_FORWARD_FOR
Table 4: HTTP Method Qualifiers
BDELETE, BITS_POST, BMOVE, BPROPFIND, BPROPPATCH, CCM_POST, COPY, DELETE, GET, HEAD, LINK, LOCK, MOVE, NOTIFY, OPTIONS, POLL, POST, PROPFIND, PROXY_SUCCESS, PUT, RPC_CONNECT, SEARCH, SMS_POST, SOURCE, TRACE, TRACK, UNKNOWN_METHOD, UNLINK, UNLOCK, UNSUBSCRIBE
Table 5: IMAP Command Qualifiers
AUTHENTICATE, CAPABILITY, CHECK, CLOSE, COPY, CREATE, EXAMINE, EXPUNGE, FETCH, FIND, IDLE, LIST, LSUB, NOOP, RENAME, SEARCH, SELECT, STARTTLS, SUBSCRIBE, UNKNOWN_COMMAND, UNSUBSCRIBE
Table 6: RTSP Method Qualifiers
DESCRIBE, GET_PARAMETER, OPTIONS, PAUSE, RECORD, REDIRECT, SET_PARAMETER, SETUP, TEAR_DOWN, UNKNOWN_METHOD
Table 7: SMTP Method Qualifiers
BDAT, DATA, EHLO, HELO, MAIL, QUIT, RSET, SAML, SEND, SOML, STARTTLS, UNKNOWN_CMD, VRFY, XEXCH50, XEXPS, XLINK2STATE, XTELLMAIL
Revision History
Date: April 22, 2015; Revision: B; Comment: Added information in the Common Regex Syntax Errors section that states that when writing a custom application signature, the application decoder may or may not be case-sensitive for a given field, depending on the decoder that the firewall uses.
Comment: The first release of this document.