Sunday, July 1, 2012

Palo Alto Firewalls Creating a Custom App-ID

This post was written against PAN-OS 3.1.x, but the process should be the same for 4.x.

Take a packet capture of the traffic you want an App-ID signature for. This example is a Flash video served over HTTP.

Note: the Follow TCP Stream feature in Wireshark is handy for reading the HTTP headers as plain text.
(The screenshot that was here showed a different set of headers than the one the example below is based on.)
Look through the capture for header fields that stay the same regardless of the client's browser or operating system (the Host header and the requested path, for example) and build the signature from those. Fields that vary per client, such as User-Agent or Accept-Language, make a brittle signature.


Go to the Objects tab > Applications and click New...
Give the application a name and set its properties and characteristics.
Go to the Advanced tab and set at least the Defaults and the Engine.
Go to the Signatures tab and click New...
Give the signature a name.
Add an And condition, and inside it an Or condition, for each item you want to match on (each pattern must be at least 7 bytes long, roughly 7 characters; the firewall will not accept shorter ones).
In this example I'll use the http-req-params and http-req-host-header contexts. These match the GET line and the Host line of the request header sent from the client to the server, looking for the values you supply.

Remember to escape periods with a backslash (for example, media\.example\.com); an unescaped period is a regex wildcard and will match any character.
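The header-selection and pattern-building steps above can be checked before you touch the GUI. The script below is an added example, not Palo Alto code and not from the original post: it parses two constructed HTTP requests for the same video from two different browsers, reports which fields are identical across both captures, escapes the stable values for the two contexts named in the post, and rejects anything shorter than the 7-byte minimum. The sample requests are made up, and escaping regex metacharacters other than the period with a backslash is an assumption on my part.

```python
"""Pick stable header fields from captured HTTP requests and turn them into
PAN-OS custom App-ID pattern conditions. Added example, not Palo Alto code."""
import re

# PAN-OS rejects pattern-match conditions shorter than this many bytes.
MIN_PATTERN_BYTES = 7

# Signature contexts used in the post. Assumption: the Host header value goes
# to http-req-host-header and the request URI from the GET line to http-req-params.
CONTEXT_FOR_FIELD = {
    "host": "http-req-host-header",
    "request-uri": "http-req-params",
}

# Constructed sample captures (not a real pcap): the same Flash video fetched
# from Firefox on Windows and from Chrome on a Mac.
SAMPLE_REQUESTS = [
    "GET /player/video1234.flv HTTP/1.1\r\n"
    "Host: media.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "\r\n",
    "GET /player/video1234.flv HTTP/1.1\r\n"
    "Host: media.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 Chrome/20.0.1132.47\r\n"
    "Accept: */*\r\n"
    "Accept-Language: de-DE,de;q=0.8\r\n"
    "\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into fields. Header names are lower-cased; the
    request line is stored under the synthetic keys 'method' and 'request-uri'."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    fields = {"method": method, "request-uri": uri}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        fields[name.strip().lower()] = value.strip()
    return fields


def static_fields(requests):
    """Return only the fields whose value is identical in every capture.
    Anything that differs between clients (User-Agent, Accept-Language) drops out."""
    parsed = [parse_request(r) for r in requests]
    common = set(parsed[0])
    for p in parsed[1:]:
        common &= set(p)
    return {k: parsed[0][k] for k in sorted(common)
            if all(p[k] == parsed[0][k] for p in parsed)}


_META = re.compile(r"([.?*+|()\[\]{}^$\\])")


def escape_pattern(value):
    """Escape the period with a backslash so it matches literally. Assumption:
    the other regex metacharacters are escaped the same way."""
    return _META.sub(r"\\\1", value)


def build_conditions(requests):
    """Produce (context, pattern) pairs for the fields the post matches on, and
    refuse any literal shorter than the 7-byte minimum before it reaches the GUI."""
    stable = static_fields(requests)
    conditions = []
    for field, context in CONTEXT_FOR_FIELD.items():
        if field not in stable:
            continue  # varies between clients; not a safe thing to match
        literal = stable[field]
        if len(literal.encode()) < MIN_PATTERN_BYTES:
            raise ValueError(
                f"{context}: {literal!r} is shorter than {MIN_PATTERN_BYTES} bytes")
        conditions.append((context, escape_pattern(literal)))
    return conditions


if __name__ == "__main__":
    print("Fields identical across all captures:")
    for name, value in static_fields(SAMPLE_REQUESTS).items():
        print(f"  {name}: {value}")
    print("Conditions to enter in the Signatures tab:")
    for context, pattern in build_conditions(SAMPLE_REQUESTS):
        print(f"  {context}  ->  {pattern}")
```

Running it lists method, request-uri, host and accept as stable, drops the two per-browser headers, and prints the escaped host and URI patterns ready to paste into the Or conditions. Feed it more captures from more client types and the stable set only shrinks, which is the point of the exercise.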



I don't remember where I found this, but it's very helpful:
Field/context definition for custom App and Threat Signatures

Edit: Here's a much nicer guide Palo Alto made for 5.X
https://live.paloaltonetworks.com/servlet/JiveServlet/previewBody/5534-102-5-16683/Creating_Custom_Signatures-RevA.pdf
