Source: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/threat-signatures
There are three types of Palo Alto Networks threat signatures, each designed to detect different types of threats as the firewall scans network traffic:
- Antivirus signatures—Detect viruses and malware found in executables and file types.
- Anti-spyware signatures—Detect command-and-control (C2) activity, where spyware on an infected client is collecting data without the user's consent and/or communicating with a remote attacker.
- Vulnerability signatures—Detect system flaws that an attacker might otherwise attempt to exploit.
A signature's severity indicates the risk of the detected event, and a signature's default action (for example, block or alert) is how Palo Alto Networks recommends that you enforce matching traffic.
You must Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to tell the firewall what action to take when it detects a threat, and you can easily use the default security profiles to start blocking threats based on Palo Alto Networks recommendations. You can then modify these profiles or create new ones to enforce potential threats more granularly, per signature type, per category, and even per specific signature.
The following table lists all possible signature categories by type—Antivirus, Spyware, and Vulnerability—and includes the content update (Applications and Threats, Antivirus, or WildFire) that provides the signatures in each category. You can also go to the Palo Alto Networks Threat Vault to Learn More About Threat Signatures.
| THREAT CATEGORY | CONTENT UPDATE THAT PROVIDES THESE SIGNATURES | DESCRIPTION |
|---|---|---|
| Antivirus Signatures | | |
| apk | Antivirus; WildFire or WildFire Private | Malicious Android application (APK) files. |
| dmg | Antivirus; WildFire or WildFire Private | Malicious Apple disk image (DMG) files, used with Mac OS X. |
| flash | Antivirus; WildFire or WildFire Private | Adobe Flash applets and Flash content embedded in web pages. |
| java-class | Antivirus | Java applets (JAR/class file types). |
| macho | Antivirus; WildFire or WildFire Private | Mach object files (Mach-O) are executables, libraries, and object code native to Mac OS X. |
| office | Antivirus; WildFire or WildFire Private | Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX). |
| openoffice | Antivirus; WildFire or WildFire Private | Office Open XML (OOXML) 2007+ documents. |
| pdf | Antivirus; WildFire or WildFire Private | Portable Document Format (PDF) files. |
| pe | Antivirus; WildFire or WildFire Private | Portable executable (PE) files can execute automatically on a Microsoft Windows system and should be allowed only when authorized. These file types include: |
| pkg | Antivirus; WildFire or WildFire Private | Apple software installer packages (PKGs), used with Mac OS X. |
| Spyware Signatures | | |
| adware | Applications and Threats | Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages; these links redirect users to advertising websites. Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system. Newly released protections in this category are rare. |
| autogen | Antivirus | These payload-based signatures detect command-and-control (C2) traffic and are automatically generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly. |
| backdoor | Applications and Threats | Detects a program that allows an attacker to gain unauthorized remote access to a system. |
| botnet | Applications and Threats | Indicates botnet activity. A botnet is a network of malware-infected computers ("bots") that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (like launching a DoS attack, for example). |
| browser-hijack | Applications and Threats | Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users' web activity and send this information to a C2 server. Newly released protections in this category are rare. |
| data-theft | Applications and Threats | Detects a system sending information to a known C2 server. Newly released protections in this category are rare. |
| dns | Antivirus | Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes. |
| dns-wildfire | WildFire or WildFire Private | Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes. |
| keylogger | Applications and Threats | Detects programs that allow attackers to secretly track user activity by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically send logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access. |
| networm | Applications and Threats | Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems. |
| phishing-kit | Applications and Threats | Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages. |
| post-exploitation | Applications and Threats | Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system's usefulness in further compromising the network. |
| web shell | Applications and Threats | Detects systems that are infected with a web shell. A web shell is a script that enables remote administration of a web server; attackers can use web shell-infected web servers (which can be either internet-facing or internal systems) to target other internal systems. |
| spyware | Applications and Threats | Detects outbound C2 communication. These signatures are either auto-generated or manually created by Palo Alto Networks researchers. Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly. |
| Vulnerability Signatures | | |
| brute force | Applications and Threats | A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server. You can tune the action and trigger conditions for brute force signatures. |
| code execution | Applications and Threats | Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user. |
| code-obfuscation | Applications and Threats | Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it's not apparent what commands the code is executing or with which programs it's designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy or intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage. |
| dos | Applications and Threats | Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access. |
| exploit-kit | Applications and Threats | Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs. When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim's computer. |
| info-leak | Applications and Threats | Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak exists because comprehensive checks to guard the data are missing, and attackers can exploit info-leaks by sending crafted requests. |
| overflow | Applications and Threats | Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server, or operating system. |
| phishing | Applications and Threats | Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages. |
| protocol-anomaly | Applications and Threats | Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, a poorly written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools. It is a best practice to block protocol anomalies of any severity. |
| sql-injection | Applications and Threats | Detects a common hacking technique where an attacker inserts SQL queries into an application's requests in order to read from or modify a database. This technique is often used on websites that do not comprehensively sanitize user input. |
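The brute-force row above describes a signature that fires on a count of occurrences within a time frame, with tunable trigger conditions and action. The following added example (not PAN-OS code, and not how the firewall implements its signatures) illustrates that idea as a sliding-window detector run over constructed FTP login log lines; the log format, the `threshold`/`window_seconds` knobs, and the `block` action label are assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real firewall output): FTP login results
# with the client source IP. One source fails five times in six seconds.
SAMPLE_LOG = """\
2024-01-01T10:00:00 ftp login FAILED user=alice src=10.0.0.5
2024-01-01T10:00:02 ftp login FAILED user=alice src=10.0.0.5
2024-01-01T10:00:03 ftp login FAILED user=bob src=10.0.0.5
2024-01-01T10:00:05 ftp login FAILED user=root src=10.0.0.5
2024-01-01T10:00:06 ftp login FAILED user=admin src=10.0.0.5
2024-01-01T10:00:40 ftp login FAILED user=carol src=10.0.0.9
2024-01-01T10:01:30 ftp login OK user=carol src=10.0.0.9
2024-01-01T10:07:00 ftp login FAILED user=dave src=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) ftp login (FAILED|OK) user=(\S+) src=(\S+)$")


def detect_brute_force(log_text, threshold=5, window_seconds=60, action="block"):
    """Return a list of (src, first_failure, last_failure, action) alerts.

    An alert is raised as soon as one source accumulates `threshold` FAILED
    logins inside any `window_seconds` span (sliding window). A single
    failure never alerts; only the rate does. threshold and window_seconds
    stand in for the tunable trigger conditions, action for the tunable
    response (assumed names, not PAN-OS configuration keys).
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login results
        ts_text, result, _user, src = m.groups()
        if result != "FAILED":
            continue
        ts = datetime.fromisoformat(ts_text)
        recent = failures[src]
        recent.append(ts)
        # Expire failures that fell out of the window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((src, recent[0].isoformat(), ts.isoformat(), action))
            recent.clear()  # one burst produces one alert
    return alerts
```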