This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Palo Alto Networks Custom Signatures


I work with PAN products doing pro services. I have been really trying to correlate the Palo Alto context for custom signatures and what we find in Wireshark Display filters. Being somewhat new to this whole process, I thought I'd post a question here and see where it goes. My apologies if this is not the correct forum for this type of question.

What I am trying to do is to understand how a Palo Alto context matches with something you would find decoded or dissected by Wireshark (I assume decoder and dissector are synonymous?).

So, as an example, I want to write a PAN Custom Signature. I obtain a packet capture. I can dig through and find some unique field or string I want to match on. Then the real work, or the real question, is: how do I relate that to what Palo Alto defines as context? They have documentation that roughly equates to something you may see in Wireshark.

For example, an integer context defined by Palo Alto would be something such as dnp3-req-object-type.

I can find nothing that really matches in a display filter. Unless I have Palo Alto's reference material and some clue as to where I may find this integer, I really don't see how else I would create a custom signature.

I type dnp3. in the Wireshark display filter and I get a possible list of filters that might get me to the field or value I am looking for. But these references don't match anything near what PAN is suggesting.

Perhaps there is a reason PAN just doesn't use the same filter syntax or perhaps I'm not getting something.

Does anybody have experience writing custom sigs with PANOS?

Thanks in advance

asked 01 Dec '16, 12:15

dlammon

edited 01 Dec '16, 13:48

Guy Harris ♦♦


One Answer:


The Wireshark display filter strings are essentially random, added as a dissector author's personal preference with little if any reference to external standards. Certainly that's the case with dnp3, where I personally added a lot of those fields and I used abbreviations that made sense to me.

Note also that these field names may change at any point in time if a dissector is modified, although we don't like changing them as it causes issues for users with previously prepared filters.

As to what PAN use for the context names, unless they religiously track what the fields are in Wireshark dissectors, I think any correlation with Wireshark is just coincidence.

answered 02 Dec '16, 02:48

grahamb ♦

Thank you for the response; it makes total sense. For me I guess it's a matter of just correlating what PAN uses with something I can find in a packet trace. Paying "attention" (for me) is probably the operative word :-) It is good to know also that if some field can be used to match something with a Palo Alto signature, at some point in time it may not, if the dissector changes.

(02 Dec '16, 06:15) dlammon
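The answer's point is that a Wireshark field abbreviation is just a label a dissector author picked, so the reliable way to relate a vendor's context to a capture is to go back to the protocol itself and find the integer on the wire. The following is an added example, not code from the thread, from Wireshark or from Palo Alto Networks. It builds a constructed DNP3 class-data poll (master address 1 to outstation 10, not a real capture), validates and strips the data-link CRCs, and walks the application-layer object headers to recover the function code and each object's group/variation pair, which is the "object type" integer of a DNP3 request. How PAN encodes that integer in its dnp3-req-object-type context is not something this thread establishes; the example only shows where the value lives in the packet.

```python
"""Parse a DNP3 request frame down to its application-layer object headers.

Constructed example (not a real capture): a class-data poll, i.e. a READ of
groups 60/2, 60/3, 60/4 and 60/1, from master 1 to outstation 10.
"""
import struct


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Wrap transport+application data in a DNP3 data-link frame with CRCs.

    LEN counts control, dest, src and user data (5 + len(user_data)); CRCs are
    excluded. User data is sent in 16-byte blocks, each followed by its CRC,
    with the CRC transmitted low byte first."""
    header = struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(user_data), ctrl, dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def strip_crcs(frame: bytes):
    """Validate every data-link CRC and return (ctrl, dest, src, user_data)."""
    if frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start bytes 0x05 0x64")
    length, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(frame[:8]):
        raise ValueError("data-link header CRC mismatch")
    user_len = length - 5
    user = bytearray()
    pos = 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError(f"user-data CRC mismatch at offset {pos}")
        user += block
        pos += n + 2
    return ctrl, dest, src, bytes(user)


# Size in bytes of the range field implied by the low nibble of the qualifier.
# 0-2: start/stop index, 3-5: start/stop absolute address, 6: all objects,
# 7-9: object count, 0xB: count of variable-length objects.
RANGE_SIZE = {0: 2, 1: 4, 2: 8, 3: 2, 4: 4, 5: 8, 6: 0, 7: 1, 8: 2, 9: 4, 0xB: 1}


def parse_request(frame: bytes) -> dict:
    """Return addresses, function code and (group, variation) per object header.

    Only single-fragment requests are handled, and only the object headers are
    walked; object payloads that follow a header (e.g. in WRITE or SELECT)
    are not decoded here."""
    ctrl, dest, src, user = strip_crcs(frame)
    transport = user[0]
    if not (transport & 0x80 and transport & 0x40):   # FIR and FIN both set
        raise ValueError("multi-fragment transport segment not handled")
    func = user[2]                                     # user[1] is app control
    objects = []
    pos = 3
    while pos < len(user):
        group, variation, qualifier = user[pos], user[pos + 1], user[pos + 2]
        size = RANGE_SIZE.get(qualifier & 0x0F)
        if size is None:
            raise ValueError(f"unsupported qualifier 0x{qualifier:02x}")
        objects.append((group, variation))
        pos += 3 + size
    return {"dest": dest, "src": src, "function": func, "objects": objects}


# Constructed user data: transport FIR|FIN seq 0, app FIR|FIN seq 0, READ (0x01),
# then four object headers with qualifier 0x06 (all objects, no range field).
CLASS_POLL = bytes([0xC0,
                    0xC0, 0x01,
                    60, 2, 0x06, 60, 3, 0x06, 60, 4, 0x06, 60, 1, 0x06])
# Control 0xC4: DIR=1 (from master), PRM=1, function 4 = unconfirmed user data.
FRAME = build_frame(0xC4, 10, 1, CLASS_POLL)

if __name__ == "__main__":
    print(FRAME.hex())
    print(parse_request(FRAME))
```

Writing the constructed frame to a pcap and opening it in Wireshark lets you see which display-filter field the dissector happens to attach to these same bytes; `tshark -G fields` lists every registered field name, which is the authoritative way to check a dnp3.* abbreviation for the Wireshark version you run, rather than assuming it matches a vendor's context name.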