Convert Rules Using the Panorama CLI


Use the Panorama CLI to convert IPS rules in custom PAN-OS® threat signatures.
In addition to the web interface, you can use the command-line interface (CLI) to convert Snort and Suricata rules into custom PAN-OS® threat signatures. This example uses the following Snort rule:
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )
You cannot convert rule files through the CLI; the CLI accepts one rule per command. If you want to convert a file with multiple rules in it, use the Panorama web interface.
The CLI Quick Start contains additional CLI commands.
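Step 1 below asks for the rule Base64-encoded with no line breaks, and step 2 then takes that single token as the `b64-encode` argument. The following shell helper is an added example, not code from the Palo Alto Networks documentation: it joins backslash continuations and strips CR/LF from a single rule (the walkthrough's rule, constructed here with a line break), encodes it without the 76-column wrapping that plain `base64` applies, verifies the round trip, and prints the step 2 command ready to paste. It assumes a POSIX shell with awk, sed, tr and coreutils `base64 -d` (Linux); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks documentation. Flattens a single
# Snort/Suricata rule and Base64-encodes it for
#   request plugins ips-signature-converter convert b64-encode <base64_encoded_rule>
# Assumes a POSIX shell with awk, sed, tr and coreutils base64 (Linux).

# Constructed sample: the rule from the walkthrough, split with a backslash
# continuation the way rules are often copied out of a .rules file.
SAMPLE_RULE='alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; \
content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )'

# Join continuation lines, strip CR/LF, squeeze runs of blanks into one space.
# (Tabs inside content strings are squeezed too; keep that in mind for rules
# that rely on them.)
flatten_rule() {
    printf '%s\n' "$1" \
      | awk '{ sub(/\r$/, ""); sub(/[ \t]*\\$/, ""); printf "%s ", $0 }' \
      | tr -s ' \t' ' ' \
      | sed 's/^ //; s/ $//'
}

# Base64 on one line. Plain `base64` wraps at 76 columns, and any embedded
# newline makes the converter's b64-encode argument fail.
encode_rule() {
    flatten_rule "$1" | tr -d '\n' | base64 | tr -d '\n'
}

decode_rule() {
    printf '%s' "$1" | base64 -d
}

# The Panorama CLI line for step 2, ready to paste.
convert_command() {
    printf 'request plugins ips-signature-converter convert b64-encode %s\n' "$(encode_rule "$1")"
}

# Returns 0 if the encoding is a single Base64 token that decodes back to the
# flattened rule; 1 otherwise.
check_encoding() {
    enc=$(encode_rule "$1")
    case "$enc" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "$(decode_rule "$enc")" = "$(flatten_rule "$1")" ]
}

# Usage: sh encode_rule.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_encoding "$SAMPLE_RULE" && convert_command "$SAMPLE_RULE"
fi
```

The round-trip check is worth keeping: a rule that was encoded with a stray newline decodes fine but still fails at the converter, so comparing the decoded text against the flattened rule catches a wrapped or multi-line token before it is pasted into the Panorama CLI.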
  1. Encode the rule in Base64 format.
    You can do this using a free, browser-based tool or a local command-line encoder.
    Before encoding the rule, ensure there are no line breaks. Otherwise, the line breaks are encoded and cause the rule conversion in the subsequent step to fail.
  2. Convert the encoded rule:
    admin@demo-panorama-vm> request plugins ips-signature-converter convert b64-encode <base64_encoded_rule>
    
    LINE# TITLE                    RESULT     TYPE        CONVERTER_MSG
    1     Converted_MALWARE-       Succeed    Plain       None
          BACKDOOR -
          Dagger_1.4.0_105
    
    Summary: Total:1, Succeed:1, Warnings:0, Existing Coverage:0, Duplicated:0, Failed:0
  3. (Optional) Change the signature type.
    If your signature is for protection against spyware, set the type to spyware so that Panorama imports it as an Anti-Spyware signature. Otherwise, rules are converted as vulnerability signatures by default.
    admin@demo-panorama-vm> request plugins ips-signature-converter set-properties signature-type <vulnerability/spyware> lines <line_number>
    
    LINE# TITLE                               SIG_TYPE      ACTION     SEVERITY
    1     Converted_MALWARE-BACKDOOR -        spyware       alert      low
          Dagger_1.4.0_105
  4. Import the signature to Panorama:
    admin@demo-panorama-vm> request plugins ips-signature-converter import-custom-signatures device-group <device_group> lines <line_number>
    
    LINE# TITLE                           THREAT_ID STATUS  DETAIL
    1     Converted_MALWARE-BACKDOOR -    16002     Success Import Succeeded
          Dagger_1.4.0_105
    If you do not specify a device-group, Panorama imports the signature to the Shared location.
  5. Commit your changes to Panorama:
    admin@demo-panorama-vm# commit
    
    Commit job 707 is in progress. Use Ctrl+C to return to command prompt
    ...23%.59%80%.......90%.....100%
    Configuration committed successfully
    
  6. Push the signatures to a device group:
    admin@demo-panorama-vm> commit-all shared-policy device-group <device_group>
    
    Job enqueued with jobid 709
    709
  7. Log in to a firewall in the device group that you specified in the previous step to verify that the push succeeded:
    admin@PA-3220# show threats <vulnerability/spyware> <threat_id>
    spyware {
      16002 {
        signature {
          standard {
            ips_converted_pattern {
              and-condition {
                "And Condition 1" {
                  or-condition {
                    "Or Condition 1" {
                      operator {
                        pattern-match {
                          pattern "2\x00 00 00 06 00 00 00\xDrives\x24 00\x";
                          context tcp-context-free;
                          negate no;
                        }
                      }
                    }
                  }
                }
              }
              order-free no;
              scope session;