topic Re: Where to check Threat IDs? in Next-Generation Firewall Discussions

Where to check Threat IDs?

tinhnho — Fri, 06 Dec 2024 15:34:24 GMT

Hi Guys,

I was reading this article https://security.paloaltonetworks.com/CVE-2024-0012.

Per the article, 'Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,'

I have Threat Prevention subscription. Where do I check Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 to see if they're set to block mode?

How do I set them to block mode if they aren't set to block mode?

Thanks.

Re: Where to check Threat IDs?

Adrian_Jensen — Fri, 06 Dec 2024 16:43:55 GMT

The Apps&Threats signatures generally show up under your Anti-Virus, Anti-Spyware, or Vulnerability Protection profiles (depending on the threat type), if your have a Threat Prevention license. You can also check the type and default status from Threat Vault (https://threatvault.paloaltonetworks.com/).

Go to Objects -> Security Profiles -> Vulnerability Protection and select the profile that you are using for filtering traffic (must be applied under Actions of the Security Policies you are using to filter inbound/outbound traffic). Click the Exceptions tab and then check the 'Show all signatures" box at the bottom (only exceptions to default signatures show by default). Scroll or use the filter box to find the relevant signature.

Note that not all the indicated signatures are block by default as they may be more generic in detection. Default settings:

ID - Severity/Action

95746 - Low/Alert

95747 - Critical/Reset-server

95752 - Critical/Reset-server

95753 - Medium/Alert

95759 - Critical/Reset-server

95763 - Critical/Reset-server

To change a signature action under a profile, select the signature in the Exceptions tab and click the "Enable" box. Enter an exempt IP, change the Action, or change the Packet Capture settings to your desired setting and click OK/Commit. If you have multiple Security Profiles for different Security Policies, you will have to change each relevant one.

Re: Where to check Threat IDs?

tinhnho — Wed, 11 Dec 2024 17:54:38 GMT

Hi, Thanks for the comment.

For the ID 95746 (low/alert) , under 'IP Address Exemptions', what IP address do i need to put there?

Since the default is alert, what action do I need here? Drop?

Re: Where to check Threat IDs?

Adrian_Jensen — Wed, 11 Dec 2024 18:35:59 GMT

If you put any IPs in the "IP Address Exemptions" list (click the empty box to enter), those IPs will be excluded from that signature detection and will not trigger (either source or destination). So, for example, if you had a server that regularly triggered a false positive for a ColdFusion exploit signature (when your server didn't even have ColdFusion installed) and you want to ignore that, but not disable the signature for other devices, you could enter the server IP under Exemptions. That particular server would no long trip that signature, but all other devices still would.

The 95746 signature is more generic (may trigger on far more than just CV-2024-0012), so PA has decided to make it low-severity and alert only. If you want to change it to immediately kill the connection, you can change the action to any of the following:

Reset Server - Sends a TCP reset to the server to kill the session
Rest Client - Sends a TCP reset the the client to kill the session
Reset Both - Sends TCP resets to both sides of the session
Drop - Drops all further packets in the session
Block - Blocks further packets from the source/destination (*don't really know anything about this, never seen it used)

You would probably want to Reset Both or Reset Server to ensure the existing session is cancelled and the server does not try to parse a partial packet reception. See the documentation on the various options here:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-security-profiles/actions-in-security-profiles