https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19148#M488 <HTML><HEAD></HEAD><BODY><P>SRA, we tried your suggestion but met with only limited success.&nbsp; Here's the experiment we did:</P><P></P><P>Our firewall guy created a custom application which identified the initial connection attempt by Acunetix based on the signatures that the Acunetix CTO gave us.</P><P></P><P>I then downloaded a free, community edition of Acunetix, version 8, and ran a scan against a URL which resides behind our firewall.</P><P></P><P>The result was this: Palo Alto firewall noticed the signature present in the first couple of packets and, so, blocked those packets. Subsequent packets (from the same source IP), which lacked these signatures, were not identified as part of the banned application and were allowed through.</P><P></P><P> Is there some we can create a DDoS trigger that can block the originating IP? Etc. What can we do about this? Please advise.</P><P></P><P>Thank you again,</P><P>Dovid</P></BODY></HTML> Wed, 24 Jul 2013 19:22:57 GMT wolkenfeld 2013-07-24T19:22:57Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19145#M485 <HTML><HEAD></HEAD><BODY><P>Dear PAN Developers,</P><P></P><P>Several times now a developer on our side has reported to us from monitoring tools he manages that people have scanned our critical applications with a freely available Web Application Vulnerability scanner from Acunetix.</P><P></P><P>Our CSO contacted the CTO of Acunetix asking how can we could fingerprint their scanner so as to protect our applications from it. Their CTO wrote this:</P><P></P><P>"<SPAN style="font-size: 10pt; line-height: 1.5em;">About blocking the attack: </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">I don't know exactly what edition was used to scan your website. </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">Some of our editions send the following header with each request: </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">Acunetix-Scanning-agreement:Third Party Scanning PROHIBITED </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">Check if you can see this header and block based on that.</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">However, if they are using a Consultant edition, this header is not sent.</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">All editions are making a request to the following URL before starting the scan: </SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"><A class="jive-link-external-small" href="http://">http://</A><SPAN>{website}/acunetix-wvs-test-for-some-inexistent-file. </SPAN></SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">So, you can also look for that."</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Please let me know if, based on this information, you can create for us a method by which to finger print and (dynamically) filter traffic from this scanner in the future. Our current countermeasure - waking up our network engineers and having them manually add the source IP of the scanner (which varies with each attack) - is time consuming...</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Thank you so much</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Dovid<BR /></SPAN></P></BODY></HTML> Tue, 23 Jul 2013 16:21:01 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19145#M485 wolkenfeld 2013-07-23T16:21:01Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19146#M486 <HTML><HEAD></HEAD><BODY><P>You can build a custom vulnerability or app signature to identify this traffic. To match on patterns in http request headers, you can use the http-req-headers context, and for matching patterns in URL you can use http-req-uri-path context.</P></BODY></HTML> Tue, 23 Jul 2013 20:44:16 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19146#M486 SRA 2013-07-23T20:44:16Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19147#M487 <HTML><HEAD></HEAD><BODY><P>Thank you SRA, I have communicated your response to our firewall manager; we'll be in touch...</P></BODY></HTML> Wed, 24 Jul 2013 15:09:10 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19147#M487 wolkenfeld 2013-07-24T15:09:10Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19148#M488 <HTML><HEAD></HEAD><BODY><P>SRA, we tried your suggestion but met with only limited success.&nbsp; Here's the experiment we did:</P><P></P><P>Our firewall guy created a custom application which identified the initial connection attempt by Acunetix based on the signatures that the Acunetix CTO gave us.</P><P></P><P>I then downloaded a free, community edition of Acunetix, version 8, and ran a scan against a URL which resides behind our firewall.</P><P></P><P>The result was this: Palo Alto firewall noticed the signature present in the first couple of packets and, so, blocked those packets. Subsequent packets (from the same source IP), which lacked these signatures, were not identified as part of the banned application and were allowed through.</P><P></P><P> Is there some we can create a DDoS trigger that can block the originating IP? Etc. What can we do about this? Please advise.</P><P></P><P>Thank you again,</P><P>Dovid</P></BODY></HTML> Wed, 24 Jul 2013 19:22:57 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19148#M488 wolkenfeld 2013-07-24T19:22:57Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19149#M489 <HTML><HEAD></HEAD><BODY><P>The entire session should be blocked, not just a few packets; unless the remaining packets are part of a different session. Also, from your original post it seems like the patterns don't appear in the session in all the editions of their product. Can you confirm from a packet capture that the patterns (either a header or URI) are indeed present in the session.</P></BODY></HTML> Wed, 24 Jul 2013 19:40:17 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19149#M489 SRA 2013-07-24T19:40:17Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19150#M490 <HTML><HEAD></HEAD><BODY><P>SRA, thank you for your speedy reply. As the Acunetix CTO stated "<SPAN style="font-size: 10pt; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><STRONG>All</STRONG> editions are making a request to the following URL before starting the scan:</SPAN><SPAN style="font-size: 10pt; font-family: Arial, Helvetica, sans-serif; color: #000000; background-color: #ffffff;"><A class="jive-link-external-small" style="color: #316989; font-style: inherit; font-family: inherit;">http://</A><SPAN style="font-style: inherit; font-family: inherit;">{website}/acunetix-wvs-test-for-some-inexistent-file" </SPAN></SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;">OK, I re-ran an experiment scan after our firewall guy hit "session" in the rule: same results. </SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;">What can we do from here - any ideas?</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;">Thanks again,</SPAN></P><P><SPAN style="color: #000000; font-size: 10pt; font-style: inherit; background-color: #ffffff; font-family: inherit;">Dovid<BR /></SPAN></P></BODY></HTML> Wed, 24 Jul 2013 20:54:47 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19150#M490 wolkenfeld 2013-07-24T20:54:47Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19151#M491 <HTML><HEAD></HEAD><BODY><P>The session vs. transaction option only matters when you have multiple conditions in the signature, and you want all of those be within a single transaction, or they can occur across transactions in a session. Have you taken a packet capture of the session to check if the patterns are indeed exactly the same as you used in the signature.</P></BODY></HTML> Wed, 24 Jul 2013 21:49:14 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19151#M491 SRA 2013-07-24T21:49:14Z https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19152#M492 <HTML><HEAD></HEAD><BODY><P>Pardon me for the late reply, please; yes, we took a packet capture and have uploaded this capture to our ticket (ticket #: <SPAN style="color: #333333; font-family: Arial, Helvetica, sans-serif; font-size: 10.909090995788574px; background-color: #ffffff;">00149001</SPAN>). Please let me know if this will suffice for now, or if there is anything else we can provide you with in helping us develop a filter to test against this scanner.</P><P></P><P>Thank you so much,</P><P>Dovid</P></BODY></HTML> Tue, 06 Aug 2013 20:45:39 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/fingerprinting-acunetix/m-p/19152#M492 wolkenfeld 2013-08-06T20:45:39Z