https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198271#M195 <P>External Dynamic Lists can be used in security policies regardless of directionality.&nbsp; Behavior will vary depending on the type of list.&nbsp; In your case you can specify and IP-based EDLs within the source column of a security policy rule.</P> Thu, 01 Feb 2018 16:57:42 GMT bvandivier 2018-02-01T16:57:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198222#M190 <P>Hello all,</P><P>&nbsp;</P><P>We just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept I will be seeing this scan every day from now on?</P><P>&nbsp;</P><TABLE border="0" cellspacing="0" cellpadding="0"><TBODY><TR><TD><DIV class="x-grid3-cell-inner x-grid3-col-id2">Threat Name</DIV></TD><TD><DIV class="x-grid3-cell-inner x-grid3-col-3">Gh0st.Gen Command and Control Traffic</DIV></TD></TR></TBODY></TABLE><TABLE border="0" cellspacing="0" cellpadding="0"><TBODY><TR><TD><DIV class="x-grid3-cell-inner x-grid3-col-id2">Attacker</DIV></TD><TD><DIV class="x-grid3-cell-inner x-grid3-col-3">66.240.205.34</DIV></TD></TR></TBODY></TABLE><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ShodanScan.PNG" style="width: 500px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/13594iD4E4303CC382DDA8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ShodanScan.PNG" alt="ShodanScan.PNG" /></span></P> Thu, 01 Feb 2018 14:55:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198222#M190 SethArnoff 2018-02-01T14:55:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198265#M193 <P>One suggestion would be to implement Zone Protection and/or DoS Protection to block reconnaissance activity of this nature if you have not already done so.</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085" target="_blank">https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085</A></P> <P>&nbsp;</P> <P>Otherwise, you could implement the use of EDLs in conjunction with an automated feed from somewhere such as Minemeld to dynamically block Shodan activity.</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list</A></P> <P><A href="https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414" target="_blank">https://live.paloaltonetworks.com/t5/MineMeld-Articles/Connecting-PAN-OS-to-MineMeld-using-External-Dynamic-Lists/ta-p/190414</A></P> <P><A href="https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld" target="_blank">https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld</A></P> Thu, 01 Feb 2018 16:30:34 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198265#M193 bvandivier 2018-02-01T16:30:34Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198269#M194 <P>Thank you! The Zone Protection was what I was looking for.</P><P>&nbsp;</P><P>Question on EDL: I have it setup to block Outgoing IP's, but this Shodan scan is Incoming. I'm assuming I can set an EDL to also block Incoming connections by setting the EDL in the Source Address as opposed to Destination?</P><P>&nbsp;</P> Thu, 01 Feb 2018 16:46:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198269#M194 SethArnoff 2018-02-01T16:46:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198271#M195 <P>External Dynamic Lists can be used in security policies regardless of directionality.&nbsp; Behavior will vary depending on the type of list.&nbsp; In your case you can specify and IP-based EDLs within the source column of a security policy rule.</P> Thu, 01 Feb 2018 16:57:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198271#M195 bvandivier 2018-02-01T16:57:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198286#M198 <P>Thank you again!</P> Thu, 01 Feb 2018 17:25:30 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198286#M198 SethArnoff 2018-02-01T17:25:30Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198287#M199 <P>You are very welcome.&nbsp; It was my pleasure.</P> Thu, 01 Feb 2018 17:26:53 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/daily-shodan-scan/m-p/198287#M199 bvandivier 2018-02-01T17:26:53Z