Exceptions aggregation criteria

raji_toor — Mon, 24 Sep 2018 14:33:14 GMT

What does these options for aggregation criteria actually mean when creating exceptions in vulerabilit profile - source, destination or by source and destination.

And also track by IP source and IP source destination

Re: Exceptions aggregation criteria

mivaldi — Wed, 03 Oct 2018 23:19:28 GMT

You are referring to the options that pop up when you click on select Vulnerability signatures that do have a 'Pencil and Paper' icon at the left of the Threat Name entry.

These are special 'Combination' signatures, the way they work is you have a parent and a child signature. Some people refer to them as a witness (for the parent) and event (for the child) signatures.

The idea is that the event(child) based signature is tracking events that by themselves (as isolated events), are not malicious in nature - i.e., login attempts to an SSH server, however, if you see a big number of these events in a very short time, it can be an indication of a brute force attempt. The key concept is the time component. The witness(parent) signature is tracking the n-ocurrences of the event(child) in a specified time window.

Event(Child) signatures do not need to write entries to the Threat logs to be counted by Witness(Parent) signatures. This means that the Parent signature will count ocurrences of the Child signature, even if it is not logging to the Threat Logs (action allow).

The source or source-and-destination aggregation criteria refers to definition of what the witness is counting as events in a given time-window. Going back to our example, if the same source is attempting to log-in using SSH to multiple different destination IP's within the specified time window, and your aggregation criteria is only source, then these events will all count toward the trigger condition of the witness signature, however, if you define it as source-and-destination, you define additional granularity and you'd be instantiating multiple time-windows where the trigger condition that is counted is the n-number of instances where a single source goes to a *specific* destination.

You can read additional details in our "Creating custom application and threat signatures" document available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOFCA0 (See Combination Signatures in Page 65).

There is also additional information on Brute Force signatures available at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC

Re: Exceptions aggregation criteria

raji_toor — Thu, 04 Oct 2018 19:05:26 GMT

@mivaldi That's a nice explanation. So isn't chosing by source only better than selecting source and destination. As doing by source & destiantion it will miss out on the threat if it trying to ssh multiple destinations within that short period and can remain hidden.

And what about destinantion only, which source IP would firewall choose to block.

topic Re: Exceptions aggregation criteria in Advanced Threat Prevention Discussions

Exceptions aggregation criteria

Re: Exceptions aggregation criteria

Re: Exceptions aggregation criteria