https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/500191#M2146 <DIV class="lia-quilt-row lia-quilt-row-message-main"> <DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-main-content"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"> <DIV class="lia-message-body-wrapper lia-component-message-view-widget-body"> <DIV id="bodyDisplay_0" class="lia-message-body"> <DIV class="lia-message-body-content"> <P>Hello and sorry for my poor English.</P> <P>I wrote this question/feedback before <A href="https://live.paloaltonetworks.com/t5/customer-resources/ntp-app-id-enhancement-release-plan/tac-p/498979#M603" target="_self">here</A>, but no one wrote an answer. I decided to share it here as well.</P> <P>&nbsp;</P> <P>We are a member of pool.ntp.org</P> <P>Our time server url is ntp.cbu.edu.tr</P> <P>Beginning May 19th problem appeared on our NTP service. We started getting a lot of bittorrent requests. Of course, requests were denied. However, pool.ntp.org started reporting that we were not responding to ntp requests.</P> <P>We captured the packets that PaloAlto detected as bittorrent. When we examined the packages, we could not see anything other than ntp traffic.</P> <P>As a result, we think that PaloAlto mistakenly detected ntp traffic as bittorrent traffic.</P> <P>If you want to examine it, I'm putting a file here that the packages we capture.</P> <P>&nbsp;</P> <P>Thank you.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Mon, 06 Jun 2022 12:50:48 GMT riza.emet 2022-06-06T12:50:48Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/500191#M2146 <DIV class="lia-quilt-row lia-quilt-row-message-main"> <DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-main-content"> <DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"> <DIV class="lia-message-body-wrapper lia-component-message-view-widget-body"> <DIV id="bodyDisplay_0" class="lia-message-body"> <DIV class="lia-message-body-content"> <P>Hello and sorry for my poor English.</P> <P>I wrote this question/feedback before <A href="https://live.paloaltonetworks.com/t5/customer-resources/ntp-app-id-enhancement-release-plan/tac-p/498979#M603" target="_self">here</A>, but no one wrote an answer. I decided to share it here as well.</P> <P>&nbsp;</P> <P>We are a member of pool.ntp.org</P> <P>Our time server url is ntp.cbu.edu.tr</P> <P>Beginning May 19th problem appeared on our NTP service. We started getting a lot of bittorrent requests. Of course, requests were denied. However, pool.ntp.org started reporting that we were not responding to ntp requests.</P> <P>We captured the packets that PaloAlto detected as bittorrent. When we examined the packages, we could not see anything other than ntp traffic.</P> <P>As a result, we think that PaloAlto mistakenly detected ntp traffic as bittorrent traffic.</P> <P>If you want to examine it, I'm putting a file here that the packages we capture.</P> <P>&nbsp;</P> <P>Thank you.</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Mon, 06 Jun 2022 12:50:48 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/500191#M2146 riza.emet 2022-06-06T12:50:48Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502132#M2147 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42596">@riza.emet</a>&nbsp;,</P> <P>&nbsp;</P> <P>The Community Feedback area is dedicated to questions about the LIVEcommunity.</P> <P>&nbsp;</P> <P>In order to get better traction for your question I've moved it to the VirusTotal discussions area.&nbsp;<SPAN>This area is moderated by the threat team to check signatures and verdicts.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers,</SPAN></P> <P><SPAN>-Kiwi.</SPAN></P> Thu, 09 Jun 2022 09:37:26 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502132#M2147 kiwi 2022-06-09T09:37:26Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502519#M2148 <P>did you get any proper solution for this problem</P> Fri, 10 Jun 2022 06:57:23 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502519#M2148 Jerry748 2022-06-10T06:57:23Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502523#M2149 <P>No, we haven't found it yet. However, we have opened a case to PaloAlto Support for the issue. We're waiting.</P> Fri, 10 Jun 2022 07:12:54 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502523#M2149 riza.emet 2022-06-10T07:12:54Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502771#M2150 <P>Sorry but I don't believe this has anything to do with VirusTotal either. This forum is for non-customers. The Threat and Vulnerability forum may have been a better fit, however, posts in the LIVECommunity expect answers from other Palo Alto Networks customers. If you need a response from Palo Alto Networks Support, the correct avenue for help is filing a Support ticket.</P> Fri, 10 Jun 2022 17:35:36 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502771#M2150 mivaldi 2022-06-10T17:35:36Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502780#M2151 <P>What is your Security policy for the incoming NTP traffic to your server? Are you using Application="ntp" and Service="application-default" in your allow rule? Or are you using a Service="udp_123" or something similar?</P> Fri, 10 Jun 2022 18:22:16 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502780#M2151 Adrian_Jensen 2022-06-10T18:22:16Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502783#M2152 <P>We are using Application="ntp" and Service="application-default" in our allow rule.</P><P>Monitor show some udp-123 traffic "ntp", some udp-123 traffic "bittorrent". As expected bittorrent blocked but they are actually ntp.&nbsp;</P> Fri, 10 Jun 2022 18:38:13 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502783#M2152 riza.emet 2022-06-10T18:38:13Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502789#M2153 <P>Seems like a false positive then. Looking thru my PaloAlto Apps and Threats release notes I don't see anything about bittorrent Application changes in the last year. I think you are going to have to get PaloAlto support to investigate/fix the false positive. If it is a serious problem for you, you could temporarily bypass the application filter and just allow UDP 123 in the mean time.</P> Fri, 10 Jun 2022 19:04:11 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502789#M2153 Adrian_Jensen 2022-06-10T19:04:11Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502808#M2154 <P>I replayed your PCAP to my lab. I see NTPv4 traffic detected as ntp-base, and NTPv1 traffic detected as ntp-non-rfc. I don't see any bittorrent traffic, but I am running 10.2.2, maybe your PAN-OS identifies it differently. Check the source ports of the sessions identified as bittorrent, and compare them to your packet capture to see if there is a correlation between NTPv1 and bittorrent, versus NTPv4 and correct identifification of ntp-base traffic. It is possible that your firewall is detecting ntp-non-rfc as bittorrent.</P> Fri, 10 Jun 2022 19:42:18 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502808#M2154 mivaldi 2022-06-10T19:42:18Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502811#M2155 <P>Also check if the misdetection began around March 15, 2022, that's when the change was pushed in Content.&nbsp;<A href="https://live.paloaltonetworks.com/t5/customer-resources/app-id-decoders-enhancement-plan/ta-p/469547" target="_blank" rel="noopener">https://live.paloaltonetworks.com/t5/customer-resources/app-id-decoders-enhancement-plan/ta-p/469547</A></P><P>&nbsp;</P><P>You can test adding ntp-non-rfc as an allowed app in your policy to see if it resolves the issue.</P> Fri, 10 Jun 2022 19:49:26 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502811#M2155 mivaldi 2022-06-10T19:49:26Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502812#M2156 <P>Thanks for answer. I will compare.</P> Fri, 10 Jun 2022 19:47:51 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/502812#M2156 riza.emet 2022-06-10T19:47:51Z https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/507632#M2188 <P>The problem to be fixed with App&amp;Thread Update 8586. The release note says that false positive is fixed.</P><P>Thank you for your interest.</P> Fri, 01 Jul 2022 09:02:42 GMT https://live.paloaltonetworks.com/t5/virustotal/ntp-and-bittorrent-traffic-issue/m-p/507632#M2188 riza.emet 2022-07-01T09:02:42Z