https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14050#M10322 <HTML><HEAD></HEAD><BODY><P>Thanks for the update.&nbsp; Sink hole has been on my list to get rolled out for a while.&nbsp; I need to get this setup.</P></BODY></HTML> Mon, 22 Jun 2015 22:36:50 GMT pulukas 2015-06-22T22:36:50Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14044#M10316 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>we're running the following setup:</P><P></P><P>trusted zone | DC zone | Internet</P><P>Client/Proxy/some old DNS Server| DNS Server| Internet</P><P></P><P>I see that the PA is blocking malware traffic (app DNS). But the attacker is either the proxy, asking the DNS in the DC zone, or the old DNS server, asking DNS servers in the Internet.</P><P>Unforunately that way I don't get the compromised machine.</P><P></P><P>What do you guys have in place to identify such computers? Put the proxy and the old DNS in a different zone? Or is the DNS sinkhole the way to go?</P><P></P><P>Thanks for your suggestions.</P><P></P><P>Cheers,</P><P>Sven</P></BODY></HTML> Wed, 17 Jun 2015 07:04:15 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14044#M10316 Sven_Lieckfeldt 2015-06-17T07:04:15Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14045#M10317 <HTML><HEAD></HEAD><BODY><P>In order for the PA to identify the computer the traffic would have to cross the PA from the computer to the DNS server or from the computer to the proxy.</P><P></P><P>For the proxy server requests I would check the proxy logs for the DNS record and see if it logs that site as visited by a user.</P><P></P><P>For the DNS server if you did put this into its own dmz like zone then all traffic to the DNS would get seen and logged.&nbsp; But be careful what you ask for.&nbsp; This will generate a LOT of logs and will thus shorten the time frame of available logs on the PA.&nbsp; DNS is used very frequently on a modern network.&nbsp; A single page load can generate 10 dns requests easily.</P></BODY></HTML> Wed, 17 Jun 2015 10:32:58 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14045#M10317 pulukas 2015-06-17T10:32:58Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14046#M10318 <HTML><HEAD></HEAD><BODY><P>Hi Steven,</P><P></P><P>thanks for your answer!</P><P>We're not logging allowed traffic to avoid logs blowing our firewall. So that would be fine.</P><P>So I've the following options:</P><P>- put proxy's into another zone</P><P>- scan the proxy logs</P><P></P><P>Cheers,</P><P>Sven</P></BODY></HTML> Thu, 18 Jun 2015 14:47:48 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14046#M10318 Sven_Lieckfeldt 2015-06-18T14:47:48Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14047#M10319 <HTML><HEAD></HEAD><BODY><P>Sven,</P><P></P><P>Would using the sinkhole feature within your Anti-spyware Profile help?&nbsp;&nbsp; We have a situation where the user to DNS server communication does not traverse the firewall.&nbsp; By using the sinkhole response on DNS signatures you can see who is going to the sinkhole IP address (because you define it and force the traffic to it to traverse the firewall ).&nbsp; Certainly this is useful in helping you to look a bit more closely at specific source IP addresses on your network.&nbsp; DNS sinkhole is one of those red flags to help you identify unusual or suspicious traffic.</P><P></P><P>Hope this helps,</P><P></P><P>Phil</P></BODY></HTML> Thu, 18 Jun 2015 19:27:03 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14047#M10319 HITSSEC 2015-06-18T19:27:03Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14048#M10320 <HTML><HEAD></HEAD><BODY><P>I was wondering the same thing. (DNS Sinkhole)</P><P></P><P>I'm getting ready to implement it on our firewall.</P></BODY></HTML> Sun, 21 Jun 2015 20:07:21 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14048#M10320 rkoenig 2015-06-21T20:07:21Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14049#M10321 <HTML><HEAD></HEAD><BODY><P>I have implemented SinkHole and it works awesome.</P><P></P><P>thanks</P></BODY></HTML> Mon, 22 Jun 2015 15:48:16 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14049#M10321 scantwell 2015-06-22T15:48:16Z https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14050#M10322 <HTML><HEAD></HEAD><BODY><P>Thanks for the update.&nbsp; Sink hole has been on my list to get rolled out for a while.&nbsp; I need to get this setup.</P></BODY></HTML> Mon, 22 Jun 2015 22:36:50 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-blocks-spyware-identify-compromised-computer/m-p/14050#M10322 pulukas 2015-06-22T22:36:50Z