topic Re: Suspicious DNS Query Pan-DB and BrightCloud in General Topics

Suspicious DNS Query Pan-DB and BrightCloud

obor — Tue, 23 Sep 2014 07:03:33 GMT

We are using the BrightCloud URL DB for URL Filtering. Last week we had discovered an issue that users can’t access the URL http(s)://www.haalmeeruitjecard.nl

Searching the PaloAlto we see that is not blocked by the URL Log. BrightCloud says as URL Category “business-and-economy” and that is allowed.

Still the session can’t be setup and we did not see any block page at all.

Further looking we discovered that is blocked by the Anti-Spyware Rule with the Suspicious DNS Query action. We block Suspicious DNS Query query’s.

In the Thread log was reported : Suspicious DNS Query (www.haalmeeruitjecard.nl)!! Uuh this is a normal site here in the Netherlands.

So is it the Threat DB that this is causing??? NO, found out that the URL is marked in the PAN-DB Url Database as malware.

Requested a change for Pan-DB and after this was changed we had no more Suspicious DNS Query’s for this url.

URL: www.haalmeeruitjecard.nl

Previous category: malware

You suggested: financial-services

New category: financial-services

The new categorization is available starting with URL DB version: 2014.09.22.221

Does this mean that the PaloAlto Device is using both URL database’s to provide protection?

Is it than maybe better to migrate to PAN-DB URL Database so that all information is provided from 1 DB?

Thanks for your responses.

Osman Bor

Re: Suspicious DNS Query Pan-DB and BrightCloud

HULK — Tue, 23 Sep 2014 07:47:42 GMT

Hello Osman,

PAN firewall is having multiple layer of protection on it. Example: The content/packet will be inspected by:

--- URL filtering database ( Bright Cloud or PAN DB) for categorization.

--- Application & Threat database for Vulnerability/DNS signature checking.

--- Antivirus database for virus /ANtispyware checking.

So, if any packet identified with malicious in nature, will be blocked by the above mentioned database.

Thanks

Re: Suspicious DNS Query Pan-DB and BrightCloud

hshah — Tue, 23 Sep 2014 13:08:39 GMT

Hi Obor,

Please find Virus Total analysis for web site .haalmeeruitjecard.nl, it confirms its not malicious.

Scan report for http://haalmeeruitjecard.nl/ at2014-09-23 13:06:14 UTC - VirusTotal

Make sure your are on latest content. If issue still occurs than please open a case with TAC for false positive. They should fix it.

Changes will be reflected in next couple of days.

Regards,

Hardik Shah

Re: Suspicious DNS Query Pan-DB and BrightCloud

ssharma — Tue, 23 Sep 2014 20:53:01 GMT

Hi Osman,

Yes you are right, PA firewall uses both DB to protect your network. In your example, even though brightcloud categorizes the traffic as business-and-economy, URL in question was categorized as suspicious by PANDB (which turned out to be false positive in this case) and was blocked by our Spyware engine.

Migrating to PANDB might be a good option as we have total control over it, resulting in faster resolution for URL DB issues. Hope that helps. Thank you.

Re: Suspicious DNS Query Pan-DB and BrightCloud

obor — Wed, 24 Sep 2014 09:32:23 GMT

Hulk,

Yes it correct what your saying and with the answer of ssharma it looks like this now:

--- URL filtering database ( Bright Cloud or PAN DB) for categorization.

--- Application & Threat database & PAN DB for Vulnerability/DNS signature checking.

--- Antivirus database for virus /ANtispyware checking.

Regards,

Osman Bor