https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33461#M24536 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Last days one of my computer started generating strange&nbsp; traffic that is blocked by Thread Prevention (ID35111)</P><P><IMG alt="2014-06-17_212432.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/13981_2014-06-17_212432.png" style="height: 369px; width: 620px;" /></P><P>I have access to this computer, but how to find and remove this program that is genrating such traffic?</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Tue, 17 Jun 2014 19:28:41 GMT _slv_ 2014-06-17T19:28:41Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33461#M24536 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Last days one of my computer started generating strange&nbsp; traffic that is blocked by Thread Prevention (ID35111)</P><P><IMG alt="2014-06-17_212432.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/13981_2014-06-17_212432.png" style="height: 369px; width: 620px;" /></P><P>I have access to this computer, but how to find and remove this program that is genrating such traffic?</P><P></P><P></P><P>Regards</P><P>Slawek</P></BODY></HTML> Tue, 17 Jun 2014 19:28:41 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33461#M24536 _slv_ 2014-06-17T19:28:41Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33462#M24537 <HTML><HEAD></HEAD><BODY><P>Slawek,</P><P>You might start by looking at the netstat output for the workstation with the source port 65409</P><P>This article will help for a Windows system - <A href="http://www.techrepublic.com/blog/the-enterprise-cloud/see-what-process-is-using-a-tcp-port-in-windows-server-2008/" title="http://www.techrepublic.com/blog/the-enterprise-cloud/see-what-process-is-using-a-tcp-port-in-windows-server-2008/">See what process is using a TCP port in Windows Server 2008 - TechRepublic</A></P><P>The SysInternals tools from Microsoft can also help - <A href="http://technet.microsoft.com/en-us/sysinternals/bb545021.aspx" title="http://technet.microsoft.com/en-us/sysinternals/bb545021.aspx">Windows Sysinternals: Documentation, downloads and additional resources</A></P><P>One issue that may arise is that modern malware tends to hide itself from the built in tools that could be used to identify it.</P><P>May your efforts be successful.</P><P>James</P></BODY></HTML> Wed, 18 Jun 2014 20:40:26 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33462#M24537 jcostello 2014-06-18T20:40:26Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33463#M24538 <HTML><HEAD></HEAD><BODY><P>Today I did execption in volnurability profile with pcpap option set.</P><P>In Thread log I see:</P><P><IMG alt="2014-06-24_212148.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14092_2014-06-24_212148.png" style="height: 281px; width: 620px;" /></P><P>In Monitor&gt;Packe Capture &gt; Captured files there isn't such file.</P><P></P><P>How to save this information in .pcap format file?</P><P></P><P>How can I use this information for sending it for further analysis by other vendors?</P><P></P><P></P><P>With regards</P><P>SLawek</P></BODY></HTML> Tue, 24 Jun 2014 19:28:47 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33463#M24538 _slv_ 2014-06-24T19:28:47Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33464#M24539 <HTML><HEAD></HEAD><BODY><P>Hi slv,</P><P></P><P>To save the pcap you should use the 'Export' button provided:</P><P><IMG __jive_id="14117" alt="Screen Shot 2014-06-25 at 09.11.29.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/14117_Screen Shot 2014-06-25 at 09.11.29.png" style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; height: auto;" /></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">In Monitor&gt;Packet Capture &gt; Captured files you will only find PCAP files which you have grabbed using the filters on that same page or via CLI using the 'debug dataplane packet-diag' command.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Kind regards,</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">-Kim.<BR /></SPAN></P></BODY></HTML> Wed, 25 Jun 2014 07:14:03 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33464#M24539 kiwi 2014-06-25T07:14:03Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33465#M24540 <HTML><HEAD></HEAD><BODY><P>Hello Kim</P><P></P><P><SPAN class="short_text" lang="en"><SPAN class="hps">oops</SPAN> <SPAN class="hps">I</SPAN> <SPAN class="hps">guess</SPAN> <SPAN class="hps">I was</SPAN> <SPAN class="hps">blind! </SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps">Thx</SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps"><BR /></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps"><BR /></SPAN></SPAN></P><P><SPAN class="short_text" lang="en"><SPAN class="hps">Slawek<BR /></SPAN></SPAN></P></BODY></HTML> Wed, 25 Jun 2014 09:48:49 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33465#M24540 _slv_ 2014-06-25T09:48:49Z https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33466#M24541 <HTML><HEAD></HEAD><BODY><P>FYI</P><P>This traffic was generated by <A href="http://www.ammyy.com/en/">AmmyAdmin </A></P><P>Unfortunetelly PAN doesnt detect this traffic as should be. AmmyADmin is well known for PAN OS aplication, but not properly detected on 6.0.2.</P><P>Case pending for update.</P><P></P><P></P><P>Slawek</P></BODY></HTML> Tue, 01 Jul 2014 10:26:08 GMT https://live.paloaltonetworks.com/t5/general-topics/fragroute-evasion-attack-how-to-find-source-process-application/m-p/33466#M24541 _slv_ 2014-07-01T10:26:08Z