https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34057#M24971 <HTML><HEAD></HEAD><BODY><P>Thanks HULK, that does indeed help</P></BODY></HTML> Tue, 06 May 2014 13:43:16 GMT ericgearhart 2014-05-06T13:43:16Z https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34055#M24969 <HTML><HEAD></HEAD><BODY><P>Is anyone else frustrated with PA's approach to threats and threat signatures?</P><P></P><P>Prime example: "Netbios Small Piece Data Evasion Attack Vulnerability" - signature ID 33511, link to the Threat Vault: <A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/33511" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/33511">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/33511</A></P><P></P><P>Can we please get some kind of an idea of what the heck this is in reference to? A Microsoft KB? Some kind of hint about figuring out if this is a FP or not? Google searches for "Netbios Small Piece Data Evasion Attack Vulnerability" turn up a link to Microsoft KB that's no longer valid.</P></BODY></HTML> Mon, 05 May 2014 20:01:25 GMT https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34055#M24969 ericgearhart 2014-05-05T20:01:25Z https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34056#M24970 <HTML><HEAD></HEAD><BODY><P>The signature 33511 will be triggered if there are two <SPAN class="GINGER_SOFTWARE_mark">netbios</SPAN> packets which length is less than 4 bytes in one session. Some evasion techniques will use this method to get rid of detection, but this signature itself is not a vulnerability.&nbsp; </P><P>This is just an indicator that PAN find some evasion packet. It <SPAN class="GINGER_SOFTWARE_mark">not means</SPAN> it is malicious.</P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 06 May 2014 07:38:24 GMT https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34056#M24970 HULK 2014-05-06T07:38:24Z https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34057#M24971 <HTML><HEAD></HEAD><BODY><P>Thanks HULK, that does indeed help</P></BODY></HTML> Tue, 06 May 2014 13:43:16 GMT https://live.paloaltonetworks.com/t5/general-topics/frustration-with-threats-from-pa/m-p/34057#M24971 ericgearhart 2014-05-06T13:43:16Z