https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-host-type-field/m-p/46283#M34014 <HTML><HEAD></HEAD><BODY><P>I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.</P><P></P><P>For instance, we have a profile configured to protect our DMZ with six rules as follows:</P><P></P><TABLE border="1" class="jiveBorder" style="border: 1px solid #000000; width: 100%;"><TBODY><TR><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Rule</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Threat Name</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>CVE</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Host Type</TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Severity</TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Action</TH></TR><TR><TD style="padding: 2px;">client-critical</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">critical</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">client-high</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">high</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">client-medium</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">medium</TD><TD style="padding: 2px;">alert</TD></TR><TR><TD style="padding: 2px;">server-critical</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">critical</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">server-high</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">high</TD><TD style="padding: 2px;">alert</TD></TR><TR><TD style="padding: 2px;">server-medium</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">medium</TD><TD style="padding: 2px;">alert</TD></TR></TBODY></TABLE><P></P><P><SPAN style="color: #575757; font-family: arial, helvetica, sans-serif;">I've noticed in the threat logs a number of 'FTP: login Brute-force attempt'&nbsp; triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based off the details of the threat ( see below ) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat, however, it appears it is matching under the rule 'server-high' which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client <SPAN style="font-size: 12px;">side, server side, or either (</SPAN><SPAN style="font-size: 12px;">any</SPAN></SPAN><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif'; font-size: 12px;"><SPAN style="font-family: arial, helvetica, sans-serif; color: #575757;">)."&nbsp; </SPAN><SPAN style="color: #575757; font-family: arial, helvetica, sans-serif;">which to me is very vague.&nbsp; Could someone explain to me exactly what the 'host type' field does? </SPAN></SPAN></P><P></P><P><LABEL class="x-form-item-label" for="ext-comp-5433" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Name</STRONG></LABEL></P><P>FTP: login Brute-force attempt</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5434" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>ID</STRONG></LABEL></P><P class="x-form-display-field" style="padding: 4px 0 0;">40001</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5435" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Description</STRONG></LABEL></P><P class="x-form-display-field" style="padding: 4px 0 0;">This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5436" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Severity</STRONG></LABEL></P><P class="x-form-element" style="padding: 0 0 0 85px; font-family: Tahoma, Arial, Helvetica, sans-serif;"></P><DIV class="x-form-display-field" style="padding: 4px 0 0;"><IMG class="jiveImage" src="https://ip1.i.lithium.com/04e5bcbd72a27575dc762965a06976bdaab5f40e/68747470733a2f2f31302e302e32302e3232302f696d616765732f7468726561745f686967682e676966" /><P></P></DIV></BODY></HTML> Wed, 11 Dec 2013 18:16:09 GMT MikeBull 2013-12-11T18:16:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-host-type-field/m-p/46283#M34014 <HTML><HEAD></HEAD><BODY><P>I am looking for clarification as to how the 'Host Type' field works in a vulnerability protection profile.</P><P></P><P>For instance, we have a profile configured to protect our DMZ with six rules as follows:</P><P></P><TABLE border="1" class="jiveBorder" style="border: 1px solid #000000; width: 100%;"><TBODY><TR><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Rule</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>Threat Name</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle"><STRONG>CVE</STRONG></TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Host Type</TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Severity</TH><TH style="text-align: center; background-color: #6690bc; color: #ffffff; padding: 2px;" valign="middle">Action</TH></TR><TR><TD style="padding: 2px;">client-critical</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">critical</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">client-high</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">high</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">client-medium</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">client</TD><TD style="padding: 2px;">medium</TD><TD style="padding: 2px;">alert</TD></TR><TR><TD style="padding: 2px;">server-critical</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">critical</TD><TD style="padding: 2px;">block</TD></TR><TR><TD style="padding: 2px;">server-high</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">high</TD><TD style="padding: 2px;">alert</TD></TR><TR><TD style="padding: 2px;">server-medium</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">any</TD><TD style="padding: 2px;">server</TD><TD style="padding: 2px;">medium</TD><TD style="padding: 2px;">alert</TD></TR></TBODY></TABLE><P></P><P><SPAN style="color: #575757; font-family: arial, helvetica, sans-serif;">I've noticed in the threat logs a number of 'FTP: login Brute-force attempt'&nbsp; triggered from the outside to the DMZ with a source of some IP in China. Clicking the detail option beside the log entry shows a direction of 'client-to-server'. Based off the details of the threat ( see below ) I would assume the rule 'client-high' would catch the brute force attempt and 'block' the threat, however, it appears it is matching under the rule 'server-high' which takes an 'alert' action. In the help menus the 'Host' field has the description "Specify whether to limit the signatures for the rule to those that are client <SPAN style="font-size: 12px;">side, server side, or either (</SPAN><SPAN style="font-size: 12px;">any</SPAN></SPAN><SPAN style="color: #000000; font-family: 'Microsoft Sans Serif'; font-size: 12px;"><SPAN style="font-family: arial, helvetica, sans-serif; color: #575757;">)."&nbsp; </SPAN><SPAN style="color: #575757; font-family: arial, helvetica, sans-serif;">which to me is very vague.&nbsp; Could someone explain to me exactly what the 'host type' field does? </SPAN></SPAN></P><P></P><P><LABEL class="x-form-item-label" for="ext-comp-5433" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Name</STRONG></LABEL></P><P>FTP: login Brute-force attempt</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5434" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>ID</STRONG></LABEL></P><P class="x-form-display-field" style="padding: 4px 0 0;">40001</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5435" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Description</STRONG></LABEL></P><P class="x-form-display-field" style="padding: 4px 0 0;">This event indicates that someone is using a brute force attack to gain access to an ftp server. An FTP brute force attack is a method of defeating the cryptographic scheme by trying a large number of possible username and passwords.</P><P class="x-form-item" style="margin-bottom: 4px; font-family: tahoma, helvetica, arial, sans-serif; font-size: 11px; color: #222222; background-color: #ebedee;"><LABEL class="x-form-item-label" for="ext-comp-5436" style="padding: 3px 3px 3px 0; text-align: right !important;"><STRONG>Severity</STRONG></LABEL></P><P class="x-form-element" style="padding: 0 0 0 85px; font-family: Tahoma, Arial, Helvetica, sans-serif;"></P><DIV class="x-form-display-field" style="padding: 4px 0 0;"><IMG class="jiveImage" src="https://ip1.i.lithium.com/04e5bcbd72a27575dc762965a06976bdaab5f40e/68747470733a2f2f31302e302e32302e3232302f696d616765732f7468726561745f686967682e676966" /><P></P></DIV></BODY></HTML> Wed, 11 Dec 2013 18:16:09 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-host-type-field/m-p/46283#M34014 MikeBull 2013-12-11T18:16:09Z https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-host-type-field/m-p/46284#M34015 <HTML><HEAD></HEAD><BODY><P>In the example you have, the host is the Server, so it'll be a "server-high" with an action of Alert. If it was a server attacking a client, or a client-targeted vulnerability, it would be a "client-high" which does have an action of block.</P><P></P><P>Effectively, the host field is equivalent to the target.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Wed, 11 Dec 2013 18:47:55 GMT https://live.paloaltonetworks.com/t5/general-topics/vulnerability-protection-host-type-field/m-p/46284#M34015 gwesson 2013-12-11T18:47:55Z