topic Re: malware using encrypted (SSH) transfer over tcp/443 in General Topics

malware using encrypted (SSH) transfer over tcp/443

jmayne — Wed, 03 Jul 2013 16:46:15 GMT

Does Palo Alto have a signature to detect the use of ssh on non-standard ports like 443? I did not see anything in the threat database.

Thanks,

Jim

Re: malware using encrypted (SSH) transfer over tcp/443

Retired Member — Wed, 03 Jul 2013 18:15:47 GMT

I don't see a signature for that.

you can use security rule with application default to allow only it's default port for ssh or using services with that rule for other ports.

Re: malware using encrypted (SSH) transfer over tcp/443

jmayne — Wed, 03 Jul 2013 18:19:13 GMT

Thanks. I will give that a try. Is it possible to request new signatures and if so how would I do that?

Thanks,

Jim

Re: malware using encrypted (SSH) transfer over tcp/443

Retired Member — Wed, 03 Jul 2013 18:24:51 GMT

you need to packet capture the traffic for that.

if you can, it is possible to add custom signature from objects/custom signature tab.

Re: malware using encrypted (SSH) transfer over tcp/443

rgraves — Wed, 03 Jul 2013 20:58:44 GMT

As panos said, that's a rule not a signature. Going back, you can go to Monitor->Traffic and search for (port eq 443) and (app neq ssl) or perhaps (port neq 22) and (app eq ssh).

While you're in the neighborhood, if you have a loose policy and are creating denies, also consider a rule to deny things like crossloop, gre, hamachi, ipsec, ipv6, teredo, and an application filter that looks for subcategory=proxy.

Re: malware using encrypted (SSH) transfer over tcp/443

jmayne — Fri, 05 Jul 2013 12:44:52 GMT

Great advise. Thanks!