https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49561#M36519 <HTML><HEAD></HEAD><BODY><P>We do not feel that using client-server collusion by starting the connection as a permitted application and switching to another is genuine or valid test. The scheme devised in the test assumes both the client and server are already under the control of the attacker. We don't know of any real-world clients or servers that can talk HTTP initially and then switch to SSH. Our app-ID has coverage for many evasive real-world tunneling applications and we continue to add coverage for more as we discover them. In this instance, we are working to enhance checks in our HTTP decoder to identify this scheme and set the session to be unknown-tcp. We are targeting to make the fix available in the next 1-2 content updates.</P></BODY></HTML> Tue, 30 Oct 2012 19:30:47 GMT Retired Member 2012-10-30T19:30:47Z https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49559#M36517 <HTML><HEAD></HEAD><BODY><P>I stumbled upon a blog entry (<A href="http://www.what2code.net/?p=100" title="http://www.what2code.net/?p=100">http://www.what2code.net/?p=100</A>) describing how to, sadly, bypass application control on Palo Alto Networks boxes.</P><P>Author does not provide the source code, but I believe the method is not the work of his imagination.</P><P>Any comment on this by PAN Team? Any possible cure for the virus? <img id="smileywink" class="emoticon emoticon-smileywink" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" /></P></BODY></HTML> Fri, 19 Oct 2012 13:39:51 GMT https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49559#M36517 Retired Member 2012-10-19T13:39:51Z https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49560#M36518 <HTML><HEAD></HEAD><BODY><P>While we are waiting for someone from PA to show up on friday evening I have posted a reply in the other thread with similar question <A __default_attr="5509" __jive_macro_name="thread" class="jive_macro jive_macro_thread" href="https://live.paloaltonetworks.com/"></A> <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Fri, 19 Oct 2012 18:51:05 GMT https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49560#M36518 mikand 2012-10-19T18:51:05Z https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49561#M36519 <HTML><HEAD></HEAD><BODY><P>We do not feel that using client-server collusion by starting the connection as a permitted application and switching to another is genuine or valid test. The scheme devised in the test assumes both the client and server are already under the control of the attacker. We don't know of any real-world clients or servers that can talk HTTP initially and then switch to SSH. Our app-ID has coverage for many evasive real-world tunneling applications and we continue to add coverage for more as we discover them. In this instance, we are working to enhance checks in our HTTP decoder to identify this scheme and set the session to be unknown-tcp. We are targeting to make the fix available in the next 1-2 content updates.</P></BODY></HTML> Tue, 30 Oct 2012 19:30:47 GMT https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49561#M36519 Retired Member 2012-10-30T19:30:47Z https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49562#M36520 <HTML><HEAD></HEAD><BODY><P>I belive this is valid because its these methods that malware will use to break out of the internal network in order to phone home various of stuff it can get its hand on.</P><P></P><P>Compromised client: checked (usually its a matter of "when" not "if").</P><P>Compromised server: checked (just look at all botnets where most uses compromised servers to act as C&amp;C).</P><P></P><P>and suddently we have a situation where both the client AND the server is compromised and can run whatever protocol they wish (specially when you take networks such as the internet into account).</P></BODY></HTML> Tue, 30 Oct 2012 21:45:46 GMT https://live.paloaltonetworks.com/t5/general-topics/bypassing-application-control-on-pan-os/m-p/49562#M36520 mikand 2012-10-30T21:45:46Z