https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66603#M39244 <P>let us know what the outcome is, we're getting these daily whereas we've never had them prior to about a month or so ago</P> Wed, 14 Oct 2015 17:35:35 GMT ulti 2015-10-14T17:35:35Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/65104#M38922 <P>Before I go on a wild goose chase, has anyone seen an increase in threat 30419 (RFC2397 Data URL Scheme Usage Detected)?</P><P>&nbsp;</P><P>It seems like these things trip for a while until PA figures out someone's using something novel in a new App. A new application sig comes out and the alerts go away...</P> Fri, 25 Sep 2015 13:29:30 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/65104#M38922 MCmgt 2015-09-25T13:29:30Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/65127#M38936 <P>thank goodness - its not just me. yes, we've seen a huge increase in these and wasn't sure if we should negate these in the policy or if Palo's threat team jacked with the settings in a recent db update. (known to happen)</P><P>&nbsp;</P> Fri, 25 Sep 2015 21:16:10 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/65127#M38936 ulti 2015-09-25T21:16:10Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66355#M39173 <P>anyone have thoughts on this? seems noisy for us. Can't tell if Palo changed it in threat db or if there's just a huge increase of it on net.</P> Fri, 09 Oct 2015 15:51:44 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66355#M39173 ulti 2015-10-09T15:51:44Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66602#M39243 <P>I opened a case (<SPAN>00389881) yesterday. They've heard rumblings from customers but hadn't received any pcaps yet.</SPAN></P> <P>&nbsp;</P> <P><SPAN>By chance, I stumbled across someone tripping the sig and called them. They got red-faced when I asked them what they had just done...visited okmagazine.com. Sure enough, I was able to reproduce it and support has a pcap to look at.</SPAN></P> Wed, 14 Oct 2015 17:28:51 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66602#M39243 MCmgt 2015-10-14T17:28:51Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66603#M39244 <P>let us know what the outcome is, we're getting these daily whereas we've never had them prior to about a month or so ago</P> Wed, 14 Oct 2015 17:35:35 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66603#M39244 ulti 2015-10-14T17:35:35Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66604#M39245 <P>This particular instance was <SPAN>a TTF (TrueType Font) file, and that the purpose of the javascript containing it looked to be css/style/ad delivery using JWPLAYER.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Advertising...</SPAN></P> <P>&nbsp;</P> <P><SPAN>YMMV.</SPAN></P> Wed, 14 Oct 2015 18:56:37 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/66604#M39245 MCmgt 2015-10-14T18:56:37Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/67604#M39610 <P>Did you mark it as exception and allow or are you still alerting on it?</P> Tue, 03 Nov 2015 16:35:06 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/67604#M39610 ulti 2015-11-03T16:35:06Z https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/68354#M39881 <P>We've been getting a lot of hits on this Threat ID as well. &nbsp;I think if anything, this ID should be set to Informational or Low.</P> Wed, 18 Nov 2015 22:05:24 GMT https://live.paloaltonetworks.com/t5/general-topics/uptick-in-rfc2397-data-url-scheme-usage-detected-30419/m-p/68354#M39881 jambulo 2015-11-18T22:05:24Z