<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DNS big text threat seems to bypass security rule in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dns-big-text-threat-seems-to-bypass-security-rule/m-p/67110#M39428</link>
<description>&lt;P&gt;Because it's a DNS answer. The session initiator (DNS query) is probably one of your DNS servers, so the session is allowed and the response can come back.&lt;/P&gt;</description>
    <pubDate>Thu, 22 Oct 2015 13:43:51 GMT</pubDate>
    <dc:creator>santonic</dc:creator>
    <dc:date>2015-10-22T13:43:51Z</dc:date>
    <item>
      <title>DNS big text threat seems to bypass security rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-big-text-threat-seems-to-bypass-security-rule/m-p/67096#M39426</link>
<description>&lt;P&gt;I have a strange circumstance here, I think. I've received several threats in my threat log for "DNS Answer Big TXT Record Response Anomaly", Threat ID 31580 (not sure if that's relevant or not, it just seems an odd similarity).&lt;/P&gt;
&lt;P&gt;So yesterday I had a few instances of this threat from a particular IP. My usual response (like it or not) when I see threats that come through with an action of "allow" or "alert" and I see multiple attempts from the same source IP (and I can't refute the assumption that this is a threat and not mis-classified normal traffic) is to add the IP as a recognized address and put it in a group for "blocked IP's." I have a security rule that says to deny from the source in the "blocked IP's" group and coming in on the L3-untrust zone (which is where this threat comes in) and to any destination on the L3-trust zone (which is the destination on these threats). So that's my setup, and I went to add this IP that got through yesterday to the block list, but it's already in the block list. Busy day yesterday, so I forgot about it - if the same IP tries again, I'll see it the next day.&lt;/P&gt;
&lt;P&gt;So today I have the exact same circumstance with a different IP. So it seems that I have these threats that are for some reason ignoring the first security rule I have in place and making it through to the threat processor, where they're getting "allowed" or "alerted".&lt;/P&gt;
&lt;P&gt;Thoughts on how this could be happening? My only other thought at this point is to try rebooting the firewall, but that seems far-fetched - why are all my other security rules working, and it's just these two IPs with this common threat that are getting through?&lt;/P&gt;</description>
      <pubDate>Thu, 22 Oct 2015 13:29:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-big-text-threat-seems-to-bypass-security-rule/m-p/67096#M39426</guid>
      <dc:creator>mkeller</dc:creator>
      <dc:date>2015-10-22T13:29:30Z</dc:date>
    </item>
    <item>
      <title>Re: DNS big text threat seems to bypass security rule</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dns-big-text-threat-seems-to-bypass-security-rule/m-p/67110#M39428</link>
      <description>&lt;P&gt;Because it's a DNS answer. The session initiator (DNS query) is probably one of your DNS servers, so the session is allowed and the response can come back.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Oct 2015 13:43:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dns-big-text-threat-seems-to-bypass-security-rule/m-p/67110#M39428</guid>
      <dc:creator>santonic</dc:creator>
      <dc:date>2015-10-22T13:43:51Z</dc:date>
    </item>
  </channel>
</rss>