<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ID 3805790 and 3805788 DNS lookup in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97791#M44076</link>
    <description>&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/Using-Packet-Filtering-through-the-WebGUI/ta-p/56363" target="_blank"&gt;THIS&lt;/A&gt;&amp;nbsp;will help you know what you need for a packet capture, but essentially it will be source IP, destination IP, the application if it's reporting as the same one all the time, and then you can filter further from there. Pass that PCAP along to your SE and they can start the process of either identifying why it's being hit or getting the signature updated. In the meantime I would disable that signature and let the traffic pass, as long as you are confident that the servers that you are connecting to are clean.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 14 Jul 2016 18:03:06 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2016-07-14T18:03:06Z</dc:date>
    <item>
      <title>ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/96949#M44031</link>
      <description>&lt;P&gt;Hello, looking for more information on these Threat IDs 3805790 and 3805788.&amp;nbsp;&lt;/P&gt;&lt;P&gt;In the monitor--&amp;gt; threat --&amp;gt;&lt;/P&gt;&lt;P&gt;Type Field is showing up as spyware&lt;/P&gt;&lt;P&gt;Attacker Field IP is a private IP address&amp;nbsp;&lt;/P&gt;&lt;P&gt;Victim Field IP is a public IP address. The Victim Field public IP address is not the same and does not match what shows up in the Name Field.&amp;nbsp;&lt;/P&gt;&lt;P&gt;The Victim Field IP addresses are clean from all the research I can find.&lt;/P&gt;&lt;P&gt;I would like to know why Palo Alto keeps showing up with these IDs&amp;nbsp;3805790 and 3805788.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jul 2016 19:49:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/96949#M44031</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-12T19:49:26Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/96962#M44033</link>
      <description>&lt;P&gt;It looks like both of your threats are generic:weebcan.rapidsys.com identities. Your private address is in the attacker field because it is the "attacker" in this scenario; that information is probably correct. Both were released on 6-29 of this year.&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's being identified because rapidsys is being identified as a hacked website at the moment, which is why they pushed out the threat with WildFire. I imagine that someone is either accessing, or you yourself are hosting, a website using the service. It's a pretty sound signature from what I can see, so I don't see how it could really be a false positive.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Jul 2016 20:24:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/96962#M44033</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-07-12T20:24:49Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97330#M44046</link>
      <description>&lt;P&gt;Thank you for the reply BPry&lt;/P&gt;&lt;P&gt;What I still do not understand is why there are IP addresses in the Victim Field that do not show up as&amp;nbsp;&lt;SPAN&gt;weebcan.rapidsys.com. For example, I am seeing a DNS server (private IP) request to a university (public IP) listed as spyware, with name and ID all the same. I have many different examples of this issue.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2016 16:26:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97330#M44046</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-13T16:26:28Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97350#M44047</link>
      <description>&lt;P&gt;That I'm not sure. It might be worth doing a packet capture and seeing specifically where that traffic is going and what it's doing. I haven't seen that signature throw a false positive on our 3020s or 200s, but if you send the university's public IP address I could connect to it and see if it's something to do with the threat signature or if it's specific to your equipment.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2016 16:57:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97350#M44047</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-07-13T16:57:28Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97382#M44052</link>
      <description>&lt;P&gt;I can put a request in for a packet capture on this. Is there a different way to look at this issue without a packet capture?&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is the university IP address&amp;nbsp;192.58.125.30 and here is another public IP address&amp;nbsp;192.58.128.30. &amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for your help on this&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2016 19:01:37 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97382#M44052</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-13T19:01:37Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97403#M44053</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The "victim" here should be the DNS server that received the DNS request. Depending on where your firewall is located on your network, it&amp;nbsp;can be your internal DNS server, or an external DNS server where the request got forwarded.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Benjamin&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2016 20:34:27 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97403#M44053</guid>
      <dc:creator>BenjAudy.MTL</dc:creator>
      <dc:date>2016-07-13T20:34:27Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97435#M44054</link>
      <description>&lt;P&gt;Well, the victim shows up as an external DNS server. &amp;nbsp;When I use the resolve hostname option on the Palo Alto device, it shows what I believe are root DNS servers.&amp;nbsp;&lt;/P&gt;&lt;P&gt;It seems that all DNS lookups are showing as these ID numbers and the public IP addresses are not those IDs. So, I do not know what to think of this.&lt;/P&gt;</description>
      <pubDate>Wed, 13 Jul 2016 20:55:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97435#M44054</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-13T20:55:59Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97693#M44068</link>
      <description>&lt;P&gt;I can't get to either of those IP addresses; but if you know the IP addresses for everything then you could make exceptions for them or disable that ID on your PA altogether. I would recommend getting a packet capture done though, because it sounds like something with your DNS server specifically that this signature doesn't like, and it could be that nobody else is really seeing the same issue.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2016 13:07:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97693#M44068</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-07-14T13:07:18Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97769#M44075</link>
      <description>&lt;P&gt;Thank you BPry&lt;/P&gt;&lt;P&gt;I know the Palo Alto has an option for packet capture. I do not have the rights to do one. Would you please provide some idea of what kind of packet capture settings I can put in the request for this?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the packet capture is not needed on the Palo Alto, where should the packet capture be taken from, and with what settings applied?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2016 16:15:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97769#M44075</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-14T16:15:24Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97791#M44076</link>
      <description>&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/Using-Packet-Filtering-through-the-WebGUI/ta-p/56363" target="_blank"&gt;THIS&lt;/A&gt;&amp;nbsp;will help you know what you need for a packet capture, but essentially it will be source IP, destination IP, the application if it's reporting as the same one all the time, and then you can filter further from there. Pass that PCAP along to your SE and they can start the process of either identifying why it's being hit or getting the signature updated. In the meantime I would disable that signature and let the traffic pass, as long as you are confident that the servers that you are connecting to are clean.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2016 18:03:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97791#M44076</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2016-07-14T18:03:06Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97797#M44077</link>
      <description>&lt;P&gt;Thank you, BPry, for your help on this. I will check this out and hope to get back to you on why this is happening.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jul 2016 18:50:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/97797#M44077</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-14T18:50:34Z</dc:date>
    </item>
    <item>
      <title>Re: ID 3805790 and 3805788 DNS lookup</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/98047#M44089</link>
      <description>&lt;P&gt;Last night I got the packet capture set up. I checked the monitor ---&amp;gt; threat --&amp;gt; and nothing shows up there on these IDs.&amp;nbsp;&lt;/P&gt;&lt;P&gt;So, I checked the PANW Threat Vault on these IDs; they have been updated now.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Anyone know what changed???&lt;/P&gt;</description>
      <pubDate>Fri, 15 Jul 2016 13:49:47 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/id-3805790-and-3805788-dns-lookup/m-p/98047#M44089</guid>
      <dc:creator>AdamCoombs</dc:creator>
      <dc:date>2016-07-15T13:49:47Z</dc:date>
    </item>
  </channel>
</rss>