topic Re: Investigation of possible threats in General Topics

Investigation of possible threats

phxcpv — Sat, 05 Nov 2016 14:42:59 GMT

My company has a PA3050. I am new to this device. It is currently setup to mirror/monitor port on current Cisco firewall. The device is reporting that it is finding suspicous files and various other vulnerabilities. There is concern that this is showing that there is active hacker activity on the network. Is there a way to tell the difference between this being active hacker activity or if this is just logging possible vulnerabilities on the network?

Re: Investigation of possible threats

reaper — Mon, 07 Nov 2016 10:39:02 GMT

there a way for you to share logs so we can get a feel for what you are looking at ?

the threat logs are oriented so they try to identify the 'attacker'. there is a magnifying glass at the very left of the log that shows you more details about the underlying session (traffic log + threat log correlation) which should give you an idea of where the session is coming from and where the threat is coming from (session could be client to server-http, threat could be server-http to client, which is a traditional 'download')

Re: Investigation of possible threats

phxcpv — Mon, 07 Nov 2016 16:17:02 GMT

Attached is one of the screenshots from our security team. There are others showing suspicious files or other vulnerabilities.

Re: Investigation of possible threats

phxcpv — Wed, 09 Nov 2016 18:01:59 GMT

Bump. What I am wondering is if this report is telling us there are comprimised hosts or if it is just seeing vulnerabilties that may be on some of the internal hosts and that if we patch those vulnerabilities that it would disappear.

Re: Investigation of possible threats

BPry — Wed, 09 Nov 2016 19:53:52 GMT

I'm not sure if everybody else is having the same issue but I can't actually view your image without it getting really distorted to the point I can't actually read anything.

Re: Investigation of possible threats

santonic — Thu, 10 Nov 2016 07:55:32 GMT

Yes, pic is very distorted. But I think we are talking about this signature:

Name:	OpenSSL AES-NI CBC Information Disclosure Vulnerability
ID:	39257
Description:	OpenSSL is prone to a information leak vulnerability while parsing certain crafted SSL requests. The vulnerability is due to the implementation of AES-NI. An attacker could exploit the vulnerability by using a padding oracle attack to decrypt traffic. A successful attack could lead to leak of the server sensitive information.
Severity:
CVE:	CVE-2016-2107

The description is a bit unclear whether this signature actually detects a request which could exploit this vulnerability or just notifies of use AES-NI instruction set in OpenSSL. As the severity is informational I'd assume it's just use of vulnerable instuction set.

Re: Investigation of possible threats

BPry — Thu, 10 Nov 2016 21:52:40 GMT

I was actually seeing that alert quite a bit a couple months ago; I've since stopped but I was told that it wasn't that the servers were still vulnerable to it so I imagine that it actually identifies a potential attack. Ask whoever is managing your servers if they have updated them since May, I'm guessing that they have.