topic Re: attacking site and PAN in General Topics

attacking site and PAN

_slv_ — Wed, 16 Apr 2014 07:48:02 GMT

Hello

Few days ago I discovered site with some information about VMware Update Manager. I had a problem with it and I was searching for solution.

This site is www.bourgelat.net/cannot-patch-definitions-vmware-19988

I have PA with all licences but PAN software doesnt detect any bad traffic

I asked PAN to change categorization to malware site, but today I got email : New category: computer-and-internet-info

This site still trying to hurt Your computer, and PAN doesnt responds to it - is it OK?

I have security policy with thread prevention/av - but it doesnt stops it, hopefully my Symnatec Endpoint protection detecting it and blocking.

You can try to open www.bourgelat.net - this isn't https so in my opinion PAN should react in some way to this traffic.

Do You agree with me?

How it's possible when IE 10 with default configuration recomends to not enter to this site while PAN recategorization is computer-and-internet-info ?

Regards

Slawek

Re: attacking site and PAN

_slv_ — Wed, 16 Apr 2014 12:37:28 GMT

small update, www.bourgelat.net is classified as malware site by BightCloud Service, and it's blocked if You are blocking access by url filter (block malware sites) but if you are using PA url database you are under risk!

Re: attacking site and PAN

dyang — Wed, 16 Apr 2014 18:22:07 GMT

Hi slv,

Can you provide more details about why you feel this site is malicious?

--Doris

Re: attacking site and PAN

_slv_ — Thu, 17 Apr 2014 19:19:02 GMT

My symantec endpoint pretection is detecting that this site try to attact my computer using "red export kit redirect" now.

Re: attacking site and PAN

gafrol — Thu, 17 Apr 2014 19:45:22 GMT

Are you referring to this threat Web Attack: Red Exploit Kit Redirect: Attack Signature - Symantec Corp. ?

If yes then --> CVE-2009-4324

CVE-2009-4324 is covered with nine Threat ID's

Are these nine Threat ID's all covered in your Vuln. Protection Profile ?

BTW, www.bourgelat.net/cannot-patch-definitions-vmware-19988 does not seem to be accessible at all

Re: attacking site and PAN

_slv_ — Thu, 17 Apr 2014 20:22:54 GMT

I can't verify it now, but probably - yes.

Today "www.bourgelat.net/cannot-patch-definitions-vmware-19988" isn't accessable but please try with www.bourgelat.net Please try with it.

I will check my security rules, but I'm sure that I blocing medium and critical threats.

Regards

SLawek

Re: attacking site and PAN

gafrol — Thu, 17 Apr 2014 20:26:21 GMT

I don't see anything threatening on www.bourgelat.net

Re: attacking site and PAN

gafrol — Thu, 17 Apr 2014 20:37:39 GMT

Although a google search for "www.bourgelat.net malware" shows very suspicious results...

Re: attacking site and PAN

_slv_ — Sat, 19 Apr 2014 16:04:33 GMT

Here You are report from today (SEP):

Wykryto zagrożenie

Czas zdarzenia:	19.04.2014 17:33:03
Czas rozpoczęcia:	19.04.2014 17:32:02
Czas zakończenia:	19.04.2014 17:32:02
Wystąpienie:	1
Nazwa sygnatury:	Web Attack: Red Exploit Kit Redirect 2
Identyfikator sygnatury:	26591
Podidentyfikator sygnatury:	71083
Adres URL włamania:	www.bourgelat.net/
Adres URL zawartości włamania:	N/D
Opis zdarzenia:	[Identyfikator SID: 26591] zablokowano atak Web Attack: Red Exploit Kit Redirect 2. Zablokowano ruch tej aplikacji: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Typ zdarzenia:	Zapobieganie włamaniom
Typ hakingu:	0
Istotność:	Krytyczne
Nazwa aplikacji:	/DEVICE/HARDDISKVOLUME2/PROGRAM FILES/MOZILLA FIREFOX/FIREFOX.EXE
Protokół sieciowy:	TCP
Kierunek ruchu sieciowego:	Przychodzący
Adres IP komputera zdalnego:	91.121.93.111
Zdalny adres MAC:	N/D
Nazwa hosta zdalnego:	N/D
Alert:	1
Port lokalny:	55038
Port zdalny:	80

is it a false positive?

Regards

Slawek

Re: attacking site and PAN

HITSSEC — Sat, 19 Apr 2014 23:52:48 GMT

Slawek,

We deal with situation by having two custom URL categories:

1. Temporary-Blocked = this allows you to immediately block it while you wait for a reclassification request to be processed by Palo Alto.

2. Custom-Blocked = This allows you to override the Pan-DB or Brightcloud category. Additionally you can use it to block parts of an otherwise good website.

Hope this provides a way to react quicker. It works quite well for us.

Phil

Re: attacking site and PAN

_slv_ — Wed, 23 Apr 2014 12:22:17 GMT

Hi Gafrol

In my opinion I have all this 9 CVE covered. Security policy has:

And "strict" thread prevention profile is a default one:

I try today to open "bourgelat.net" and again only SEP blocked this traffic.

admin@PA-200> show session all filter source 192.168.1.35 destination 91.121.93.111

--------------------------------------------------------------------------------

ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])

Vsys Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19100 web-browsing ACTIVE FLOW NS 192.168.1.35[52183]/Lan_A/6 (x.x.x.x[52427])

vsys1 91.121.93.111[80]/untrust (91.121.93.111[80])

39182 web-browsing ACTIVE FLOW NS 192.168.1.35[52188]/Lan_A/6 (x.x.x.x[35161])

vsys1 91.121.93.111[80]/untrust (91.121.93.111[80])

34969 web-browsing ACTIVE FLOW NS 192.168.1.35[52196]/Lan_A/6 (x.x.x.x[16722])

vsys1 91.121.93.111[80]/untrust (91.121.93.111[80])

56342 web-browsing ACTIVE FLOW NS 192.168.1.35[52193]/Lan_A/6 (x.x.x.x[18863])

vsys1 91.121.93.111[80]/untrust (91.121.93.111[80])

admin@PA-200> show session id 19100

Session 19100

c2s flow:

source: 192.168.1.35 [Lan_A]

dst: 91.121.93.111

proto: 6

sport: 52183 dport: 80

state: ACTIVE type: FLOW

src user: contoso\slawek

dst user: unknown

qos node: ethernet1/1, qos member N/A Qid 0

s2c flow:

source: 91.121.93.111 [untrust]

dst: x.x.x.x

proto: 6

sport: 80 dport: 52427

state: ACTIVE type: FLOW

src user: unknown

dst user: contoso\slawek

qos node: ethernet1/4.1, qos member N/A Qid 0

start time : Wed Apr 23 14:11:42 2014

timeout : 60 sec

time to live : 10 sec

total byte count(c2s) : 621

total byte count(s2c) : 66

layer7 packet count(c2s) : 5

layer7 packet count(s2c) : 1

vsys : vsys1

application : web-browsing

rule : Lan_A NAT - monitoring

session to be logged at end : True

session in session ager : True

session synced from HA peer : False

address/port translation : source + destination

nat-rule : NAT_Lan_A(vsys1)

layer7 processing : enabled

URL filtering enabled : True

URL category : malware-sites

session via syn-cookies : False

session terminated on host : False

session traverses tunnel : False

captive portal session : False

ingress interface : ethernet1/4.1

egress interface : ethernet1/1

session QoS rule : N/A (class 4)

In monitor tab using filter "( threatid eq 34271) or ( threatid eq 34271) or ( threatid eq 33287) or ( threatid eq 33006) or ( threatid eq 32959) or ( threatid eq 32804) or ( threatid eq 32784) or ( threatid eq 32764) or ( threatid eq 32763)" I see nothing in thread logs.

What is wrong with my configuration?

Regards

Slawek

Re: attacking site and PAN

_slv_ — Wed, 23 Apr 2014 12:23:40 GMT

Hi Hitsec

Thank for clarification, but the clue is that PA refued to change classification to malware sites.

Re: attacking site and PAN

HITSSEC — Thu, 24 Apr 2014 15:01:32 GMT

Slawek,

I fully understand and have experienced the same situation.

Phil

Re: attacking site and PAN

_slv_ — Sat, 26 Apr 2014 07:32:25 GMT

Problem reported to support, I will let You know if we made any progress.

Could someone verify using other NGF than PA and endpoint protetection than Symantec that this site try to hurt your computer and post small report of tests?

Regards

Slawek