https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217298#M62872 <P>Try to understand "<SPAN>suspicious HTTP response" means from PAN point of view, it will be nice to have a more descriptive explaination.&nbsp; It is a low&nbsp;severity, but why is it set to alert?</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Sun, 10 Jun 2018 14:42:13 GMT nextgenhappines 2018-06-10T14:42:13Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217277#M62870 <P>Hi,</P><P>&nbsp;</P><P>Anyone else&nbsp; notices increase amount of&nbsp;<SPAN>Suspicious HTTP Response Found ID 54319 after installed AppID 8029-4784?.</SPAN></P><P>&nbsp;</P><P><SPAN>The threat vault description&nbsp;This signature detects a suspicious HTTP response</SPAN></P><P><SPAN>Category protocol anomaly</SPAN></P><P><SPAN>PANOS Min version 8.0.0</SPAN></P><P><SPAN>Severity low</SPAN></P><P><SPAN>Action Alert</SPAN></P><P><SPAN>Fire release 785</SPAN></P><P>&nbsp;</P><P><SPAN>Want to see if others are seeing the same thing on their firewall?&nbsp; It looks like it is catching http get file transfer.&nbsp; What makes it suspicious?</SPAN></P><P>&nbsp;</P><P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="54319.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15441iC29DB06D7964A522/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="54319.png" alt="54319.png" /></span></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Sat, 09 Jun 2018 14:52:18 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217277#M62870 nextgenhappines 2018-06-09T14:52:18Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217284#M62871 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23897">@nextgenhappines</a>,</P><P>I've noticed an uptick, but it's something that I notice quite a lot anyways with our users.&nbsp;</P> Sun, 10 Jun 2018 02:04:35 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217284#M62871 BPry 2018-06-10T02:04:35Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217298#M62872 <P>Try to understand "<SPAN>suspicious HTTP response" means from PAN point of view, it will be nice to have a more descriptive explaination.&nbsp; It is a low&nbsp;severity, but why is it set to alert?</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Sun, 10 Jun 2018 14:42:13 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217298#M62872 nextgenhappines 2018-06-10T14:42:13Z https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217510#M62923 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/23897">@nextgenhappines</a>,</P><P>Unfortunately they kind of stopped publishing exactly what the signature in question is looking for, however all of the Suspicious HTTP Response Found signatures all focus on looking for different characters in the HTTP response header. For example '40400' looks for "x00". They essentially are looking for a character set that shouldn't actually exist in the response header.&nbsp;</P><P>The real issue is that most people don't take the standard seriously and include whatever they want within the response header because generally it doesn't cause any issues. Its set to alert because you can actually use the response header to give commands to infected machines. So if an infected machine reaches out to a CnC server it can put control information within a response header.&nbsp;</P><P>&nbsp;</P><P>I'll clarify this by saying that there is a&nbsp;<STRONG>lot</STRONG> of services that don't actually respect RFC 2616 or the further defined RFC 7230. Slack&nbsp;is one that I can think of at the moment that is horribly out of scope and is rightfully identified but is a known application.&nbsp;</P> Tue, 12 Jun 2018 13:06:39 GMT https://live.paloaltonetworks.com/t5/general-topics/suspicious-http-response-found-id-54319-after-updated-to-8029/m-p/217510#M62923 BPry 2018-06-12T13:06:39Z