topic Re: traffic logs as type - spyware and vulnerability -------session end reason threat in General Topics

traffic logs as type - spyware and vulnerability -------session end reason threat

MP18 — Sat, 06 Oct 2018 04:37:02 GMT

under unified logs i see the application DNS and when i click on detailed log view sometimes i see

type as vulnerability and action reset both session end reason threat

type as spyware and action as drop session end reason threat

Need to know type vulnerability and spyware are using this security profiles vulnerability and antispyware?

why DNS traffic shows as spyware?

also when we see that session end reason is threat does it mean PA drops the traffic ???

Re: traffic logs as type - spyware and vulnerability -------session end reason threat

BPry — Sun, 07 Oct 2018 15:44:37 GMT

@MP18,

DNS can be identified via a number of different vulnerabilities and spyware signatures, and the action would be dependent on the profile applied to this traffic.

More often then not when DNS traffic is identified with Spyware signatures it's due to the user requesting certain domains that have been identified and this traffic will almost always have an action of drop if you've left everything setup to default. With the action setup as Drop the client simply wouldn't be able to resolve the domain.

DNS traffic is actually failry reqularly seen under Vulnerability and some of them are simply informational ( 'DNS Zone Transfer AXFR Response' 'DNS Zone Transfer AXFR Attempt'). You'd either have to share the signature you are hitting or really look at your profile to figure out what's exactly going on here.

session_end_reason threat doesn't necissarily mean anything other then a threat was identified somewhere within the session traffic. Going into detailed log view will show you exactly what happended and what action was taken once the threat was identified.

Re: traffic logs as type - spyware and vulnerability -------session end reason threat

MP18 — Sun, 07 Oct 2018 16:23:18 GMT

strange thing is that under unified i only see traffic logs no threat logs.

when i go to threat logs i see this signature 18003.

unified logs does not show threat logs and threat id.

so it means that this signature as per threat vault is anti spyware signature.

how often this antispayware signature gets dynamic updates?

if i use app override for the dns application traffic then i will avoid the l4 to l7 inspection right?

Regards

Mike

Re: traffic logs as type - spyware and vulnerability -------session end reason threat

BPry — Sun, 07 Oct 2018 16:36:05 GMT

@MP18,

You can enable or disable what Log Types you wish to show in the Unified Logs, verify that you have Threat enabled. Click on the 'Effective Querries' icon to the left of the magnifying glass if using the GUI, then make sure the little check box by Threat is checked.

"unified logs does not show threat logs and threat id.

so it means that this signature as per threat vault is anti spyware signature."

- Correct, 18003 detects data infiltrations over DNS; I haven't known this signature to be wrong unless using certain antivirus products that actually update information via DNS. I would highly recommend you look into the machine that is getting identified and verify it isn't infected.

"how often this antispayware signature gets dynamic updates? Doesn't really have a set schedule, updates are pushed as needed. Once a month Palo Alto pushes new application signatures, but updates can be multiple times per week and even multiple per day.

if i use app override for the dns application traffic then i will avoid the l4 to l7 inspection right?"

Depends on how you build it out, if you override to DNS then no, inspections would still take place since DNS is a built-in application. Regardless, I really wouldn't recommend this as DNS is actively used to extract information.

Re: traffic logs as type - spyware and vulnerability -------session end reason threat

MP18 — Sun, 07 Oct 2018 17:12:54 GMT

i check on the left hand side and verify that show effective queries all is selected.

threat is also checked there.

does this mean it is antispy ware signature as we do not see this under unified logs?

on threat logs i see attack and victim.

and machines are dns server and proofpoint appliance.

so when i see attacker and victim how can i know which is source and destination ?

is victim always be the affected in threat logs?

Appoverride

i have built custom app with app dns and port tcp and udp 443.

then i created app override policy

then under security policy i have choose this custom app dns on tcp and udp port 443.

i have read that if you use app override then PA doet do anything afrom l5 to l7?

please confirm this?