topic Re: Domain is pointed as Malware in General Topics

Domain is pointed as Malware

wolfrene — Mon, 05 Aug 2013 15:32:19 GMT

Hello,

today we had a suspicious DNS Query warning because we tried to reslove a domain (pandaro.be).

So Palo Alto gets information about domains and checks some information about these domeains.

My questions about this:

1/ What is PA using to decide which status a domain gets

2/ What is PA checking at a domain to decide about the status

2/ If a domain is known as Malware what has to be done to get it clean

Thanks and Greetings,

Rene

Re: Domain is pointed as Malware

craymond — Mon, 05 Aug 2013 15:59:58 GMT

The Websites are categorized by Brightcloud if you have that subscription or by Palo if you are using Palo's. If this was a threat (shows up in the threat log), then it matches a signature defined as a threat/vulnerability. All (decent) firewall's use "signatures" or criteria that defines legit from illegitimate or questionable traffic. Most threats/vulnerabilities are already recognized/categorized by varying groups including the software makers themselves, and are submitted to the MITRE and is included in the NVD called CVEs (Computer Vulnerabilities & Exposures). If I understand you correctly you saw the following threat:

DNS ANY Suspicious Query

Overview

Attack Name	DNS ANY Suspicious Query
Description	This alert indicates a suspicious specific DNS ANY reques.
Threat ID	35184
References	https://isc.sans.edu/diary.html?storyid=13261
Severity	medium
Category	info-leak

Re: Domain is pointed as Malware

Chatri — Mon, 05 Aug 2013 16:43:05 GMT

Hello Wolfrene,

PA is using a combination of the category of the URL, Known CVE IDs that may be associated with a domain.

The Palo Alto content team constantly keeps monitoring and reevaluating the malicious or benign nature of such URLs.

The best way to get a domain clean that has been categorized as Malware is to have a TAC case opened up with pcaps of the threat traffic ( this can be done by enabling pcap on the threat profile that triggered this threat log), screen shot of the threat log and the tech support file.

The TAC will have this domain re-evaluated by the Content team and if changes are made to this threat signature then push the change with the next content release.