topic Re: Suspicious TLS Evasion Found(14978) in General Topics

Suspicious TLS Evasion Found(14978)

Jafar_Hussain — Mon, 13 Sep 2021 13:29:13 GMT

Dear Team,

I have configured the web service behind PA. and attached the security profile . i can see in the thread logs the thread is generating "Suspicious TLS Evasion Found(14978)".

i have gone through the below KB but didn't understand

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBwCCAW&lang=en_US%E2%80%A9

moreover, I can see the thread signature is showing in excpetion so I have enabled this and put the action is alert. the severity is informational. do i need to take any action on this?

the severity is informational

Re: Suspicious TLS Evasion Found(14978)

LAYER_8 — Mon, 13 Sep 2021 17:55:29 GMT

Please see our best practices guide here, in which we recommend changing the default alert behavior to drop.

Re: Suspicious TLS Evasion Found(14978)

BPry — Mon, 13 Sep 2021 20:58:40 GMT

@Jafar_Hussain,

The piece that is actually relevant to your alert:

Evasion signatures that detect crafted HTTP or TLS requests can send alerts when clients connect to a domain other than the domain specified in the original DNS request. Make sure to configure DNS proxy before you enable evasion signatures. Without DNS proxy, evasion signatures can trigger alerts when a DNS server in the DNS load balancing configuration returns different IP addresses—for servers hosting identical resources—to the firewall and client in response to the same DNS request.

If you haven't used a DNS proxy object you can ignore these alerts, or override the action to allow so you don't have them filling up your threat logs. By default the 14978 signature is actually already set to allow, so you've actually modified the default action or setup a policy that otherwise overrides the default action for simple-informational alerts to receive any notice about these threats to begin with.

I'd recommend that you either configure the dns proxy object and get that setup so the signature actually functions correctly, or you set the action back to allow. Without the DNS proxy configured they aren't going to work effectively, which is why they are setup as informational allowed threats.

Re: Suspicious TLS Evasion Found(14978)

Jafar_Hussain — Tue, 14 Sep 2021 06:29:56 GMT

@BPryI have checked, according to the below documents the best practice is we should set the action drop for the evasion signature 14978.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions.html

moreover, if i set the action drop so the service is stopped and drop all the traffic for my server, that I have attached the antispyware profile.

i have configured below antispyware profile:-

so now, i want to allow the traffic but an alert should not come. what i need to do.

- Do i need to allow the traffic instead of alert in the exception?

- If alerts are coming so i can ignore?

- or to work properly do i need to configure the DNS proxy. i believe if i configure the DNS proxy and if i will put in the antispyware rule and exception all the things is drop. it will work or not?

Re: Suspicious TLS Evasion Found(14978)

LAYER_8 — Wed, 15 Sep 2021 16:13:32 GMT

DNS Proxy just allows the firewall to cache DNS responses and forward to your internal server, if you choose. See here. You *must* configure a DNS proxy for the TLS evasion blocks to work properly.