05-02-2012 07:55 AM
Hello,
after our recent newsletter distribution, we now see lots of blocked App-ID 'hotmail' in traffic directed to our web servers. Those are requests to HTML resources (images) just referred to from Hotmail website, most likely Hotmail users reading their mails via web frontend. Though it is indeed related to Hotmail, I doubt it should really be classified as hotmail application. What would it be about all the other web mail providers?
What do you think?
PCAP tracing decodes requests like this:
GET /imgs/mail/se_hdr_nav_misc.gif HTTP/1.1
Accept: */*
Referer: http://sn139w.snt139.mail.live.com/mail/InboxLight.aspx?n=1974317753
Accept-Language: de
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip
Host: www.lidl-shop.de
X-Forwarded-For: 217.69.228.161
x-chpd-loop: 1
Via: 1.1 PXY017-AMST.COTENDO.NET (chpd/4.04.0069)
Connection: Keep-Alive
05-02-2012 08:53 AM
I had the same problem, opened a case with support, and they told me that was as designed. That Hotmail was proxying some of the traffic. I think the problem is that the app is being triggered because of the referrer being hotmail.com/live.com, but I got tired of fighting and just allowed the app.
05-02-2012 09:23 AM
Thanks for the quick answer. So at least I'm not alone on this field nor making a general mistake.
Now I also explicitely allowed that app and as long as it was just Hotmail that's just ok. But if it was general policy by PAN to deduce an application from the HTTP Referer header, one has to allow hundreds of incoming applications (websites just linking to your own site), or rather just allow anything, thus losing one of PA's key features.
05-02-2012 09:31 AM
I kind of felt the same way.
Of course you could build your own HTTP app or use the App-Override function.
05-02-2012 02:24 PM
Try request app enhancement from the Apps and Threats Research Center.
http://www.paloaltonetworks.com/researchcenter/tools/
From there you can click on Submit an app and provide details there.
Hopefully they can use your PCAPs to make the hotmail app less false positive.
05-03-2012 01:31 AM
Thanks for your proposals.
@umphmharding: I already use application overrides for our SAP systems communications (SAP protocols are really poorly detected in PA), but doing so throws you back to classical address/port based firewalling. Especially for HTTP communication I'd prefer to have finer grained control on what's coming through the firewall, e. g. block WebDAV requests, which currently works fine. Explicitely denying unwanted apps would be too intricate and error-prone.
@mikand: I'd like to share the PCAPs with PA, but on your link I don't see a possibility to upload a PCAP file. I can only commit an URL and a comment. I wonder what this URL could be here?
05-03-2012 01:47 AM
I think in the main text you could ask a support engineer to contact you for PCAPs.
The URL I would guess would be the one you use for your server (hopefully they will not just blacklist your url from being detected as hotmail even if it would be a simple task).
Edit: Removed text regarding application override 😃
Edit2: Regarding blocking webdav and such you could create your own threat signatures to block anything that isnt HEAD/GET/POST or which http-methods you wish to allow (or create a custom app (using parent-app as SAP or whatever) where you define the same thing).
09-07-2012 09:31 AM
Hello all,
After doing some research I think this is an expected behavior. Hotmail has a feature called "Active Views". This will trigger the Hotmail Application to download the Content for you, so you don't need to access the refered Servers. More Information here: How do Hotmail Active Views work? - Use Active Views
09-24-2012 05:52 AM
Hello sduvoisin,
thanks for your contribution. I think you may be right and this may be PANs intention, but in my opinion this is some wrong logic. When speaking of applications with regard to network communication I usually mean the *server* application and not the client application.
If I'd need to filter on client applications - and that is e. g. Hotmail Active Views - I'd need two configurations for applications: source (or client) application and destination (or server) application, just as I am able to filter on source addresses/ports and destination addresses/ports. Otherwise, how should an admin know, whether a request by Hotmail Active Views to some Flash file will be categorized as hotmail or as flash?
Don't get me wrong, I do see the sense of sometimes controlling on the client application, e. g. to block certain bots and crawlers, but even then I might want to differentiate on the target application too. And in those cases I'd rather do blacklisting for client applications while doing whitelisting for server applications.
09-24-2012 09:04 PM
Did you get any answer from the app enhancement team regarding this?
I fully agree with you... even if one most of the times tries to protect clients from doing bad stuff one will also end up using a PA to protect servers from being used for bad stuff (depending on the definition of bad).
07-05-2013 11:16 AM
FYI - Here is the process for requesting new app-ids, reporting issues with existing app-ids:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
