ID 3805790 and 3805788 DNS lookup

L3 Networker

ID 3805790 and 3805788 DNS lookup

Hello, I'm looking for more information on these Threat IDs, 3805790 and 3805788.

In Monitor --> Threat:

The Type Field is showing up as spyware.

The Attacker Field IP is a private IP address.

The Victim Field IP is a public IP address. The Victim Field public IP address is not the same, and it does not match what shows up in the Name Field.

The Victim Field IP addresses are clean from all the research I can find.

I would like to know why Palo Alto keeps showing these IDs, 3805790 and 3805788.

L7 Applicator

Re: ID 3805790 and 3805788 DNS lookup

It looks like both of your threats are generic:weebcan.rapidsys.com identities. Your private address is in the attacker field because it is the "attacker" in this scenario; that information is probably correct. Both were released on 6-29 of this year.

It's being identified because rapidsys is being identified as a hacked website at the moment, which is why they pushed out the threat with WildFire. I imagine that someone is either accessing or you yourself are hosting a website using the service. It's a pretty sound signature from what I can see, so I don't see how it could really be a false positive.

L3 Networker

Re: ID 3805790 and 3805788 DNS lookup

Thank you for the reply BPry

What I still do not understand is why there are IP addresses in the Victim Field that do not show up as weebcan.rapidsys.com. For example, I am seeing a DNS server (private IP) request to a university (public IP) listed as spyware, with the name and ID all the same. I have many different examples of this issue.

L7 Applicator

Re: ID 3805790 and 3805788 DNS lookup

That I'm not sure about. It might be worth doing a packet capture and seeing specifically where that traffic is going and what it's doing. I haven't seen that signature throw a false positive on our 3020s or 200s, but if you send the university's public IP address I could connect to it and see if it's something to do with the threat signature or if it's specific to your equipment.

L3 Networker

Re: ID 3805790 and 3805788 DNS lookup

I can put a request in for a packet capture on this. Is there a different way to look at this issue without a packet capture?

Here is the university IP address, 192.58.125.30, and here is another public IP address, 192.58.128.30.

Thank you for your help on this.

L4 Transporter

Re: ID 3805790 and 3805788 DNS lookup

Hi,


The "victim" here should be the DNS server that received the DNS request. Depending on where your firewall is located on your network, it can be your internal DNS server, or an external DNS server where the request got forwarded.


Benjamin

L3 Networker

Re: ID 3805790 and 3805788 DNS lookup

Well, the victim shows up as an external DNS server. When I use the resolve hostname option on the Palo Alto device, it shows what I believe are root DNS servers.

It seems that all DNS lookups are showing as these ID numbers, and the public IP addresses are not those IDs. So, I do not know what to think of this.

L7 Applicator

Re: ID 3805790 and 3805788 DNS lookup

I can't get to either of those IP addresses, but if you know the IP addresses for everything then you could make exceptions for them or disable that ID on your PA altogether. I would recommend getting a packet capture done though, because it sounds like something with your DNS server specifically that this signature doesn't like, and it could be that nobody else is really seeing the same issue.

L3 Networker

Re: ID 3805790 and 3805788 DNS lookup

Thank you BPry

I know the Palo Alto has an option for packet capture, but I do not have the rights to do one. Would you please provide what kind of packet capture settings I can put in the request for this?

If the packet capture does not need to be on the Palo Alto, where should the packet capture be taken from, with a few settings applied?

L7 Applicator

Re: ID 3805790 and 3805788 DNS lookup

THIS will help you know what you need for a packet capture, but essentially it will be source IP, destination IP, the application if it's reporting as the same one all the time, and then you can filter further from there. Pass that PCAP along to your SE and they can start the process of either identifying why it's being hit or getting the signature updated. In the meantime I would disable that signature and let the traffic pass, as long as you are confident that the servers that you are connecting to are clean.
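As an added example (not posted by anyone in this thread), a small triage script for the approach Benjamin and BPry describe: before requesting a capture or disabling the signature, confirm that every hit for 3805790/3805788 has the same shape (internal source, external resolver, DNS on port 53) and pull the source/destination/application triple, the three filter fields named above, for any hit that does not. The CSV layout, the 10.x sources and 198.51.100.7 are constructed for the example; the real PAN-OS threat log has many more fields, and only 192.58.125.30 and 192.58.128.30 come from the thread.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in a simplified CSV. This is NOT the real PAN-OS threat
# log field order, only the columns this triage needs. 192.58.125.30 and
# 192.58.128.30 are quoted in the thread; every other value is made up.
SAMPLE_THREAT_LOG = """\
threat_id,type,name,src,dst,dport,app
3805790,spyware,generic:weebcan.rapidsys.com,10.1.1.5,192.58.128.30,53,dns
3805788,spyware,generic:weebcan.rapidsys.com,10.1.1.5,192.58.125.30,53,dns
3805790,spyware,generic:weebcan.rapidsys.com,10.1.1.5,198.51.100.7,53,dns
3805788,spyware,generic:weebcan.rapidsys.com,10.1.1.22,198.51.100.7,443,ssl
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True for private (RFC 1918) IPv4 addresses; everything else is 'external'."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def fits_resolver_pattern(row):
    """The shape described in the thread: an internal client or forwarding DNS
    server as 'attacker', an external resolver as 'victim', DNS on port 53."""
    return (is_rfc1918(row["src"]) and not is_rfc1918(row["dst"])
            and row["dport"] == "53" and row["app"] == "dns")

def triage(log_text):
    """Per threat ID: the set of resolvers hit by the expected pattern, plus
    any hits that break it (those are the ones worth capturing first)."""
    by_id = defaultdict(lambda: {"resolvers": set(), "outliers": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        bucket = by_id[row["threat_id"]]
        if fits_resolver_pattern(row):
            bucket["resolvers"].add(row["dst"])
        else:
            bucket["outliers"].append(row)
    return dict(by_id)

def capture_filters(by_id):
    """Source IP, destination IP and application for each outlier: the fields
    a firewall packet-capture filter request would start from."""
    return sorted({(r["src"], r["dst"], r["app"])
                   for b in by_id.values() for r in b["outliers"]})

if __name__ == "__main__":
    result = triage(SAMPLE_THREAT_LOG)
    for tid, b in sorted(result.items()):
        print(tid, "resolvers:", sorted(b["resolvers"]),
              "outliers:", len(b["outliers"]))
    print("capture filters:", capture_filters(result))
```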
