Suspicious DNS Query Pan-DB and BrightCloud

Reply
Highlighted
L1 Bithead

Suspicious DNS Query Pan-DB and BrightCloud

We are using the BrightCloud URL DB for URL Filtering. Last week we had discovered an issue that users can’t access the URL http(s)://www.haalmeeruitjecard.nl

Searching the PaloAlto we see that is not blocked by the URL Log. BrightCloud says as URL Category “business-and-economy” and that is allowed.

Still the session can’t be setup and we did not see any block page at all.

Further looking we discovered that is blocked by the Anti-Spyware Rule with the Suspicious DNS Query action. We block Suspicious DNS Query query’s.

In the Thread log was reported : Suspicious DNS Query (www.haalmeeruitjecard.nl)!! Uuh this is a normal site here in the Netherlands.

So is it the Threat DB that this is causing??? NO, found out that the URL is marked in the PAN-DB Url Database as malware.

Requested a change for Pan-DB and after this was changed we had no more Suspicious DNS Query’s  for this url.

URL: www.haalmeeruitjecard.nl

Previous category: malware

You suggested: financial-services

New category: financial-services

The new categorization is available starting with URL DB version: 2014.09.22.221

Does this mean that the PaloAlto Device is using both URL database’s to provide protection?

Is it than maybe better to migrate to PAN-DB URL Database so that all information is provided from 1 DB?

Thanks for your responses.

Osman Bor

L7 Applicator

Re: Suspicious DNS Query Pan-DB and BrightCloud

Hello Osman,

PAN firewall is having multiple layer of protection on it. Example: The content/packet will be inspected by:

--- URL filtering database ( Bright Cloud or PAN DB) for categorization.

--- Application & Threat database for Vulnerability/DNS signature checking.

--- Antivirus database for virus /ANtispyware checking.

So, if any packet identified with malicious in nature, will be blocked by  the above mentioned database.

Thanks

L6 Presenter

Re: Suspicious DNS Query Pan-DB and BrightCloud

Hi Obor,

Please find Virus Total analysis for web site .haalmeeruitjecard.nl, it confirms its not malicious.

Scan report for http://haalmeeruitjecard.nl/ at2014-09-23 13:06:14 UTC - VirusTotal

Make sure your are on latest content. If issue still occurs than please open a case with TAC for false positive. They should fix it.

Changes will be reflected in next couple of days.

Regards,

Hardik Shah

L5 Sessionator

Re: Suspicious DNS Query Pan-DB and BrightCloud

Hi Osman,

Yes you are right, PA firewall uses both DB to protect your network. In your example, even though brightcloud categorizes the traffic as business-and-economy, URL in question was categorized as suspicious by PANDB (which turned out to be false positive in this case) and was blocked by our Spyware engine.

Migrating to PANDB might be a good option as we have total control over it, resulting in faster resolution for URL DB issues. Hope that helps. Thank you.

L1 Bithead

Re: Suspicious DNS Query Pan-DB and BrightCloud

Hulk,

Yes it correct what your saying and with the answer of ssharma it looks like this now:

--- URL filtering database ( Bright Cloud or PAN DB) for categorization.

--- Application & Threat database & PAN DB for Vulnerability/DNS signature checking.

--- Antivirus database for virus /ANtispyware checking.

Regards,

Osman Bor

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!