Suspicious traffic from internal to External IP

Reply
Highlighted
L0 Member

Suspicious traffic from internal to External IP

Hi All,

 

Recently on my SIEM console. I could observe the web traffic from the internal host machine towards the blacklisted IP over the port 443. Alert was flagged by the PaSeries (Palo alto firewall). Two events I have observed 

1)  CryptoMiner.Gen Malicious Script Detection

2)Traffic End

 

First event contains below information

Application=web-browsing

proto=tcp|action=reset-both

ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)

URLCategory=insufficient-content

Flags=0x81502000

 

Second event contains below information

Application=web-browsing

proto=tcp|action=allow

URLCategory=insufficient-content

totalBytes=25865|dstBytes=24296|srcBytes=1569|totalPackets=27

Flags=0x1500010.

 

Based on the above events I assume , From the web browser this traffic would have been generated because it was mentioned as (Application=web-browsing) and the threat Id contains CryptoMiner.Gen Malicious Script Detection , probably some js script will be present in browser which may cause this traffic.

 

On first event CryptoMiner.Gen Malicious Script Detection, action is mentioned as reset-both. it means that connection was unsuccessful ?

But on second event Traffic End, action is mentioned as allow but on my payload i am unable to view Session End Reason field to determine the actual reason of traffic end.

 

Since I am new to analyse the paloalto  logs. Please advise do i need to take any action for the above events.

 

Thanks in Advance

 

Highlighted
L7 Applicator

Re: Suspicious traffic from internal to External IP

Hello,

Reset-both means that the PAN send a rest packet to both the server and the client to terminate the connection, so yes the connection was successful but the PAN saw bad stuff and reset the connections. Also check the 'Type or Log Subtype', depends on which log you are looking at, column as it often also has useful info.

https://docs.paloaltonetworks.com/cortex/explore/explore-schema-reference/long-field-descriptions/pa...

 

Hope that helps. 

Highlighted
L0 Member

Re: Suspicious traffic from internal to External IP

Thank you for the clarification

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!