We got the below threat alert from Panorama and are not able to understand most of it, like the source and destination. Both IPs look to be outside my network, but it is still showing the rule Outbound_Default_URL_IPS, one of my outbound policies with a threat prevention profile. Can anyone please explain this to me?
I am wondering how an external IP can be the source IP on an internal interface of the firewall?
THREAT ALERT : high : 169.254.254.238 -> 169.254.255.255 Microsoft Windows NAT Helper DNS Query Denial of Service(31339) alert
receive_time: 2014/08/13 03:10:35
time_generated: 2014/08/13 03:10:30
time_received: 2014/08/13 03:10:34
threatid: Microsoft Windows NAT Helper DNS Query Denial of Service(31339)
The address is not outside your network; these are the reserved addresses for DHCP link-local autoconfiguration, used when no DHCP server is seen by a client requesting a DHCP address. You can see the RFC and a general description on the web sites here.
For any threat, the place to go is a search of the Threat Vault for the details. Take the threat number and plug it into the search form here.
And the details on this threat are then here.
The result is that this is an attack on Windows servers in your environment. So the challenge now is to see which of your workstations are responsible for sending out these packets. This will be a manual process, since all you have in the logs is the bogus DHCP link-local address. You will need to trace back to the switches to see if you can associate this traffic with MAC addresses at some point in the chain.
Once you find the computers responsible, you will need to clean whatever malware on them is creating this traffic.
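As an added illustration (not code from the thread or from Palo Alto Networks), the small triage helper below parses the alert line quoted in the question, pulls out the threat ID for the Threat Vault lookup, and labels each address so it is immediately obvious that 169.254.x.x is a link-local (APIPA) address from a host on a local segment rather than an external source. The alert line format and the field names are taken from the question; the helper names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Shape of the alert summary line as quoted in the question:
# "THREAT ALERT : <severity> : <src> -> <dst> <threat name>(<threat id>) <action>"
ALERT_RE = re.compile(
    r"^THREAT ALERT\s*:\s*(?P<severity>\w+)\s*:\s*"
    r"(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"(?P<name>.+?)\((?P<tid>\d+)\)\s+(?P<action>\w+)\s*$"
)


@dataclass
class ThreatAlert:
    severity: str
    src: str
    dst: str
    name: str
    threat_id: int  # the number to plug into the Threat Vault search
    action: str


def parse_alert(line: str) -> ThreatAlert:
    """Parse one Panorama/PAN-OS threat alert summary line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return ThreatAlert(m["severity"], m["src"], m["dst"],
                       m["name"].strip(), int(m["tid"]), m["action"])


def classify(addr: str) -> str:
    """Label an address so a triager sees at once whether it can be external."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        # 169.254.0.0/16 (RFC 3927) is never routed, so the sender is on a local
        # segment; 169.254.255.255 is the broadcast address of that block.
        return "link-local (APIPA, RFC 3927)"
    if ip.is_private:
        return "private (RFC 1918)"
    if ip.is_multicast:
        return "multicast"
    return "public"


def triage(line: str) -> dict:
    """Summarise an alert: threat ID, address classes, and whether the source is local."""
    a = parse_alert(line)
    src_ip = ipaddress.ip_address(a.src)
    return {
        "threat_id": a.threat_id,
        "src_class": classify(a.src),
        "dst_class": classify(a.dst),
        "local_origin": src_ip.is_link_local or src_ip.is_private,
    }
```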
I hate to sound like a wet blanket, but we see a lot of false positives from PA's threat signature engine. So, tiwara, I would suggest you be careful about "jumping the gun" and assuming the client is infected... it might just be normal Windows behavior.
We again got the same alert from the PA threat engine; however, we are not able to find the IP in the network, and it is also not associated with any of the web servers. If it is a false positive, how can we stop these alerts from being generated?
You can create a threat exception by clicking on the name of the threat in the threat log. The pop-up window will allow you to select which security profile to add the exemption to, and also to add an IP address if you only want to turn the signature off for a specific IP address, as opposed to turning the signature off for the entire security profile.
Awesome... completed. Thanks, everyone :smileyhappy: