Threats log for denied packets

L1 Bithead

Dear all,

I currently have a generic rule which blocks netbios-like traffic to and from the internet with a simple deny. As this traffic is very likely to be malware generated (at least in my context) I have enabled a simple alert-only antivirus profile on that rule, but I don't get any entries in the threat logs. On the other hand, when I turn the rule to be accept instead of deny, the threat logs are filled with virus alerts.

So, does the deny have precedence over the antivirus profile, discarding the packet before it has a chance to be analysed?

If so, what can I do to achieve what I described?

Thanks a lot.

3 REPLIES

L4 Transporter

If your security rule is blocking by port number then the traffic will probably be dropped before any type of application ID can be done or threat can be detected.  If you are blocking by application signature then you will see the application in the traffic log, but the packets are being dropped before any threat can come through. In other words, you are seeing the application session initiation but no payload.

A rule of thumb is to never turn on any profiles for a deny rule.  There is no need since the packets are dropped by policy and not inspected any further.  Profiles are only useful for allowed traffic.

Kelly

Could these rules of thumb be compiled into a single pdf? 🙂

Thank you for this quick answer, this is indeed what I had deduced too.

So is there a way to achieve this? We are already generating an "oddly behaving machines" report on allowed traffic, but having also the denied one would make this report much more useful.

Any thoughts?
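Since the threat log stays empty for a deny rule but the traffic log still records each denied session, the report the poster wants can be built from the traffic log instead. The script below is an added example, not code from this thread or from Palo Alto Networks; the log line layout is a constructed simplification, and the rule name "Block NetBIOS Internet" is an assumed placeholder.

```python
import re
from collections import defaultdict

# Constructed sample traffic-log lines (NOT real PAN-OS output; the field
# layout is an assumption chosen for illustration): one session per line.
SAMPLE_TRAFFIC_LOG = """\
2024-01-01T10:00:01 rule="Block NetBIOS Internet" action=deny src=10.1.1.20 dst=203.0.113.5 dport=137 app=netbios-ns
2024-01-01T10:00:02 rule="Block NetBIOS Internet" action=deny src=10.1.1.20 dst=203.0.113.6 dport=445 app=ms-ds-smb
2024-01-01T10:00:03 rule="Block NetBIOS Internet" action=deny src=10.1.1.20 dst=203.0.113.7 dport=139 app=netbios-ss
2024-01-01T10:00:04 rule="Block NetBIOS Internet" action=deny src=10.1.1.31 dst=203.0.113.5 dport=137 app=netbios-ns
2024-01-01T10:00:05 rule="Allow Web" action=allow src=10.1.1.20 dst=198.51.100.9 dport=443 app=ssl
2024-01-01T10:00:06 rule="Block NetBIOS Internet" action=deny src=10.1.1.20 dst=203.0.113.8 dport=445 app=ms-ds-smb
"""

# key=value pairs; the value is either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one log line into a dict of field -> value (quotes stripped)."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields

def denied_hosts_report(log_text, rule_name, min_sessions=2):
    """Summarise denied sessions per internal source host for one deny rule.

    Returns {src: {"sessions": n, "destinations": set, "apps": set}} for
    sources with at least min_sessions denied sessions on that rule, so a
    host repeatedly trying to reach the internet on netbios/smb stands out.
    """
    per_src = defaultdict(lambda: {"sessions": 0, "destinations": set(), "apps": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("action") != "deny" or rec.get("rule") != rule_name:
            continue  # only denied sessions on the rule of interest
        entry = per_src[rec["src"]]
        entry["sessions"] += 1
        entry["destinations"].add(rec["dst"])
        entry["apps"].add(rec.get("app", "unknown"))
    return {src: e for src, e in per_src.items() if e["sessions"] >= min_sessions}

if __name__ == "__main__":
    report = denied_hosts_report(SAMPLE_TRAFFIC_LOG, "Block NetBIOS Internet")
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["sessions"]):
        print(f"{src}: {e['sessions']} denied sessions, "
              f"{len(e['destinations'])} destinations, apps={sorted(e['apps'])}")
```

On a real firewall the same filter (action equal to deny, rule equal to the netbios deny rule) can be applied to the exported traffic log before feeding it to this kind of per-host aggregation.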
