Advanced Threat Prevention Discussions
Welcome to the Advanced Threat Prevention discussion area. Here, we explore Precision AI-powered protection that stops zero-day malware, exploits, and command-and-control attacks in real time—ensuring proactive defense and resilience against today’s most sophisticated threats.

Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating: Rules and Best Practices Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussions are encouraged; disrespectful or inflammatory comments are not. Stay On-Topic: This board is d...

JayGolf by Community Team Member
  • 4170 Views
  • 0 replies
  • 0 Likes

Completely puzzled - Unique Threat ID: 193986039

Hi, did anyone have WildFire Threat events with the following Unique Threat ID: 193986039? Threat Vault provided me the following information: Signature Release; Domain Name; Type Name: generic:ecompassesfarringdon.com; Unique Threat ID: 193986039; Create Time: 2018-01-18 10:45:23 (UTC); Threat ID: 4035508; Current Release: 2497 (2018-01-19 UTC); First Releas...

Resolved! WildFire not Blocking File with 'malicious' Verdict

Hi, I am playing in a lab with WildFire and I would like to drop file downloads that are analyzed by WildFire with a malicious verdict. I have configured the following WildFire submission profile. I created a WildFire profile (copy of the default): admin@PA-220# show wildfire { rules { default { application any; file-type any; direction both; analysis public-clou...

GOMEZZZ by L2 Linker
  • 25061 Views
  • 2 replies
  • 0 Likes

Mass unsubscribe

I work for an email marketing company. We have a sender who sent out 3 separate email blasts to over 1 million contacts. They had a very high unsubscribe rate. After our engineering team looked at the logs, we see that all the unsubscribes happened seconds apart but were all from different domains. We noticed that they were coming from these IP'...

NoyesJ by L1 Bithead
  • 10990 Views
  • 8 replies
  • 0 Likes

Resolved! IP blocking on IP scan

I wonder if there is dynamic blocking of an IP if, in a short period of time, that IP did an IP scan or tried the same vulnerability attack on our IP range, because the attack was once on each policy rule it doesn't reach the vulnerability protection limit for blocking the IP. So if the monitor logs show the same IP on different policy rules in a short period it...

SShnap by L3 Networker
  • 11999 Views
  • 5 replies
  • 0 Likes
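The mass-unsubscribe thread and the IP-scan thread above describe the same shape of evidence: one source IP touching many distinct targets (recipient domains in one case, security policy rules in the other) within a few seconds, where no single target crosses a per-rule threshold. The Python below is an added example written for this page; it is not code from either poster or from Palo Alto Networks, and the comma-separated log layout and the RFC 5737 addresses in it are constructed for illustration, not the PAN-OS threat log schema or any mail platform's format. It correlates events per source IP over a sliding window and reports sources that hit at least N distinct targets inside that window, which is the list a practitioner would feed into a block list or a dynamic address group.

```python
"""Burst correlation across distinct targets per source IP.

Added example. The log format below is constructed for illustration and is
NOT the PAN-OS threat log schema or any mail platform's log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, target.
# For the scan case "target" is the policy rule that matched; for the
# unsubscribe case it would be the recipient's domain. Addresses are
# RFC 5737 documentation ranges, chosen so nothing here is a real host.
SAMPLE_LOG = """\
2018-03-06T17:20:01Z,203.0.113.7,rule-web-dmz
2018-03-06T17:20:03Z,203.0.113.7,rule-mail-dmz
2018-03-06T17:20:04Z,198.51.100.9,rule-web-dmz
2018-03-06T17:20:06Z,203.0.113.7,rule-vpn-edge
2018-03-06T17:20:08Z,203.0.113.7,rule-web-dmz
2018-03-06T17:20:09Z,203.0.113.7,rule-dns-public
2018-03-06T17:25:00Z,198.51.100.9,rule-mail-dmz
2018-03-06T17:30:00Z,198.51.100.9,rule-vpn-edge
"""


def parse_events(text):
    """Yield (timestamp, src_ip, target) tuples from the constructed CSV format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, target = line.split(",", 2)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, target


def find_burst_sources(events, window_seconds=60, min_targets=3):
    """Return {src_ip: set(targets)} for sources that hit at least
    `min_targets` distinct targets within any span of `window_seconds`.

    A per-source deque keeps the events still inside the window; anything
    older than the window relative to the newest event is dropped before
    distinctness is evaluated. A source hammering one rule repeatedly is
    therefore not flagged (that is the per-rule threshold's job), while a
    scanner walking many rules, or one IP unsubscribing many domains, is.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(events)  # tuples sort by timestamp first
    recent = defaultdict(deque)
    flagged = {}
    for ts, src, target in events:
        q = recent[src]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= min_targets:
            flagged.setdefault(src, set()).update(targets)
    return flagged


if __name__ == "__main__":
    hits = find_burst_sources(parse_events(SAMPLE_LOG))
    for src, targets in sorted(hits.items()):
        print(f"{src}: {len(targets)} distinct targets in window -> {sorted(targets)}")
```

With the defaults, 203.0.113.7 is reported after its third distinct rule within a minute, while 198.51.100.9, which spreads three rules across ten minutes, is not; widening `window_seconds` to fifteen minutes catches the slow scanner too, so the window is the knob that trades detection of low-and-slow probing against false positives from legitimate multi-service clients.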

Resolved! YouTube risk

Hi guys. In Palo Alto Firewall version 7.1.8, the youtube-base application is categorized with risk 4, because it is Used by Malware and Has Known Vulnerabilities. I tried to search for information about it but I couldn't find it yet. There is some information in https://live.paloaltonetworks.com/t5/General-Topics/RIYADH/m-p/168130#M53616, but it doesn't...

DNT_FLAR by L0 Member
  • 7125 Views
  • 2 replies
  • 0 Likes

Resolved! How to block Crypto Miner (javascript)

This week I noticed a "CoinHive Javascript Detection" in the logs of our Palo Alto. When reading on the subject I noticed that there are websites around that use JavaScript to start mining crypto coins on the users' computers. https://live.paloaltonetworks.com/t5/Community-Blog/Unauthorized-Coin-Mining-in-the-Browser/ba-p/183457 Detailed descripti...

Command & Control or Just Ads?

In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising. I have checke...

DIRTT by L2 Linker
  • 9972 Views
  • 5 replies
  • 3 Likes

Resolved! Threat ID 39341 - Metasploit Windows Meterpreter Reverse HTTPS Detection

Hi, does anyone know if this signature is expected to trigger based on *unencrypted* SSL traffic, or on a Meterpreter session in a decrypted session? Obviously the former would be useful (to say the least), but I assume it will be trying to detect based on aspects of the certificate being used (assuming no custom cert has been injected into the st...

apackard by L4 Transporter
  • 7406 Views
  • 1 reply
  • 0 Likes

Palo Alto not flagging dangerous/malicious IP addresses as such?

Hi, today I sent two requests to Palo Alto to get 2 IPs categorized as malicious (Command and Control). The IPs are: 45.33.9.234 and 199.59.242.150. The current category for both of them is: insufficient-content. However, these IPs are being associated with botnet/command and control behavior by our SIEM and flagged as such, as our Palo Alto Networks a...

yschinck by L1 Bithead
  • 6722 Views
  • 3 replies
  • 0 Likes

Resolved! Daily Shodan scan?

Hello all, we just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept that I will be seeing this scan every day from now on? Threat Name: Gh0st.Gen Command and Control Traffic; Attacker: 66.240.205.34
