Advanced Threat Prevention Discussions

Welcome to the Threat & Vulnerability Discussions!

To make this forum valuable and enjoyable for everyone, please review the following guidelines before participating:

Rules and Best Practices

Be Respectful: Treat fellow community members with professionalism and courtesy. Constructive discussion

...

Resolved! IP blcoking on ip scan

I wonder if there is dynamic blocking IP if on short period of time that IP did ip scan or try the same vulnerability attack on our IP range, becuse the attack was once on each policy rule it doesn't reach the vulnerability protection limit for block

...

Resolved! Youtube risk

Hi guys.

In Palo Alto Firewall 7.1.8 version, Youtube-base application is categorized with risk 4, because is Used by Malware and Has Known Vulnerabilities. I try to search for information about it but I couldn't find it yet. There is some informatio

...

Resolved! How to block Crypto Miner (javascript)

This week I noticed a "CoinHive Javascript Detection" in the logs of our Palo Alto.

When reading on the subject I noticed that there are websites around that use Javascript to start mining Crypto coins on the users' computer.

https://live.paloaltonetw

...

Threat Protection

Hi All,

If threat protection is enabled (subscribed) is it by default a global protection or can it be applied per interface?

Thank you in advance.

Meltdown and Spectre Vulnerability

Are PA devices effected by the meltdown and spectre vulnerability and if so, are these signatures known yet by PA?

Command & Control or Just Ads?

In the last few days I have seen alerts for berbew.jb C2 traffic(192730665) and dynamer.bayo C2 traffic(192442683). The odd thing here is that in the alert the same url is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=X

...

Resolved! Threat ID 39341 - Metasploit Windows Meterpreter Reverse HTTPS Detection

Hi,

Does anyone know if this signature is expected to trigger based on *unencrypted* SSL traffic, or on a Meterpreter session in a decrypted session?

Obviously the former would be useful (to say the least) - but assume it will be trying to detect bas

...

Palo Alto not flagging dangerous/malicious IP addresses as such?

Hi,

Today I sent two requests to get 2 IPs categorized as malicious (Command and Control) to Palo Alto. The IPs are:

45.33.9.234

199.59.242.150

The current category for both of them is: insufficient-content

However, these IPs are being associated with

...

Resolved! SMB login attempt - server initiated

Is it normal for DC trying o reach systems on 445 and 139

I get bruteforce alerts for only 1 system, even though DC is trying to reach almost every system in that zone on 445/smb

Resolved! Daily Shodan scan?

Hello all,

We just recently made the Shodan wall of fame and I'm now getting their scan showing up every day in my Threat log. Our action is set to reset. What do you typically do in this case? Should I ignore this and accept I will be seeing this sc

...

Strange TCP traffic from PAN Firewall management IP going to Japan

Hi All,

I've noticed an strange event in our network. We have PAN 5020 and other PAN firewalls. The issue is from the management IP from one of them there is TCP traffic going to a Japanese server on port 135 (MSRPC). One of our Sensors detects it as

...

URL Filtering Implementation Best Practice

Hell everyone,

I have a vendor that is going to work on deploying the URL Filtering service in our Pan3020 but I wanted to undersandt/learn what the best approach is in order for to come up with an outcome that is manageable once they leave us. As o

...

RSA TLS crypto attack, ROBOT—short for "Return Of Bleichenbacher's Oracle Threat

Recent article talks about a newly discovered (but old) vulnerability:

https://arstechnica.com/information-technology/2017/12/a-worrying-number-of-sites-remain-open-to-major-crypto-flaw-from-1998/?comments=1&start=40

You can test your links her

...

Threat ID for Unsafe Characters in URLs

Is there a Threat signature to detect Unsafe/ Illegal characters in an URL? I've searched the ThreatVault but I couldn't find any unfortunately.

For clarity this is what I'm talking about - https://perishablepress.com/stop-using-unsafe-characters-in-

...

Suspicious Abnormal HTTP Response Found

My customers are complaing that they're not able to open the website www.sligrofoodgroup.nl

Our "Antvirus / Anti Spyware Block Page" kicks in, and in the threat monitor i see it's blocked cause off the vulnerability "Suspicious Abnormal HTTP Response

...

Discussions

Welcome to the Threat & Vulnerability Discussions!

Rules and Best Practices

Resolved! IP blcoking on ip scan

Resolved! Youtube risk

Resolved! How to block Crypto Miner (javascript)

Threat Protection

Meltdown and Spectre Vulnerability

Command & Control or Just Ads?

Resolved! Threat ID 39341 - Metasploit Windows Meterpreter Reverse HTTPS Detection

Palo Alto not flagging dangerous/malicious IP addresses as such?

Resolved! SMB login attempt - server initiated

Resolved! Daily Shodan scan?

Strange TCP traffic from PAN Firewall management IP going to Japan

URL Filtering Implementation Best Practice

RSA TLS crypto attack, ROBOT—short for "Return Of Bleichenbacher's Oracle Threat

Threat ID for Unsafe Characters in URLs

Suspicious Abnormal HTTP Response Found

PAN-OS logs

Are there signature release for following vulnerabilities?

Cannot update Adobe Creative Cloud

App & Threat Content Comparison Utility

Wildfire False Positive for THREAT-ID 614284446

Unlock your full community experience!

Rules and Best Practices

Resolved! IP blcoking on ip scan

Resolved! Youtube risk

Resolved! How to block Crypto Miner (javascript)

Resolved! Threat ID 39341 - Metasploit Windows Meterpreter Reverse HTTPS Detection

Resolved! SMB login attempt - server initiated

Resolved! Daily Shodan scan?