DOTW: Threat Log Spammed



Why is my threat log being spammed all of a sudden? This discussion from a while back resurfaced because another user had exactly the same thing happen to him. Since it is a recurring issue, I thought it deserved a little more attention. See what it's all about and what you can do about it. Find your answers here on the LIVEcommunity.


The initial Threat Log Spammed discussion was posted in early 2020 by @Maxstr. He posted that for a couple of days his threat log had been spammed with the vulnerability type NON-RFC Compliant DNS Traffic on Port 53/5353. He was concerned about this recent change in behavior, wanted more information, and also wanted to know what he could do about it.

[Screenshot: Threat Vault entry for the signature]

He posted this message on January 9, 2020. As you can see from the Threat Vault information, Palo Alto Networks added this new Threat ID to the Threat Vault on January 7 (First Release).

[Screenshot: Threat Vault release information for the signature]

Sure enough, whenever a new threat ID is added it can cause a change in behavior: traffic that seemed fine before can start triggering new threats as signatures are added to the database. In some cases those are false positives, but, as our Cyber Elite @BPry pointed out back in 2020, this was a valid threat.

[Screenshot: @BPry's reply in the original discussion]

He also proposed a way to stop this from spamming the logs. In some cases, even though the threat is valid, you might want to ignore the message. For example, because the severity is only 'Informational' you may decide to accept the risk (not something you want to do with Critical severities) and simply ignore these messages or prevent them from filling up your logs!


Earlier this week, user @felcor saw exactly the same thing, on a slightly different threat ID:

[Screenshot: @felcor's threat log entry]

As our Cyber Elite @MP18 pointed out, this signature also has an Informational severity.


Now, let's say you want to follow @BPry's advice and make an exception in the vulnerability profile. You do that under Objects > Security Profiles > Vulnerability Protection Profile. In your profile, go to the Exception tab to change the response to a specific signature. The default action for this specific threat ID is Alert, but as pointed out in the reply, you could set it to Allow. (1)


Additionally, if you're unsure whether or not this is a false positive, you can choose to have a PCAP (Packet Capture) created. (2)

Don't forget to apply your security profile to a security policy, or it won't have any effect.

[Screenshot: Exception tab of the Vulnerability Protection profile, with the action (1) and packet capture (2) settings marked]

The PCAP can then be downloaded from the threat log and forwarded to TAC for analysis, to confirm whether or not you're dealing with a false positive.
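
As an added example (not code from the original discussion or from Palo Alto Networks), the following Python script triages an exported threat log the way the discussion suggests: it tallies volume per signature, flags only Informational signatures that dominate the log as candidates for a risk-accepted exception, and produces the PAN-OS CLI lines for that exception with packet capture enabled so a PCAP is available for TAC. The CSV column names, the CLI syntax and the threat IDs are assumptions and placeholders, not values taken from the post.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a threat log CSV export. The column names are an assumption
# about the export format, and the IDs in parentheses are placeholders rather than
# the real signature IDs shown in the discussion's screenshots.
SAMPLE_CSV = """Receive Time,Type,Threat/Content Name,Severity,Action,Repeat Count
2020/01/09 10:00:01,vulnerability,Non-RFC Compliant DNS Traffic on Port 53/5353(PLACEHOLDER_ID_1),informational,alert,40
2020/01/09 10:00:02,vulnerability,Non-RFC Compliant DNS Traffic on Port 53/5353(PLACEHOLDER_ID_1),informational,alert,55
2020/01/09 10:00:03,vulnerability,Example Critical Signature(PLACEHOLDER_ID_2),critical,reset-both,1
2020/01/09 10:00:04,vulnerability,Example Medium Signature(PLACEHOLDER_ID_3),medium,alert,4
"""

# PAN-OS writes the threat ID in parentheses after the threat name.
NAME_RE = re.compile(r"^(?P<name>.*)\((?P<tid>[^()]+)\)$")


def parse_threat_name(field):
    """Split 'Name(ID)' into (name, id); id is None if the field has no suffix."""
    m = NAME_RE.match(field.strip())
    return (m.group("name"), m.group("tid")) if m else (field.strip(), None)


def summarize(csv_text):
    """Volume per signature keyed by (threat id, name, severity), weighted by Repeat Count."""
    volume = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Type"] != "vulnerability":
            continue
        name, tid = parse_threat_name(row["Threat/Content Name"])
        volume[(tid, name, row["Severity"].lower())] += int(row["Repeat Count"] or 1)
    return volume


def exception_candidates(volume, min_share=0.5):
    """IDs that dominate the log AND are only Informational: the one case in which the
    post considers accepting the risk and silencing the signature reasonable."""
    total = sum(volume.values())
    return sorted(tid for (tid, _, sev), n in volume.items()
                  if sev == "informational" and n / total >= min_share)


def exception_commands(profile, threat_id):
    """PAN-OS CLI lines for the exception (syntax from memory; verify on your release):
    allow the signature but keep a single-packet capture for TAC review."""
    base = f"set profiles vulnerability {profile} threat-exception {threat_id}"
    return [f"{base} action allow", f"{base} packet-capture single-packet"]
```

Critical and Medium signatures are never returned as candidates, however noisy they are, because the post reserves exceptions for Informational severity.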


NOTE: Be extremely cautious when creating exceptions! Only create one if you are sure an identified virus is not a threat (false positive) or can safely be ignored. If you believe you have discovered a false positive, open a support case with TAC so that Palo Alto Networks can analyze and fix the incorrect signature.


Check out the original discussion and add your comments, suggestions, etc.: Threat log spammed with "Non-RFC Compliant DNS Traffic on Port 53/5353".


Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.


Stay Secure,
Kiwi out!