App-ID 'hotmail' false positive?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

App-ID 'hotmail' false positive?

L1 Bithead

Hello,

after our recent newsletter distribution, we now see lots of blocked App-ID 'hotmail' in traffic directed to our web servers. Those are requests to HTML resources (images) just referred to from Hotmail website, most likely Hotmail users reading their mails via web frontend. Though it is indeed related to Hotmail, I doubt it should really be classified as hotmail application. What would it be about all the other web mail providers?

What do you think?

PCAP tracing decodes requests like this:

GET /imgs/mail/se_hdr_nav_misc.gif HTTP/1.1

Accept: */*

Referer: http://sn139w.snt139.mail.live.com/mail/InboxLight.aspx?n=1974317753

Accept-Language: de

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E; InfoPath.3)

Accept-Encoding: gzip

Host: www.lidl-shop.de

X-Forwarded-For: 217.69.228.161

x-chpd-loop: 1

Via: 1.1 PXY017-AMST.COTENDO.NET (chpd/4.04.0069)

Connection: Keep-Alive

11 REPLIES 11

L4 Transporter

I had the same problem, opened a case with support, and they told me that was as designed. That Hotmail was proxying some of the traffic. I think the problem is that the app is being triggered because of the referrer being hotmail.com/live.com, but I got tired of fighting and just allowed the app.

Thanks for the quick answer. So at least I'm not alone on this field nor making a general mistake.

Now I also explicitely allowed that app and as long as it was just Hotmail that's just ok. But if it was general policy by PAN to deduce an application from the HTTP Referer header, one has to allow hundreds of incoming applications (websites just linking to your own site), or rather just allow anything, thus losing one of PA's key features.

I kind of felt the same way.

Of course you could build your own HTTP app or use the App-Override function.

Try request app enhancement from the Apps and Threats Research Center.

http://www.paloaltonetworks.com/researchcenter/tools/

From there you can click on Submit an app and provide details there.

Hopefully they can use your PCAPs to make the hotmail app less false positive.

Thanks for your proposals.

@umphmharding: I already use application overrides for our SAP systems communications (SAP protocols are really poorly detected in PA), but doing so throws you back to classical address/port based firewalling. Especially for HTTP communication I'd prefer to have finer grained control on what's coming through the firewall, e. g. block WebDAV requests, which currently works fine. Explicitely denying unwanted apps would be too intricate and error-prone.

@mikand: I'd like to share the PCAPs with PA, but on your link I don't see a possibility to upload a PCAP file. I can only commit an URL and a comment. I wonder what this URL could be here?

I think in the main text you could ask a support engineer to contact you for PCAPs.

The URL I would guess would be the one you use for your server (hopefully they will not just blacklist your url from being detected as hotmail even if it would be a simple task).

Edit: Removed text regarding application override 😃

Edit2: Regarding blocking webdav and such you could create your own threat signatures to block anything that isnt HEAD/GET/POST or which http-methods you wish to allow (or create a custom app (using parent-app as SAP or whatever) where you define the same thing).

L2 Linker

Hello all,

After doing some research I think this is an expected behavior. Hotmail has a feature called "Active Views". This will trigger the Hotmail Application to download the Content for you, so you don't need to access the refered Servers. More Information here: How do Hotmail Active Views work? - Use Active Views

Hello sduvoisin,

thanks for your contribution. I think you may be right and this may be PANs intention, but in my opinion this is some wrong logic. When speaking of applications with regard to network communication I usually mean the *server* application and not the client application.

If I'd need to filter on client applications - and that is e. g. Hotmail Active Views - I'd need two configurations for applications: source (or client) application and destination (or server) application, just as I am able to filter on source addresses/ports and destination addresses/ports. Otherwise, how should an admin know, whether a request by Hotmail Active Views to some Flash file will be categorized as hotmail or as flash?

Don't get me wrong, I do see the sense of sometimes controlling on the client application, e. g. to block certain bots and crawlers, but even then I might want to differentiate on the target application too. And in those cases I'd rather do blacklisting for client applications while doing whitelisting for server applications.

Did you get any answer from the app enhancement team regarding this?

I fully agree with you... even if one most of the times tries to protect clients from doing bad stuff one will also end up using a PA to protect servers from being used for bad stuff (depending on the definition of bad).

L3 Networker

FYI - Here is the process for requesting new app-ids, reporting issues with existing app-ids:

  1. For making requests for NEW App-Ids only: Use the 'Submit an Application' web form at http://researchcenter.paloaltonetworks.com/submit-an-application/;
  2. For sharing/discussing Custom App-Ids only: Use the DevCenter forum;
  3. For reporting coverage issues with existing App-Ids: Open a ticket with technical support.

L0 Member

It looks like the traffic you're seeing is being flagged as "hotmail" based on the referrer (from a Hotmail web interface), but it's actually just image requests from users accessing their Hotmail inbox. This shouldn't be categorized as "hotmail" app traffic but rather regular web traffic. For other webmail providers, you might see similar patterns (e.g., Gmail or Yahoo), where the request comes from their web interface but involves accessing external resources like images.hotmail

  • 5469 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!