This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

attacking site and PAN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

attacking site and PAN

_slv_
L4 Transporter

‎04-16-2014 12:48 AM

Hello

Few days ago I discovered site with some information about VMware Update Manager. I had a problem with it and I was searching for solution.

This site is www.bourgelat.net/cannot-patch-definitions-vmware-19988

I have PA with all licences but PAN software doesnt detect any bad traffic Smiley Sad

I asked PAN to change categorization to malware site, but today I got email : New category: computer-and-internet-info

This site still trying to hurt Your computer, and PAN doesnt responds to it - is it OK?

I have security policy with thread prevention/av - but it doesnt stops it, hopefully my Symnatec Endpoint protection detecting it and blocking.

You can try to open www.bourgelat.net - this isn't https so in my opinion PAN should react in some way to this traffic.

Do You agree with me?

How it's possible when IE 10 with default configuration recomends to not enter to this site while PAN recategorization is computer-and-internet-info ?

Regards

Slawek

Labels:
0 Likes Likes
13 REPLIES 13

_slv_
L4 Transporter

‎04-16-2014 05:37 AM

small update, www.bourgelat.net is classified as malware site by BightCloud Service, and it's blocked if You are blocking access by url filter (block malware sites) but if you are using PA url database you are under risk!

0 Likes Likes

dyang
L5 Sessionator

‎04-16-2014 11:22 AM

Hi slv,

Can you provide more details about why you feel this site is malicious? 

--Doris

0 Likes Likes

_slv_
L4 Transporter
In response to dyang

‎04-17-2014 12:19 PM

My symantec endpoint pretection is detecting that this site try to attact my computer using "red export kit redirect" now.

0 Likes Likes

gafrol
L4 Transporter
In response to _slv_

‎04-17-2014 12:45 PM

Are you referring to this threat Web Attack: Red Exploit Kit Redirect: Attack Signature - Symantec Corp. ?

If yes then --> CVE-2009-4324

CVE-2009-4324 is covered with nine Threat ID's

Capture.JPG.jpg

Are these nine Threat ID's all covered in your Vuln. Protection Profile ?

BTW, www.bourgelat.net/cannot-patch-definitions-vmware-19988 does not seem to be accessible at all

Capture.JPG.jpg

0 Likes Likes

_slv_
L4 Transporter

‎04-17-2014 01:22 PM

I can't verify it now, but probably - yes.

Today "www.bourgelat.net/cannot-patch-definitions-vmware-19988" isn't accessable but please try with www.bourgelat.net  Please try with it.

I will check my security rules, but I'm sure that I blocing medium and critical threats.

Regards

SLawek

0 Likes Likes

gafrol
L4 Transporter
In response to _slv_

‎04-17-2014 01:26 PM

I don't see anything threatening on www.bourgelat.net

0 Likes Likes

gafrol
L4 Transporter
In response to gafrol

‎04-17-2014 01:37 PM

Although a google search for "www.bourgelat.net malware" shows very suspicious results...

0 Likes Likes

_slv_
L4 Transporter
In response to gafrol

‎04-19-2014 09:04 AM

Here You are report from today (SEP):

Wykryto zagrożenie
Czas zdarzenia:19.04.2014 17:33:03
Czas rozpoczęcia:19.04.2014 17:32:02
Czas zakończenia:19.04.2014 17:32:02
Wystąpienie:1
Nazwa sygnatury:Web Attack: Red Exploit Kit Redirect 2
Identyfikator sygnatury:26591
Podidentyfikator sygnatury:71083
Adres URL włamania:www.bourgelat.net/
Adres URL zawartości włamania:N/D
Opis zdarzenia:[Identyfikator SID: 26591] zablokowano atak Web Attack: Red Exploit Kit Redirect 2. Zablokowano ruch tej aplikacji: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Typ zdarzenia:Zapobieganie włamaniom
Typ hakingu:0
Istotność:Krytyczne
Nazwa aplikacji:/DEVICE/HARDDISKVOLUME2/PROGRAM FILES/MOZILLA FIREFOX/FIREFOX.EXE
Protokół sieciowy:TCP
Kierunek ruchu sieciowego:Przychodzący
Adres IP komputera zdalnego:91.121.93.111
Zdalny adres MAC:N/D
Nazwa hosta zdalnego:N/D
Alert:1
Port lokalny:55038
Port zdalny:80

is it a false positive?

Regards

Slawek

0 Likes Likes

HITSSEC
L4 Transporter

‎04-19-2014 04:52 PM

Slawek,


We deal with situation by having two custom URL categories:


1. Temporary-Blocked = this allows you to immediately block it while you wait for a reclassification request to be processed by Palo Alto.

2. Custom-Blocked = This allows you to override the Pan-DB or Brightcloud category.  Additionally you can use it to block parts of an otherwise good website.


Hope this provides a way to react quicker.  It works quite well for us.


Phil

0 Likes Likes

_slv_
L4 Transporter
In response to gafrol

‎04-23-2014 05:22 AM

Hi Gafrol

In my opinion I have all this 9 CVE covered. Security policy has:

2014-04-23_141826.png

And "strict" thread  prevention profile is a default one:

2014-04-23_141905.png

I try today to open "bourgelat.net" and again only SEP blocked this traffic.

admin@PA-200> show session all filter source 192.168.1.35 destination 91.121.93.111

--------------------------------------------------------------------------------

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

19100   web-browsing   ACTIVE  FLOW  NS   192.168.1.35[52183]/Lan_A/6  (x.x.x.x[52427])

vsys1                                     91.121.93.111[80]/untrust  (91.121.93.111[80])

39182   web-browsing   ACTIVE  FLOW  NS   192.168.1.35[52188]/Lan_A/6  (x.x.x.x[35161])

vsys1                                     91.121.93.111[80]/untrust  (91.121.93.111[80])

34969   web-browsing   ACTIVE  FLOW  NS   192.168.1.35[52196]/Lan_A/6  (x.x.x.x[16722])

vsys1                                     91.121.93.111[80]/untrust  (91.121.93.111[80])

56342   web-browsing   ACTIVE  FLOW  NS   192.168.1.35[52193]/Lan_A/6  (x.x.x.x[18863])

vsys1                                     91.121.93.111[80]/untrust  (91.121.93.111[80])

admin@PA-200> show session id 19100

Session           19100

        c2s flow:

                source:      192.168.1.35 [Lan_A]

                dst:         91.121.93.111

                proto:       6

                sport:       52183           dport:      80

                state:       ACTIVE          type:       FLOW

                src user:    contoso\slawek

                dst user:    unknown

                qos node:    ethernet1/1, qos member N/A Qid 0

        s2c flow:

                source:      91.121.93.111 [untrust]

                dst:         x.x.x.x

                proto:       6

                sport:       80              dport:      52427

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    contoso\slawek

                qos node:    ethernet1/4.1, qos member N/A Qid 0

        start time                    : Wed Apr 23 14:11:42 2014

        timeout                       : 60 sec

        time to live                  : 10 sec

        total byte count(c2s)         : 621

        total byte count(s2c)         : 66

        layer7 packet count(c2s)      : 5

        layer7 packet count(s2c)      : 1

        vsys                          : vsys1

        application                   : web-browsing

        rule                          : Lan_A NAT - monitoring

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : NAT_Lan_A(vsys1)

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : malware-sites

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/4.1

        egress interface              : ethernet1/1

        session QoS rule              : N/A (class 4)

In monitor tab using filter "( threatid eq 34271) or ( threatid eq 34271) or ( threatid eq 33287) or ( threatid eq 33006) or ( threatid eq 32959) or ( threatid eq 32804) or ( threatid eq 32784) or ( threatid eq 32764) or ( threatid eq 32763)" I see nothing in thread logs.

What is wrong with my configuration?

Regards

Slawek

0 Likes Likes

_slv_
L4 Transporter
In response to HITSSEC

‎04-23-2014 05:23 AM

Hi Hitsec

Thank for clarification, but the clue is that PA refued to change classification to malware sites.

0 Likes Likes

HITSSEC
L4 Transporter
In response to _slv_

‎04-24-2014 08:01 AM

Slawek,

I fully understand and have experienced the same situation.

Phil

0 Likes Likes

_slv_
L4 Transporter
In response to HITSSEC

‎04-26-2014 12:32 AM

Problem reported to support, I will let You know if we made any progress.

Could someone verify using other NGF than PA and endpoint protetection than Symantec that this site try to hurt your computer and post small report of tests?

Regards

Slawek

0 Likes Likes
  • 4542 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks