This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Bypassing application control on PAN-OS

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Bypassing application control on PAN-OS

ACieszkowski
L3 Networker

‎10-19-2012 06:39 AM

I stumbled upon a blog entry (http://www.what2code.net/?p=100) describing how to, sadly, bypass application control on Palo Alto Networks boxes.

Author does not provide the source code, but I believe the method is not the work of his imagination.

Any comment on this by PAN Team? Any possible cure for the virus? Smiley Wink

Labels:
0 Likes Likes
3 REPLIES 3

mikand
L6 Presenter

‎10-19-2012 11:51 AM

While we are waiting for someone from PA to show up on friday evening I have posted a reply in the other thread with similar question Smiley Happy

0 Likes Likes

Retired Member
Not applicable
In response to mikand

‎10-30-2012 12:30 PM

We do not feel that using client-server collusion by starting the connection as a permitted application and switching to another is genuine or valid test. The scheme devised in the test assumes both the client and server are already under the control of the attacker. We don't know of any real-world clients or servers that can talk HTTP initially and then switch to SSH. Our app-ID has coverage for many evasive real-world tunneling applications and we continue to add coverage for more as we discover them. In this instance, we are working to enhance checks in our HTTP decoder to identify this scheme and set the session to be unknown-tcp. We are targeting to make the fix available in the next 1-2 content updates.

0 Likes Likes

mikand
L6 Presenter
In response to Retired Member

‎10-30-2012 02:45 PM

I belive this is valid because its these methods that malware will use to break out of the internal network in order to phone home various of stuff it can get its hand on.

Compromised client: checked (usually its a matter of "when" not "if").

Compromised server: checked (just look at all botnets where most uses compromised servers to act as C&C).

and suddently we have a situation where both the client AND the server is compromised and can run whatever protocol they wish (specially when you take networks such as the internet into account).

  • 2703 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks