characteristic of malware on a log

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

characteristic of malware on a log

L1 Bithead

I have a paloalto log file and I want to make a malware detection visualization. I am confused about the characteristics of a malware. is there any reference or can anyone help me to know the characteristics of a malware in logs?

 

this is asample file log :

 

Jun 7 10:40:02 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:40:02,002201003950,THREAT,url,1,2017/06/07 10:40:02,192.168.xxx.xxx,104.244.xxx.xxx,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:40:02,34860278,1,21963,80,0,0,0x3000,tcp,block-url,"www.xxx",(9999),malware,informational,client-to-server,1771529966,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,

 

4 REPLIES 4

Cyber Elite
Cyber Elite

hi @BaharudinYusuf

 

could you elaborate on what you are trying to accomplish?

 

your logfile indicates it was web-browsing that hit the malware URL category in a url filtering security profile

 

malware can be detected in several ways:

malware can be a file that's being downloaded that matches a signature

it can also be a website that has been categorized as malware in URL filtering (that means it is known to host malware files, so we block access even before the download is started)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper I want to detect a malware in the log, which I need to detect a malware is a hallmark of malware. is there a special feature of a malware in the log. for example category with malware value or 63 or 64 or 60 is malware or seqno characteristic with malware value or any, or 0x0 or unknow is malware characteristic

well, it says malware in the log:

 

Jun 7 10:40:02 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:40:02,002201003950,THREAT,url,1,2017/06/07 10:40:02,192.168.xxx.xxx,104.244.xxx.xxx,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:40:02,34860278,1,21963,80,0,0,0x3000,tcp,block-url,"www.xxx",(9999),malware,informational,client-to-server,1771529966,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@BaharudinYusuf,

The log that you have indicated appears to simply be a URL-Filtering log, where the 'Malware' listing is simply the category that is being triggered. Filtering for Malware specifically would only give you those results. If I understand your request correctly then the simple answer is 'no', Palo Alto syslogs will not give you anything to really look at as a whole within the log to say "Yup, this was malware". 

Exceptions to this would be if something within the URL-Filtering logs specifically hits the 'Malware' category, like what you have displayed here. Another exception would be the WildFire Submissions log where the verdict field being 'Malicious' would also be a good indicator. 

 

If you are looking for something in particular that would indicate a host was infected with a virus there really isn't a log for that. If I had a host that was caught as downloading a 'Malicious' file according to WildFire, something that should be looked into regardless, along with a host getting hits with the URL-Filtering logs for hitting 'Malware' sites then I could be pretty confident that the host was infected. A host simply hitting a 'Malware' site once or twice throughout the day could likely be tied to ads and wouldn't necessary mean they were infected, and a computer downloading a malicious file according to WildFire would also not necessary mean it was infected. No one log source is going to mean a host is actually infected, the logs need to be digested as a whole using all of the logs available to you to actually make a determination of Malware being on the computer.

  • 1904 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!