09-25-2017 02:05 AM
I have a Palo Alto log file and I want to make a malware detection visualization. I am confused about the characteristics of malware. Is there any reference, or can anyone help me to know the characteristics of malware in logs?
This is a sample log file:
Jun 7 10:40:02 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:40:02,002201003950,THREAT,url,1,2017/06/07 10:40:02,192.168.xxx.xxx,104.244.xxx.xxx,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:40:02,34860278,1,21963,80,0,0,0x3000,tcp,block-url,"www.xxx",(9999),malware,informational,client-to-server,1771529966,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,
09-25-2017 02:13 AM
Could you elaborate on what you are trying to accomplish?
Your log file indicates it was web-browsing that hit the malware URL category in a URL filtering security profile.
Malware can be detected in several ways:
Malware can be a file that's being downloaded that matches a signature.
It can also be a website that has been categorized as malware in URL filtering (that means it is known to host malware files, so we block access even before the download is started).
09-25-2017 02:29 AM
@reaper I want to detect malware in the log; what I need in order to detect malware is a hallmark of malware. Is there a special feature of malware in the log? For example, category with the value malware, or 63 or 64 or 60 is malware, or the seqno characteristic with a malware value or any, or 0x0 or unknown is a malware characteristic.
09-25-2017 02:32 AM
Well, it says malware in the log:
Jun 7 10:40:02 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:40:02,002201003950,THREAT,url,1,2017/06/07 10:40:02,192.168.xxx.xxx,104.244.xxx.xxx,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:40:02,34860278,1,21963,80,0,0,0x3000,tcp,block-url,"www.xxx",(9999),malware,informational,client-to-server,1771529966,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,
09-25-2017 06:13 AM
The log that you have indicated appears to simply be a URL-Filtering log, where the 'Malware' listing is simply the category that is being triggered. Filtering for Malware specifically would only give you those results. If I understand your request correctly, then the simple answer is 'no': Palo Alto syslogs will not give you anything to really look at as a whole within the log to say "Yup, this was malware".
Exceptions to this would be if something within the URL-Filtering logs specifically hits the 'Malware' category, like what you have displayed here. Another exception would be the WildFire Submissions log, where the verdict field being 'Malicious' would also be a good indicator.
If you are looking for something in particular that would indicate a host was infected with a virus, there really isn't a log for that. If I had a host that was caught downloading a 'Malicious' file according to WildFire (something that should be looked into regardless), along with a host getting hits in the URL-Filtering logs for hitting 'Malware' sites, then I could be pretty confident that the host was infected. A host simply hitting a 'Malware' site once or twice throughout the day could likely be tied to ads and wouldn't necessarily mean it was infected, and a computer downloading a malicious file according to WildFire would also not necessarily mean it was infected. No one log source is going to mean a host is actually infected; the logs need to be digested as a whole, using all of the logs available to you, to actually make a determination of malware being on the computer.
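As an added illustration of the reasoning in this answer (not code from the thread or from Palo Alto Networks), the script below parses THREAT records out of PAN-OS syslog lines like the one posted, counts URL-filtering 'malware' hits and WildFire 'malicious' verdicts per source host, and grades each host the way the answer describes. The field positions are assumed to follow the PAN-OS 8.x threat log field order, and the sample lines are constructed from the poster's example with placeholder addresses.

```python
import csv
from collections import defaultdict

# 0-based field positions in a PAN-OS THREAT record, counting from the first
# CSV field. Assumed PAN-OS 8.x order; verify against your PAN-OS version.
TYPE, SUBTYPE, SRC, ACTION, URL, CATEGORY, SEVERITY = 3, 4, 7, 30, 31, 33, 34

# Constructed sample log (not from the thread): the poster's URL hit, a WildFire
# 'malicious' verdict for the same host, a lone URL hit from a second host, and
# a TRAFFIC record that must be ignored.
SAMPLE_LOG = """\
Jun 7 10:40:02 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:40:02,002201003950,THREAT,url,1,2017/06/07 10:40:02,192.168.1.10,104.244.0.1,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:40:02,34860278,1,21963,80,0,0,0x3000,tcp,block-url,"www.example.invalid",(9999),malware,informational,client-to-server,1771529966,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,
Jun 7 10:41:15 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:41:15,002201003950,THREAT,wildfire,1,2017/06/07 10:41:15,192.168.1.10,104.244.0.2,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:41:15,34860301,1,22011,80,0,0,0x3000,tcp,alert,"invoice.exe",(9999),malicious,high,client-to-server,1771529990,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,
Jun 7 10:42:00 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:42:00,002201003950,THREAT,url,1,2017/06/07 10:42:00,192.168.1.20,104.244.0.3,0.0.0.0,0.0.0.0,Rule-VWIRE-02,,,web-browsing,vsys1,trust-02,untrust-02,ethernet1/4,ethernet1/3,Log_palo,2017/06/07 10:42:00,34860355,1,23000,80,0,0,0x3000,tcp,block-url,"ads.example.invalid",(9999),malware,informational,client-to-server,1771530011,0x0,192.168.0.0-192.168.255.255,US,0,,0,,,1,,,,,,,,0,0,0,0,0,,PAN-PA-5050-xxx,
Jun 7 10:42:05 10.10.10.47 PAN-PA-5050-xxxx/ 1,2017/06/07 10:42:05,002201003950,TRAFFIC,end,1,2017/06/07 10:42:05,192.168.1.20,104.244.0.3,0.0.0.0,0.0.0.0,Rule-VWIRE-02
"""

def parse_threat_line(line):
    """Return the fields of interest for a THREAT record, else None. The syslog
    header ends with '.../ 1', where '1' is already the first CSV field."""
    if "," not in line:
        return None
    header, body = line.split(",", 1)
    fields = [header.rsplit(" ", 1)[1]] + next(csv.reader([body]))
    if len(fields) <= SEVERITY or fields[TYPE] != "THREAT":
        return None
    return {"subtype": fields[SUBTYPE], "src": fields[SRC],
            "action": fields[ACTION], "url": fields[URL],
            "category": fields[CATEGORY].lower(), "severity": fields[SEVERITY]}

def malware_indicators(lines):
    """Per source host, count the two signals the answer names. For subtype
    'wildfire' the category field carries the verdict (assumed, per PAN-OS docs)."""
    hosts = defaultdict(lambda: {"malware_url": 0, "wildfire_malicious": 0})
    for line in lines:
        rec = parse_threat_line(line)
        if rec is None:
            continue
        if rec["subtype"] == "url" and rec["category"] == "malware":
            hosts[rec["src"]]["malware_url"] += 1
        elif rec["subtype"] == "wildfire" and rec["category"] == "malicious":
            hosts[rec["src"]]["wildfire_malicious"] += 1
    return dict(hosts)

def triage(counts):
    """Apply the answer's reasoning: no single log source proves infection."""
    if counts["wildfire_malicious"] and counts["malware_url"]:
        return "likely infected: investigate"
    if counts["wildfire_malicious"]:
        return "malicious download: review"
    if counts["malware_url"] >= 3:
        return "repeated malware-category hits: review"
    return "low: isolated hit, could be ads"
```

Feed `malware_indicators()` the lines of a real syslog export and pass each host's counts to `triage()`; the thresholds are a starting point to tune against your own ad-driven noise.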