DNS sinkhole , some questions

I'm a SOC analyst, and we receive firewall logs regarding DNS sinkhole alerts. I'm trying to understand them better.

I have received multiple logs of this type, and I want to make sure I understand them correctly.

In this log, the domain that was queried was "s.w.org," right? I received multiple logs, and "generic:sr7pv7n5x.com" was present in all of them after the domain. What does this represent?

Also, does the sinkhole work only based on known databases of domains that have been flagged as malicious? Or will it also flag domains that appear suspicious, like "3123fsda11.xyz"?

Thank you so much; I appreciate it.

One of the logs we received:

<12>Jun 10 12:55:39 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:55:39,026701011826,THREAT,spyware,2816,2024/06/10 12:55:39,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:55:39,457116,1,51705,53,0,0,0x2000,udp,sinkhole,"s.w.org",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350092,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:55:39.509+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

<12>Jun 10 12:57:03 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:57:03,026701011826,THREAT,spyware,2816,2024/06/10 12:57:03,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:57:03,730181,1,62138,53,0,0,0x2000,udp,sinkhole,"i.ytimg.com",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350559,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:57:03.901+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic

Accepted Solutions

Community Team Member

Hi @DavidMankivsky ,

The functionality of DNS sinkhole depends on the subscriptions on your firewall. With a threat prevention license, your firewall can sinkhole DNS requests using a predefined list of malicious domains provided by Palo Alto Networks.

However, if you have a DNS Security subscription in addition to the threat prevention license, that's where you have access to real-time protection. This includes advanced predictive analytics that can identify and flag not only known malicious domains but also suspicious domains that exhibit characteristics similar to those used by attackers, such as '3123fsda11.xyz'.

For the logs, it looks to me like there are two domains that the client is trying to resolve (I would double-check with the actual logs populated on the firewall):

1. "s.w.org"
2. "i.ytimg.com"

The (generic:sr7pv7n5x.com)(638487393) looks to be the (Threat Signature Name)(Unique Threat ID). You can access the Palo Alto Networks Threat Vault and search for that unique threat ID.

Hope this helps!

LIVEcommunity team member
Stay Secure,
Jay
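As an added example (not code from the thread or from Palo Alto Networks), the following Python pulls the fields Jay refers to out of THREAT syslog lines like the two posted above: the queried domain (the misc field), the action, and the (signature name)(threat ID) pair, and then groups the sinkholed domains by threat ID so an analyst can see which queries share one signature. The syslog header regex and the column positions are my assumptions derived from the posted lines; check them against the syslog field reference for your PAN-OS version.

```python
import csv
import re
from collections import defaultdict

# The two lines posted in the thread (source/destination IPs were redacted by the poster).
SAMPLE_LOGS = [
    '<12>Jun 10 12:55:39 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:55:39,026701011826,THREAT,spyware,2816,2024/06/10 12:55:39,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:55:39,457116,1,51705,53,0,0,0x2000,udp,sinkhole,"s.w.org",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350092,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:55:39.509+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic',
    '<12>Jun 10 12:57:03 PA-FW-1-SDM.spectrum-dynamics.local 1,2024/06/10 12:57:03,026701011826,THREAT,spyware,2816,2024/06/10 12:57:03,{redacted},{redacted},0.0.0.0,0.0.0.0,Trust_Users_To_Servers,{redacted},,dns-base,vsys1,Trust,Trust,ae2.13,ae2.12,Syslog,2024/06/10 12:57:03,730181,1,62138,53,0,0,0x2000,udp,sinkhole,"i.ytimg.com",Suspicious DNS Query (generic:sr7pv7n5x.com)(638487393),any,medium,client-to-server,7358805422319350559,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,,,0,,,0,,,,,,,,0,0,0,0,0,,PA-FW-1-SDM,,,,,0,,0,,N/A,dns,AppThreat-4844-5362,0x0,0,4294967295,,,b51647d4-1ebe-4f5e-b7a8-32635ee2b34e,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2024-06-10T12:57:03.901+03:00,,,,infrastructure,networking,network-protocol,3,"used-by-malware,has-known-vulnerability,pervasive-use",dns,dns-base,no,no,,,NonProxyTraffic',
]

# Syslog framing in front of the PAN-OS CSV body: "<PRI>Mon DD HH:MM:SS hostname " (regex is an assumption).
SYSLOG_HEADER = re.compile(
    r"^<\d+>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+(?P<body>.*)$")
# Threat/content name shape seen in the thread: "<description> (<signature name>)(<threat id>)"
THREAT_NAME = re.compile(r"^(?P<desc>.*?)\s*\((?P<signature>[^()]+)\)\((?P<threat_id>\d+)\)\s*$")

# 0-based column positions in the PAN-OS THREAT log CSV body. They match the sample lines above;
# verify them against the syslog field reference for your PAN-OS version before relying on them.
FIELDS = {"type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "app": 14, "action": 30,
          "misc": 31, "threat_name": 32, "severity": 34, "direction": 35}


def parse_threat_line(line):
    """Return a dict of the interesting fields of one THREAT syslog line, or None if it is not one."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    row = next(csv.reader([m.group("body")]))  # csv handles the quoted "s.w.org" misc field
    if len(row) <= FIELDS["direction"] or row[FIELDS["type"]] != "THREAT":
        return None
    rec = {"host": m.group("host")}
    rec.update({name: row[i] for name, i in FIELDS.items()})
    t = THREAT_NAME.match(rec["threat_name"])
    rec["signature"] = t.group("signature") if t else None   # e.g. generic:sr7pv7n5x.com
    rec["threat_id"] = t.group("threat_id") if t else None   # the ID to look up in Threat Vault
    return rec


def sinkhole_domains_by_threat_id(lines):
    """Group the queried domains (misc field) of sinkholed spyware alerts by threat ID."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_threat_line(line)
        if rec and rec["subtype"] == "spyware" and rec["action"] == "sinkhole":
            groups[rec["threat_id"]].add(rec["misc"])
    return {tid: sorted(domains) for tid, domains in groups.items()}


if __name__ == "__main__":
    for tid, domains in sinkhole_domains_by_threat_id(SAMPLE_LOGS).items():
        print(f"threat id {tid}: {', '.join(domains)}")
```

Feeding a day's worth of sinkhole lines through sinkhole_domains_by_threat_id shows at a glance whether one threat ID covers many unrelated domains (worth a Threat Vault lookup) or one domain keeps recurring from the same source.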

Thank you Jay! You helped me a lot.
