Hello, looking for more information on these Threat IDs 3805790 and 3805788.
In Monitor --> Threat -->
Type Field is showing up as spyware
Attacker Field IP is private ip address
Victim Field IP is public ip address. Victim Field public IP address is not the same and it does not match what shows up in the Name Field.
The Victim Field IP addresses are clean from all the research I can find.
I would like to know why Palo Alto keeps showing up with these IDs 3805790 and 3805788.
It looks like both of your threats are generic:weebcan.rapidsys.com identities. Your private address is in the attacker field because it is the "attacker" in this scenario, that information is probably correct. Both were released on 6-29 of this year.
It's being identified because rapidsys is being identified as a hacked website at the moment which is why they pushed out the threat with WildFire. I imagine that someone is either accessing or you yourself are hosting a website using the service. It's a pretty sound signature from what I can see; so I don't see how it could really be a false positive.
Thank you for the reply, BPry.
What I still do not understand is why there are IP addresses in the Victim Field that do not show up as weebcan.rapidsys.com. For example, I am seeing a DNS server (private IP) request to a university (public IP) listed as spyware; name and ID are all the same. I have many different examples of this issue.
That I'm not sure. It might be worth doing a packet capture and seeing specifically where that traffic is going and what it's doing. I haven't seen that signature throw a false positive on our 3020s or 200s, but if you send the university's public IP address I could connect to it and see if it's something to do with the threat signature or if it's specific to your equipment.
Well, the victim shows up as an external DNS server. When I use the resolve hostname option on the Palo Alto device, it shows what I believe are root DNS servers.
It seems that all DNS lookups are showing as these ID numbers and the public IP addresses are not those IDs. So, I do not know what to think of this.
I can't get to either of those IP addresses; but if you know the IP addresses for everything then you could make exceptions for them or disable that ID on your PA altogether. I would recommend getting a packet capture done though, because it sounds like something with your DNS server specifically that this signature doesn't like, and it could be that nobody else is really seeing the same issue.
Thank you, BPry.
I know the Palo Alto has an option for packet capture. I do not have the rights to do one. Would you please provide what kind of packet capture settings I can put in the request for this?
If the packet capture is not needed on the Palo Alto, where should the packet capture be taken from, and with what settings applied?
THIS will help you know what you need for a packet capture, but essentially it will be source IP, destination IP, the application if it's reporting as the same one all the time, and then you can filter further from there. Pass that PCAP along to your SE and they can start the process of either identifying why it's being hit or getting the signature updated. In the meantime I would disable that signature and let the traffic pass as long as you are confident that the servers that you are connecting to are clean.
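Before asking for the capture, it helps to summarize what the threat log actually shows for the two IDs: how many hits, which victim addresses, how many of those are DNS, and the source/destination/application triples the capture filter should use. The script below is an added example, not part of this thread or of any Palo Alto tool; it assumes a hypothetical comma-separated export with the field order listed in the code, and the log lines in it are constructed.

```python
"""Triage a PAN-OS-style threat-log export for specific threat IDs (added example)."""
import csv
import io

# Assumed (hypothetical) column order of the export; adjust to match a real CSV.
FIELDS = ["receive_time", "type", "subtype", "src", "dst", "dport",
          "app", "threat_name", "threat_id"]

# Constructed sample lines: private source, documentation-range victims.
SAMPLE_LOG = """\
2016/07/01 10:00:01,THREAT,spyware,10.0.0.53,198.51.100.10,53,dns,generic:weebcan.rapidsys.com,3805790
2016/07/01 10:00:05,THREAT,spyware,10.0.0.53,203.0.113.7,53,dns,generic:weebcan.rapidsys.com,3805788
2016/07/01 10:01:10,THREAT,spyware,10.0.0.53,198.51.100.10,53,dns,generic:weebcan.rapidsys.com,3805790
2016/07/01 10:02:00,THREAT,spyware,10.0.0.77,192.0.2.80,80,web-browsing,generic:weebcan.rapidsys.com,3805790
2016/07/01 10:03:00,THREAT,vulnerability,10.0.0.77,192.0.2.80,80,web-browsing,other-signature,99999
"""


def parse_threat_log(text):
    """Parse the export into a list of dicts keyed by FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def summarize(rows, threat_ids):
    """Per threat ID: hit count, distinct victims, DNS share, and capture-filter triples.

    A DNS hit is one whose destination port is 53 or whose app is 'dns'.
    The capture_filters set holds (src, dst, app) so each can go straight into
    a packet-capture request, as the reply above suggests.
    """
    summary = {}
    for tid in threat_ids:
        hits = [r for r in rows if r["threat_id"] == tid]
        dns_hits = [r for r in hits if r["dport"] == "53" or r["app"] == "dns"]
        summary[tid] = {
            "hits": len(hits),
            "victims": sorted({r["dst"] for r in hits}),
            "dns_hits": len(dns_hits),
            "dns_victims": sorted({r["dst"] for r in dns_hits}),
            "capture_filters": sorted({(r["src"], r["dst"], r["app"]) for r in hits}),
        }
    return summary


if __name__ == "__main__":
    for tid, info in summarize(parse_threat_log(SAMPLE_LOG), ["3805790", "3805788"]).items():
        print(tid, info)
```

If most hits for an ID are DNS to addresses that are not the named host, that summary plus the matching PCAP is exactly what the SE needs to evaluate the signature.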