Pan OS 5.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Pan OS 5.0

Not applicable

i have set up Palo Alto to send logs to syslog server.

Yesterday i have seen something unusual in THREAT,url log?

The length of the URL is 1044 bytes but in the Palo Alto log i can see some of the bytes is truncated?

Original URL:

http://s.youtube.com/api/stats/watchtime?feature=fvwrel&rt=6.827&cos=Windows&cosver=6.1&len=300&cpn=...,

31.032&plid=AATlflqGqxQyiWvv&st=0,27.009&fs=0&cbrver=9.0&hl=en_US&cr=US&ei=4iEmUoDlC8XDlwfK6oHwAg&docid=lHFg0T9SYtI&state=playing&cver=as3&

c=WEB&cbr=IE&lact=7257&ver=2&ldpj=-24&fmt=134&cmt=31.112&rtn=16&rti=6&el=detailpage&idpj=-4&fexp=917000,909703,910207,923302,914072,

916623,930901,929117,929121,929906,929907,929922,929127,929129,929131,929930,936403,925726,925720,925722,925718,929917,906945,929933,

920302,906842,913428,920605,919811,913563,904830,919373,930803,904122,932211,938701,936308,909549,912711,904494,904497,939903,900375,

934507,936312,906001,930000,5757575757,474774747,474774747747,488484838399389,784848484884848,44444444,4774747747477474747474747,

888888888888888888,99999999999999999999,111111111111111111111111111111111,2222222222222222222222222,8948848488348934838989389389389389,

111111111111111111,55555555555555345345345,666666666666666666666,777777777777,99999999999999999999,66666666,111

Length of the original URL is 1044 bytes.

Log Line :

Sep 04 21:40:13 xx.xx.xx.xx Sep  4 21:38:24 1,2013/09/04 21:38:24,007000001148,THREAT,url,1,2013/09/04 21:38:23,xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx,Test,,,http-proxy,vsys1,Trust,Untrust,ethernetx/y,ethernetx/z,Log Forwarding,2013/09/04 21:38:23,40789,1,63718,3128,0,0,0x0,tcp,block-url,"s.youtube.com/api/stats/watchtime?feature=fvwrel&rt=6.827&cos=Windows&cosver=6.1&len=300&cpn=xilIxgDpN0ymnVDt&ns=yt&et=1.666,31.032&plid=AATlflqGqxQyiWvv&st=0,27.009&fs=0&cbrver=9.0&hl=en_US&cr=US&ei=4iEmUoDlC8XDlwfK6oHwAg&docid=lHFg0T9SYtI&state=playing&cver=as3&c=WEB&cbr=IE&lact=7257&ver=2&ldpj=-24&fmt=134&cmt=31.112&rtn=16&rti=6&el=detailpage&idpj=-4&fexp=917000,909703,910207,923302,914072,916623,930901,929117,929121,929906,929907,929922,929127,929129,929131,929930,936403,925726,925720,925722,925718,929917,906945,929933,920302,906842,913428,920605,919811,913563,904830,919373,930803,904122,932211,938701,936308,909549,912711,904494,904497,939903,900375,934507,936312,906001,930000,5757575757,474774747,474774747747,488484838399389,784848484884848,44444444,4774747747477474747474747,888888888888888888,99999999999999999999,111111111111111111111111111111111,2222222222222222222222222,8948848488348934838989389389389389,111111111111111111,55555555555555345345345,666666666666666666666,777777777777,9999999999999999999",(9999),streaming-media,informational,client-to-server,419,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,,

if you see the url highlighted in red in the log line only 1023 bytes is shown and the rest of the bytes highlighted in pink in original URL is missing?

Is Palo Alto truncates the URL if it is longer than 1024 bytes?

If it is truncating the URL then some thing is wrong because it should truncate the message not the the URL in between!!!!!

2 REPLIES 2

L5 Sessionator

If your are using PAN-DB then there is an imposed limit of 1024 characters for the length of a URL, which includes both the host and the path. PAN-OS will normalize the URL by removing the following:

  • Tab (0x09), CR (0x0d), LF (0x0a) characters from the URL
  • Fragment parameters (e.g. www.google.com/#frag is shortened to www.google.com/)
  • Remove hex encodings (e.g. %43 or \x43 would change to '+')
  • Query parameters (www.google.com/search?q=abcd+xyz) becomes (www.google.com/search)

After normalization, length of the final URL is checked.  If it length is greater than the allowed 1024, the URL is truncated and the first 1024 characters is sent to the MP for a query.

Also according to RFC 3164 (RFC regarding syslog) the total length of the (syslog) packet MUST be 1024 bytes or less.

http://www.ietf.org/rfc/rfc3164.txt

I dont know if PA puts this limit on syslog packets being sent out of the box but there is a great risk that the syslog server who accepts the log from your PA might cut and throw away any data thats beyond 1024 bytes.

Speaking of which... if PA do cut any data beyond the 1024 bytes marker - will the same occur on custom logs sent as CEF to Arcsight installation or such?

  • 2543 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!