This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Pan OS 5.0

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Pan OS 5.0

edwinchristopher
Not applicable

‎09-04-2013 10:44 PM

i have set up Palo Alto to send logs to syslog server.

Yesterday i have seen something unusual in THREAT,url log?

The length of the URL is 1044 bytes but in the Palo Alto log i can see some of the bytes is truncated?

Original URL:

http://s.youtube.com/api/stats/watchtime?feature=fvwrel&rt=6.827&cos=Windows&cosver=6.1&len=300&cpn=...,

31.032&plid=AATlflqGqxQyiWvv&st=0,27.009&fs=0&cbrver=9.0&hl=en_US&cr=US&ei=4iEmUoDlC8XDlwfK6oHwAg&docid=lHFg0T9SYtI&state=playing&cver=as3&

c=WEB&cbr=IE&lact=7257&ver=2&ldpj=-24&fmt=134&cmt=31.112&rtn=16&rti=6&el=detailpage&idpj=-4&fexp=917000,909703,910207,923302,914072,

916623,930901,929117,929121,929906,929907,929922,929127,929129,929131,929930,936403,925726,925720,925722,925718,929917,906945,929933,

920302,906842,913428,920605,919811,913563,904830,919373,930803,904122,932211,938701,936308,909549,912711,904494,904497,939903,900375,

934507,936312,906001,930000,5757575757,474774747,474774747747,488484838399389,784848484884848,44444444,4774747747477474747474747,

888888888888888888,99999999999999999999,111111111111111111111111111111111,2222222222222222222222222,8948848488348934838989389389389389,

111111111111111111,55555555555555345345345,666666666666666666666,777777777777,99999999999999999999,66666666,111

Length of the original URL is 1044 bytes.

Log Line :

Sep 04 21:40:13 xx.xx.xx.xx Sep  4 21:38:24 1,2013/09/04 21:38:24,007000001148,THREAT,url,1,2013/09/04 21:38:23,xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx,xx.xx.xx.xx,Test,,,http-proxy,vsys1,Trust,Untrust,ethernetx/y,ethernetx/z,Log Forwarding,2013/09/04 21:38:23,40789,1,63718,3128,0,0,0x0,tcp,block-url,"s.youtube.com/api/stats/watchtime?feature=fvwrel&rt=6.827&cos=Windows&cosver=6.1&len=300&cpn=xilIxgDpN0ymnVDt&ns=yt&et=1.666,31.032&plid=AATlflqGqxQyiWvv&st=0,27.009&fs=0&cbrver=9.0&hl=en_US&cr=US&ei=4iEmUoDlC8XDlwfK6oHwAg&docid=lHFg0T9SYtI&state=playing&cver=as3&c=WEB&cbr=IE&lact=7257&ver=2&ldpj=-24&fmt=134&cmt=31.112&rtn=16&rti=6&el=detailpage&idpj=-4&fexp=917000,909703,910207,923302,914072,916623,930901,929117,929121,929906,929907,929922,929127,929129,929131,929930,936403,925726,925720,925722,925718,929917,906945,929933,920302,906842,913428,920605,919811,913563,904830,919373,930803,904122,932211,938701,936308,909549,912711,904494,904497,939903,900375,934507,936312,906001,930000,5757575757,474774747,474774747747,488484838399389,784848484884848,44444444,4774747747477474747474747,888888888888888888,99999999999999999999,111111111111111111111111111111111,2222222222222222222222222,8948848488348934838989389389389389,111111111111111111,55555555555555345345345,666666666666666666666,777777777777,9999999999999999999",(9999),streaming-media,informational,client-to-server,419,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,,

if you see the url highlighted in red in the log line only 1023 bytes is shown and the rest of the bytes highlighted in pink in original URL is missing?

Is Palo Alto truncates the URL if it is longer than 1024 bytes?

If it is truncating the URL then some thing is wrong because it should truncate the message not the the URL in between!!!!!

0 Likes Likes
2 REPLIES 2

sraghunandan
L5 Sessionator

‎09-04-2013 11:17 PM

If your are using PAN-DB then there is an imposed limit of 1024 characters for the length of a URL, which includes both the host and the path. PAN-OS will normalize the URL by removing the following:

  • Tab (0x09), CR (0x0d), LF (0x0a) characters from the URL
  • Fragment parameters (e.g. www.google.com/#frag is shortened to www.google.com/)
  • Remove hex encodings (e.g. %43 or \x43 would change to '+')
  • Query parameters (www.google.com/search?q=abcd+xyz) becomes (www.google.com/search)

After normalization, length of the final URL is checked.  If it length is greater than the allowed 1024, the URL is truncated and the first 1024 characters is sent to the MP for a query.

mikand
L6 Presenter
In response to sraghunandan

‎09-05-2013 03:48 PM

Also according to RFC 3164 (RFC regarding syslog) the total length of the (syslog) packet MUST be 1024 bytes or less.

http://www.ietf.org/rfc/rfc3164.txt

I dont know if PA puts this limit on syslog packets being sent out of the box but there is a great risk that the syslog server who accepts the log from your PA might cut and throw away any data thats beyond 1024 bytes.

Speaking of which... if PA do cut any data beyond the 1024 bytes marker - will the same occur on custom logs sent as CEF to Arcsight installation or such?

0 Likes Likes
  • 2351 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks