05-16-2021 08:13 AM
Hello Bros,
We have subscribed to palo alto dns-security and the license has been applied to the device.
Rules with anti-spyware "dns-security sinkhole action enabled".
Now regarding the hosts with sinkhole action, that means these hosts are trying to connect to malicious domains.
These attempts are blocked, but are there other recommended actions to be taken towards these hosts? Is there a recommended method to stop them from trying to connect to these malicious domains?
TIA
05-16-2021 08:52 AM
The recommendation would be to check these hosts for some sort of malware/spyware running which tries to connect to these domains. With the sinkhole feature it shows you these hosts, which otherwise wouldn't be identified.
The little problem is to differentiate if it really was some sort of malware or only connections made by the users' browsers, which probably are the reason for most of the sinkholed connections. It's not (my assumption) that users directly connect to these domains; these requests are because of advertisements on the actual websites or because malicious scripts somehow get executed on the websites that the users open.
So there is no way to fully stop clients connecting to domains which are redirected to the sinkhole, but it still is a very helpful feature to identify clients which should be checked.
05-17-2021 04:40 PM
Thank you so much Bro.
07-29-2021 05:58 AM
If you are using XDR you can set up an IOC to alert when a client connects to the sinkhole IP. Then put an exclusion on the alert if it is coming from a browser and then investigate any endpoint that has a process other than a browser connecting to the sinkhole.
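The triage described in the two replies above (list the hosts that reach the sinkhole, deprioritise hits that come from a browser, escalate the rest) can be done from the firewall's traffic logs and endpoint process telemetry without XDR. The following is an added example, not code from the thread or from Palo Alto Networks. Everything in it is constructed: SINKHOLE_IP is a placeholder for whatever sinkhole address the anti-spyware profile is configured to return, the two CSV inputs are simplified, made-up log formats (not the firewall's real export layout), and the process names are invented. Because the sinkhole works by handing the client a fake address, the client itself (not the DNS resolver) opens the follow-up session, so the source address in the traffic log is the endpoint to look at.

```python
"""Added example: triage endpoints that connect to the DNS sinkhole address.

Assumptions (all constructed for this example):
  - SINKHOLE_IP is a placeholder for the sinkhole address configured on the
    firewall; substitute the real one.
  - Traffic log rows are a simplified CSV: time,src,dst,dport,app
  - Endpoint telemetry rows are a simplified CSV: host,process,dst
"""
import csv
import io
from collections import Counter, defaultdict

SINKHOLE_IP = "192.0.2.1"  # placeholder sinkhole address (assumption)

# Processes treated as browsers: a hit from one of these is most often an ad or
# a script on an otherwise legitimate page, so it is deprioritised, not escalated.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "safari"}

# Constructed traffic log: two hosts reach the sinkhole, one also has normal traffic.
TRAFFIC_LOG = """\
time,src,dst,dport,app
2021-05-16T08:00:01,10.0.0.5,192.0.2.1,443,ssl
2021-05-16T08:00:07,10.0.0.5,192.0.2.1,80,web-browsing
2021-05-16T08:01:12,10.0.0.9,192.0.2.1,443,ssl
2021-05-16T08:01:13,10.0.0.5,93.184.216.34,443,ssl
2021-05-16T08:03:40,10.0.0.9,192.0.2.1,443,ssl
2021-05-16T08:05:02,10.0.0.9,192.0.2.1,443,ssl
"""

# Constructed endpoint telemetry: which process on each host opened the session.
ENDPOINT_EVENTS = """\
host,process,dst
10.0.0.5,chrome.exe,192.0.2.1
10.0.0.5,chrome.exe,192.0.2.1
10.0.0.9,chrome.exe,192.0.2.1
10.0.0.9,updatesvc.exe,192.0.2.1
"""


def parse_csv(text):
    """Parse one of the simplified CSV inputs into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def sinkhole_hits(traffic_rows, sinkhole_ip=SINKHOLE_IP):
    """Count sessions per source host whose destination is the sinkhole.
    The client, not the resolver, opens this session, so src is the endpoint."""
    return Counter(r["src"] for r in traffic_rows if r["dst"] == sinkhole_ip)


def non_browser_processes(endpoint_rows, sinkhole_ip=SINKHOLE_IP):
    """Per host, the set of non-browser processes seen connecting to the sinkhole."""
    found = defaultdict(set)
    for r in endpoint_rows:
        if r["dst"] == sinkhole_ip and r["process"].lower() not in BROWSER_PROCESSES:
            found[r["host"]].add(r["process"])
    return found


def triage(traffic_rows, endpoint_rows, sinkhole_ip=SINKHOLE_IP):
    """Return {host: {"hits": n, "escalate": bool, "processes": [...]}}.

    Every host with sinkhole traffic is listed so it can be checked; only hosts
    where a non-browser process made the connection are marked for escalation,
    which is the 'exclude browsers, investigate the rest' approach.
    """
    hits = sinkhole_hits(traffic_rows, sinkhole_ip)
    suspicious = non_browser_processes(endpoint_rows, sinkhole_ip)
    report = {}
    for host, count in hits.items():
        procs = sorted(suspicious.get(host, ()))
        report[host] = {"hits": count, "escalate": bool(procs), "processes": procs}
    return report


if __name__ == "__main__":
    result = triage(parse_csv(TRAFFIC_LOG), parse_csv(ENDPOINT_EVENTS))
    for host, info in sorted(result.items()):
        label = "ESCALATE" if info["escalate"] else "browser-only"
        print(f"{host}: {info['hits']} sinkhole hits, {label} {info['processes']}")
```

Hosts with browser-only hits still appear in the report, which matches the earlier reply: they are worth a look, but a non-browser process reaching the sinkhole is the signal that moves a host to the top of the list. In practice the same aggregation can be run as a scheduled query against the traffic log and the endpoint agent's network-connection events.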
07-30-2021 05:23 AM
Thank you for participation but unfortunately we don't have XDR.