This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Session end reason threat traffic allow

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Session end reason threat traffic allow

Tyson-Liu
L1 Bithead

‎09-08-2021 11:53 AM

Hi Everyone 

 

we got the problem for session end reason “threat”, cause we detected the coin miner traffic through firewall and transmission to internet, even we saw the session end reason already hit to threat when the spyware traffic initially and threat log show result to drop for same session, but the traffic seems like still pass through to firewall, because we can look the send & receive packet growing up by magnifier.

 

my confused is if the session reason already count to “threat” and threat log action to drop, it should be discard session or not?

if yes, why still receive and transmit packet

 

thx

 

Tyson

0 Likes Likes
4 REPLIES 4

PavelK
Cyber Elite
Cyber Elite

‎09-08-2021 09:25 PM

Thank you @Tyson-Liu  for this post.

 

Could you please confirm what signature is getting hit and PAN-OS you are running?

Also, when you navigate to session browser under: Monitor > Session Browser can you see the session still alive?

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Tyson-Liu
L1 Bithead
In response to PavelK

‎09-10-2021 02:44 AM

@PavelK  Hi 

It's 86358 threat ID (CoinMiner Command & Control traffic detection) at the PAN-OS 9.0.11 version, the application visibility to json-rpc.

 

we can not replicate traffic because internal rule,  but the visit record of malicious site from our security operation center, 

 

thanks 

 

Tyson

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎09-23-2021 11:03 PM

Thank you for reply @Tyson-Liu  and sorry for getting back to you with delay.

 

I know you mentioned that you can't reproduce it, however if you come across similar case for different signature as a next action I would recommend to get a session ID and then from CLI issue: show session id <session id> | match count

 

You will get below output:

 

total byte count(c2s) : 
total byte count(s2c) : 
layer7 packet count(c2s) : 
layer7 packet count(s2c) : 

 

If you can by re-running this command still see bytes increasing, it is possible that for c2s, the infected client is still sending some traffic hitting this signature.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Tyson-Liu
L1 Bithead
In response to PavelK

‎12-05-2021 06:10 PM

Hi @PavelK 

Thanks for the great suggestion.

I think it’s behavior of APP-ID check.

When traffic through firewall, Palo Alto will try to analysis / handshake those packet and visible it, traffic already sent and received at  before spyware identification.

We just set action Drop to mitigate and reduce rate for event occurs, if we haven’t ip layer info.

 

thanks

 

Tyson

 

 

 

0 Likes Likes
  • 6167 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks