we got the problem for session end reason “threat”, cause we detected the coin miner traffic through firewall and transmission to internet, even we saw the session end reason already hit to threat when the spyware traffic initially and threat log show result to drop for same session, but the traffic seems like still pass through to firewall, because we can look the send & receive packet growing up by magnifier.
my confused is if the session reason already count to “threat” and threat log action to drop, it should be discard session or not?
if yes, why still receive and transmit packet
Thank you @Tyson-Liu for this post.
Could you please confirm what signature is getting hit and PAN-OS you are running?
Also, when you navigate to session browser under: Monitor > Session Browser can you see the session still alive?
It's 86358 threat ID (CoinMiner Command & Control traffic detection) at the PAN-OS 9.0.11 version, the application visibility to json-rpc.
we can not replicate traffic because internal rule, but the visit record of malicious site from our security operation center,
Thank you for reply @Tyson-Liu and sorry for getting back to you with delay.
I know you mentioned that you can't reproduce it, however if you come across similar case for different signature as a next action I would recommend to get a session ID and then from CLI issue: show session id <session id> | match count
You will get below output:
total byte count(c2s) :
total byte count(s2c) :
layer7 packet count(c2s) :
layer7 packet count(s2c) :
If you can by re-running this command still see bytes increasing, it is possible that for c2s, the infected client is still sending some traffic hitting this signature.
Thanks for the great suggestion.
I think it’s behavior of APP-ID check.
When traffic through firewall, Palo Alto will try to analysis / handshake those packet and visible it, traffic already sent and received at before spyware identification.
We just set action Drop to mitigate and reduce rate for event occurs, if we haven’t ip layer info.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!