Session end reason threat traffic allow

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Session end reason threat traffic allow

L1 Bithead

Hi Everyone 

 

we got the problem for session end reason “threat”, cause we detected the coin miner traffic through firewall and transmission to internet, even we saw the session end reason already hit to threat when the spyware traffic initially and threat log show result to drop for same session, but the traffic seems like still pass through to firewall, because we can look the send & receive packet growing up by magnifier.

 

my confused is if the session reason already count to “threat” and threat log action to drop, it should be discard session or not?

if yes, why still receive and transmit packet

 

thx

 

Tyson

4 REPLIES 4

Cyber Elite
Cyber Elite

Thank you @Tyson-Liu  for this post.

 

Could you please confirm what signature is getting hit and PAN-OS you are running?

Also, when you navigate to session browser under: Monitor > Session Browser can you see the session still alive?

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

@PavelK  Hi 

It's 86358 threat ID (CoinMiner Command & Control traffic detection) at the PAN-OS 9.0.11 version, the application visibility to json-rpc.

 

we can not replicate traffic because internal rule,  but the visit record of malicious site from our security operation center, 

 

thanks 

 

Tyson

Cyber Elite
Cyber Elite

Thank you for reply @Tyson-Liu  and sorry for getting back to you with delay.

 

I know you mentioned that you can't reproduce it, however if you come across similar case for different signature as a next action I would recommend to get a session ID and then from CLI issue: show session id <session id> | match count

 

You will get below output:

 

total byte count(c2s) : 
total byte count(s2c) : 
layer7 packet count(c2s) : 
layer7 packet count(s2c) : 

 

If you can by re-running this command still see bytes increasing, it is possible that for c2s, the infected client is still sending some traffic hitting this signature.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi @PavelK 

Thanks for the great suggestion.

I think it’s behavior of APP-ID check.

When traffic through firewall, Palo Alto will try to analysis / handshake those packet and visible it, traffic already sent and received at  before spyware identification.

We just set action Drop to mitigate and reduce rate for event occurs, if we haven’t ip layer info.

 

thanks

 

Tyson

 

 

 

  • 6169 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!