09-21-2013 12:26 PM
Hey,
Is there a way to stop Conficker from filling up the threat logs? Or an easy way to filter them out? I have 1000+ logs from one host in just a few hours and it is getting hard to see the other threats... Even in the ACC I get a list full of Conficker, nothing else. This is caused by every Conficker URL being identified as a different threat ID.
Kind regards,
Bob
09-21-2013 01:23 PM
Hi,
You can use the anti-spyware profile and add an exception for the DNS queries so they are not populated in the threat logs, by choosing the action allow.
Associate the profile to the rule which the traffic is hitting.
Thanks,
Syed R Hasnain
09-21-2013 02:23 PM
So I would need to create a new rule above the one that currently allows it, with the infected clients as source IP (otherwise I would not know when other clients have it)?
Also, the Conficker threat has a lot of threat IDs, so setting all DNS queries to allow would make other threats not show up in the logs?
09-21-2013 03:27 PM
Hello,
Yes, you need to create a new rule above the one that currently allows it in order to apply the anti-spyware profile.
The discussion below may help you:
Suspicious DNS Query - how to find source computer?
Thanks
09-21-2013 05:00 PM
Hi,
You can use individual threat IDs, add them in the exception and set the action for them to allow, as shown above in the snapshot. This way you will not be doing it for all the threats, but only stopping the selected individual ones from being populated in the threat logs.
Thanks,
Syed R Hasnain
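To turn the advice above into a concrete exception list, here is a small triage script added to this thread (not from the original posts or from Palo Alto Networks). It assumes a simplified CSV export of the threat log with constructed sample rows and placeholder threat IDs; it extracts the distinct Conficker threat IDs to exempt in the anti-spyware profile, keeps a per-host hit count so you still know which clients are infected once the entries are suppressed, and shows which other threats were hidden under the noise.

```python
import csv
import re
from collections import Counter
from io import StringIO

# Constructed sample export (not a real PAN-OS log). Columns are a simplified
# subset of a threat-log CSV; the threat IDs are placeholders, not real ones.
SAMPLE_LOG = """receive_time,src,dst,threat_name,threat_id,action
2013/09/21 12:01:05,10.0.0.15,8.8.8.8,Conficker DNS Request,9000001,alert
2013/09/21 12:01:06,10.0.0.15,8.8.8.8,Conficker DNS Request,9000002,alert
2013/09/21 12:01:07,10.0.0.15,8.8.8.8,Conficker DNS Request,9000003,alert
2013/09/21 12:02:10,10.0.0.22,8.8.8.8,Conficker DNS Request,9000001,alert
2013/09/21 12:03:00,10.0.0.40,203.0.113.9,Suspicious DNS Query,9000100,alert
2013/09/21 12:04:30,10.0.0.15,8.8.8.8,Conficker DNS Request,9000004,alert
2013/09/21 12:05:00,10.0.0.8,198.51.100.7,Other Threat,9000200,alert
"""

# The noisy family to suppress; matched against the threat name column.
NOISE = re.compile(r"conficker", re.IGNORECASE)

def parse_threat_log(text):
    """Parse a CSV threat-log export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def split_noise(rows, pattern=NOISE):
    """Separate the noisy family (Conficker by default) from everything else."""
    noise = [r for r in rows if pattern.search(r["threat_name"])]
    rest = [r for r in rows if not pattern.search(r["threat_name"])]
    return noise, rest

def exception_ids(rows):
    """Distinct threat IDs of the noisy family: the list to add as
    per-ID exceptions (action allow) in the anti-spyware profile."""
    noise, _ = split_noise(rows)
    return sorted({r["threat_id"] for r in noise})

def infected_hosts(rows):
    """Hit count per source host for the noisy family, so suppressing the
    log entries does not mean losing track of which clients are infected."""
    noise, _ = split_noise(rows)
    return Counter(r["src"] for r in noise)

def remaining_threats(rows):
    """What the threat log looks like once the noisy family is filtered out."""
    _, rest = split_noise(rows)
    return Counter(r["threat_name"] for r in rest)
```

Re-run `exception_ids` on each new export, since every new Conficker URL shows up under a further threat ID that is not yet in the exception list.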