06-09-2018 07:52 AM
Hi,
Has anyone else noticed an increased amount of "Suspicious HTTP Response Found" (ID 54319) after installing AppID 8029-4784?
The Threat Vault description:
- Description: This signature detects a suspicious HTTP response
- Category: protocol anomaly
- PAN-OS min version: 8.0.0
- Severity: low
- Action: alert
- First release: 785
I want to see if others are seeing the same thing on their firewall. It looks like it is catching HTTP GET file transfers. What makes it suspicious?
06-09-2018 07:04 PM
I've noticed an uptick, but it's something that I notice quite a lot anyways with our users.
06-10-2018 07:42 AM
I'm trying to understand what "suspicious HTTP response" means from PAN's point of view; it would be nice to have a more descriptive explanation. It is a low severity, but why is it set to alert?
06-12-2018 06:06 AM
Unfortunately they kind of stopped publishing exactly what the signature in question is looking for; however, all of the Suspicious HTTP Response Found signatures focus on looking for different characters in the HTTP response header. For example, '40400' looks for "x00". They are essentially looking for a character set that shouldn't actually exist in the response header.
The real issue is that most people don't take the standard seriously and include whatever they want within the response header, because generally it doesn't cause any issues. It's set to alert because you can actually use the response header to give commands to infected machines. So if an infected machine reaches out to a CnC server, it can put control information within a response header.
I'll clarify this by saying that there are a lot of services that don't actually respect RFC 2616 or the further defined RFC 7230. Slack is one that I can think of at the moment that is horribly out of scope and is rightfully identified, but is a known application.
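To make the "characters that shouldn't exist in a response header" idea concrete, here is an added example (not code from the thread or from Palo Alto Networks) that checks a raw HTTP response header block against the RFC 7230 grammar and reports forbidden bytes such as NUL, malformed status lines and obsolete line folding. The sample responses are constructed for illustration, and the reason strings and function name are my own choice.

```python
import re

# RFC 7230, section 3.2: field-name is a token; field-value consists of
# VCHAR (0x21-0x7E), SP, HTAB and obs-text (0x80-0xFF). Other control
# bytes, NUL (0x00) in particular, have no place in a response header.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FIELD_VALUE = re.compile(rb"^[\x21-\x7E\x80-\xFF \t]*$")
_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d [1-5]\d\d( [ -~]*)?$")


def find_header_anomalies(raw_response: bytes) -> list:
    """Return (line_no, reason) findings for the header block of a raw HTTP response.

    Only the header section (everything before the first blank line) is
    inspected; the body is ignored, since the signature family discussed
    above is concerned with response headers.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    findings = []
    if not _STATUS_LINE.match(lines[0]):
        findings.append((0, "malformed status line"))
    for no, line in enumerate(lines[1:], start=1):
        if line[:1] in (b" ", b"\t"):
            # obs-fold: line folding is deprecated by RFC 7230 and parsed
            # inconsistently by clients and proxies, so it is worth flagging
            findings.append((no, "obsolete line folding"))
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append((no, "header line without ':'"))
            continue
        if not _TOKEN.match(name):
            findings.append((no, "illegal field-name %r" % name))
        if not _FIELD_VALUE.match(value):
            # the only bytes the regex rejects are CTLs other than HTAB and DEL
            bad = sorted({b for b in value if (b < 0x20 and b != 0x09) or b == 0x7F})
            findings.append((no, "forbidden bytes in field-value: "
                             + ", ".join("0x%02x" % b for b in bad)))
    return findings


# Constructed samples (not real captures): one clean response and one that
# carries a NUL byte inside a header value, the kind of thing '40400' looks for.
GOOD_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Content-Length: 2\r\n\r\nhi")
BAD_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"X-Data: abc\x00def\r\n"
                b"Server: nginx\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, find_header_anomalies(resp))
```

Running it against traffic from a known-noisy application (Slack is named above) shows which header lines actually violate the grammar, which helps decide whether an exception for that application is justified.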