Suspicious HTTP Response Found (ID 54319) after updated to 8029-4784

L4 Transporter

Hi,

 

Anyone else notice an increased amount of Suspicious HTTP Response Found (ID 54319) after installing AppID 8029-4784?

 

The Threat Vault description: This signature detects a suspicious HTTP response

Category: protocol anomaly

PAN-OS min version: 8.0.0

Severity: low

Action: alert

First release: 785

 

Want to see if others are seeing the same thing on their firewall?  It looks like it is catching http get file transfer.  What makes it suspicious?

 

[Attachment: 54319.png]

3 REPLIES

Cyber Elite

@nextgenhappines,

I've noticed an uptick, but it's something that I notice quite a lot anyways with our users. 

Trying to understand what "suspicious HTTP response" means from PAN's point of view; it would be nice to have a more descriptive explanation. It is a low severity, but why is it set to alert?

 

 

@nextgenhappines,

Unfortunately they kind of stopped publishing exactly what the signature in question is looking for; however, all of the Suspicious HTTP Response Found signatures focus on looking for different characters in the HTTP response header. For example, '40400' looks for "x00". They are essentially looking for a character set that shouldn't actually exist in the response header.

The real issue is that most people don't take the standard seriously and include whatever they want within the response header, because generally it doesn't cause any issues. It's set to alert because you can actually use the response header to give commands to infected machines. So if an infected machine reaches out to a CnC server, it can put control information within a response header.

 

I'll clarify this by saying that there are a lot of services that don't actually respect RFC 2616 or the further-defined RFC 7230. Slack is one that I can think of at the moment that is horribly out of scope and is rightfully identified, but it is a known application.
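The reply above explains these signatures as checks for characters that the HTTP grammar does not allow in a response header. The following is an added example, written for this thread and not Palo Alto's signature logic, that implements the general version of that check against the RFC 7230 header grammar: it audits the status line, the field-name token characters and the field-value octets (rejecting NUL, other control characters and DEL) and reports what it found. The sample responses are constructed inline; the function and header names are hypothetical.

```python
import re
from typing import List

# RFC 7230 section 3.2.6: a field-name is a token made of tchar octets.
TCHAR_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# RFC 7230 section 3.2: field-value octets are VCHAR (0x21-0x7E), SP, HTAB,
# or obs-text (0x80-0xFF). NUL, the other C0 controls and DEL are disallowed.
FIELD_VALUE_RE = re.compile(rb"^[\x09\x20-\x7E\x80-\xFF]*$")
# RFC 7230 section 3.1.2: status-line = HTTP-version SP status-code SP reason-phrase
STATUS_LINE_RE = re.compile(rb"^HTTP/\d\.\d [1-5]\d\d(?: [\x09\x20-\x7E\x80-\xFF]*)?$")


def audit_response_head(raw: bytes) -> List[str]:
    """Return a list of findings for the header block of a raw HTTP response.

    An empty list means the status line and every header field conform to the
    RFC 7230 grammar; each finding names the line and the problem.
    """
    findings: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if not STATUS_LINE_RE.match(lines[0]):
        findings.append(f"malformed status line: {lines[0]!r}")
    for lineno, line in enumerate(lines[1:], start=2):
        if b"\n" in line:
            # A bare LF survived the CRLF split, so the line ending was wrong.
            findings.append(f"line {lineno}: bare LF inside header line")
        if line[:1] in (b" ", b"\t"):
            # obs-fold: deprecated line folding, a classic parser-confusion source.
            findings.append(f"line {lineno}: obsolete line folding (obs-fold)")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            findings.append(f"line {lineno}: missing ':' in header line {line!r}")
            continue
        if not TCHAR_RE.match(name):
            findings.append(f"line {lineno}: invalid field-name {name!r}")
        value = value.strip(b" \t")
        if not FIELD_VALUE_RE.match(value):
            # Report exactly which disallowed octets appeared (NUL, CTLs, DEL).
            bad = sorted({f"0x{b:02x}" for b in value
                          if (b < 0x20 and b != 0x09) or b == 0x7F})
            findings.append(
                f"line {lineno}: disallowed octets {bad} in value of {name!r}")
    return findings


# Constructed sample responses (not captured traffic).
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: text/html\r\n"
         b"Content-Length: 5\r\n\r\nhello")
NUL_IN_VALUE = (b"HTTP/1.1 200 OK\r\n"
                b"X-Session: abc\x00def\r\n\r\n")
BAD_NAME = (b"HTTP/1.1 200 OK\r\n"
            b"X Custom Header: value\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("nul-in-value", NUL_IN_VALUE),
                          ("bad-name", BAD_NAME)):
        print(label, audit_response_head(sample) or "no findings")
```

Running it shows the clean response produces no findings, the response with a NUL byte in a header value is reported with the offending octet (the "x00" case the reply mentions), and the header with spaces in its name is flagged as an invalid field-name. Because the check is grammar-based rather than a fixed byte pattern, it also catches the other control characters the reply alludes to, which is useful when triaging whether a 54319 alert is a sloppy but known application or something worth a closer look.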

  • 3245 Views
  • 3 replies
  • 1 Likes