Suspicious TLS Evasion Found(14978)


L4 Transporter

Dear Team,

I have configured the web service behind the PA and attached the security profile. I can see in the threat logs that the threat "Suspicious TLS Evasion Found(14978)" is being generated.

I have gone through the KB below but didn't understand it.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBwCCAW&lang=en_US%E2%80%A...

Moreover, I can see the threat signature is showing in the exception list, so I have enabled it and set the action to alert. The severity is informational. Do I need to take any action on this?


The severity is informational.


4 REPLIES

L5 Sessionator

Please see our best practices guide here, in which we recommend changing the default alert behavior to drop. 


Cyber Elite

@Jafar_Hussain,

The piece that is actually relevant to your alert:

Evasion signatures that detect crafted HTTP or TLS requests can send alerts when clients connect to a domain other than the domain specified in the original DNS request. Make sure to configure DNS proxy before you enable evasion signatures. Without DNS proxy, evasion signatures can trigger alerts when a DNS server in the DNS load balancing configuration returns different IP addresses—for servers hosting identical resources—to the firewall and client in response to the same DNS request.


If you haven't used a DNS proxy object you can ignore these alerts, or override the action to allow so they don't fill up your threat logs. By default the 14978 signature is actually already set to allow, so you've either modified the default action or set up a policy that otherwise overrides the default action for simple-informational alerts to receive any notice about these threats to begin with.

I'd recommend that you either configure the DNS proxy object and get that set up so the signature actually functions correctly, or you set the action back to allow. Without the DNS proxy configured they aren't going to work effectively, which is why they are set up as informational allowed threats.
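As an added illustration (not code from this thread or from Palo Alto Networks), a simplified model of why signature 14978 can fire without a DNS proxy: the firewall compares the SNI in a TLS ClientHello against the DNS answers it has observed for that name, and a load-balanced resolver that hands the client a different A record than the firewall saw looks like evasion. All names, addresses and the resolver behaviour below are constructed sample data, not real infrastructure.

```python
"""Toy model of the DNS-context check behind the TLS evasion signature."""
from dataclasses import dataclass, field


@dataclass
class FirewallDnsCache:
    # name -> set of IPs the firewall has observed in DNS responses for it
    answers: dict = field(default_factory=dict)

    def observe_response(self, name, ips):
        self.answers.setdefault(name, set()).update(ips)

    def check_tls(self, sni, dst_ip):
        """True when the ClientHello looks like evasion: SNI is a name the
        firewall resolved, but the destination IP was never in its answer."""
        seen = self.answers.get(sni)
        if seen is None:
            return False  # no DNS context for this name; cannot judge
        return dst_ip not in seen


def load_balanced_resolver(pool):
    """Constructed DNS load balancer: returns the next pool member per query."""
    state = {"i": 0}

    def resolve(name):
        ip = pool[state["i"] % len(pool)]
        state["i"] += 1
        return [ip]

    return resolve


def scenario(use_dns_proxy):
    """Return whether 14978 would fire for one client connection."""
    resolve = load_balanced_resolver(["203.0.113.10", "203.0.113.11"])
    fw = FirewallDnsCache()
    name = "app.example.com"  # constructed hostname
    if use_dns_proxy:
        # Client queries through the firewall's DNS proxy, so the firewall
        # caches exactly the answer the client is about to use.
        answer = resolve(name)
        fw.observe_response(name, answer)
        client_ip = answer[0]
    else:
        # Firewall and client each get their own answer from the load
        # balancer; the second query returns the other pool member.
        fw.observe_response(name, resolve(name))
        client_ip = resolve(name)[0]
    return fw.check_tls(name, client_ip)
```

Without the proxy the mismatch is a false positive caused purely by DNS load balancing, which is why a drop action on this signature can break legitimate traffic.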

@BPry I have checked; according to the documents below, the best practice is to set the action to drop for evasion signature 14978.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/best-practices-for-secur...

Moreover, if I set the action to drop, the service stops and all the traffic for my server, to which I have attached the anti-spyware profile, is dropped.

I have configured the anti-spyware profile below:


So now, I want to allow the traffic, but an alert should not come. What do I need to do?

- Do I need to allow the traffic instead of alerting in the exception?

- If alerts are coming, can I ignore them?

- Or, to make it work properly, do I need to configure the DNS proxy? I believe that if I configure the DNS proxy and set everything to drop in the anti-spyware rule and exception, it will work, or not?


L5 Sessionator

DNS Proxy just allows the firewall to cache DNS responses and forward to your internal server, if you choose. See here. You *must* configure a DNS proxy for the TLS evasion blocks to work properly. 
