01-07-2020 08:49 PM
Hi All,
Recently, on my SIEM console, I could observe web traffic from an internal host machine towards a blacklisted IP over port 443. The alert was flagged by the PA-Series (Palo Alto firewall). I have observed two events:
1) CryptoMiner.Gen Malicious Script Detection
2) Traffic End
The first event contains the information below:
Application=web-browsing
proto=tcp|action=reset-both
ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)
URLCategory=insufficient-content
Flags=0x81502000
The second event contains the information below:
Application=web-browsing
proto=tcp|action=allow
URLCategory=insufficient-content
totalBytes=25865|dstBytes=24296|srcBytes=1569|totalPackets=27
Flags=0x1500010.
Based on the above events, I assume this traffic would have been generated from the web browser, because it was mentioned as (Application=web-browsing) and the threat ID contains CryptoMiner.Gen Malicious Script Detection; probably some JS script is present in the browser which may be causing this traffic.
On the first event, CryptoMiner.Gen Malicious Script Detection, the action is mentioned as reset-both. Does it mean that the connection was unsuccessful?
But on the second event, Traffic End, the action is mentioned as allow, but in my payload I am unable to view the Session End Reason field to determine the actual reason for the traffic end.
Since I am new to analysing Palo Alto logs, please advise whether I need to take any action for the above events.
Thanks in Advance
01-08-2020 07:25 AM
Hello,
Reset-both means that the PAN sent a reset packet to both the server and the client to terminate the connection, so yes, the connection was successful, but the PAN saw bad stuff and reset the connection. Also check the 'Type' or 'Log Subtype' column, depending on which log you are looking at, as it often also has useful info.
Hope that helps.
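Added example, not from the original thread or from Palo Alto: a small Python triage helper that parses the two events quoted in the question (reconstructed here as constructed samples) and applies the reset-both interpretation from the answer. Field names are taken from the post rather than any official PAN-OS schema, and the session-end value it reports is an inference, since the poster's traffic log lacked the Session End Reason field.

```python
"""Triage helper for a Palo Alto threat log paired with its traffic log.

Assumptions: field names as they appear in the post; '|'-delimited
key=value pairs; the session-end value is inferred, not read from a log.
"""
from typing import Dict

# Constructed sample events, rebuilt from the values quoted in the post.
THREAT_EVENT = (
    "Application=web-browsing|proto=tcp|action=reset-both|"
    "ThreatID=CryptoMiner.Gen Malicious Script Detection(18024)|"
    "URLCategory=insufficient-content|Flags=0x81502000"
)
TRAFFIC_EVENT = (
    "Application=web-browsing|proto=tcp|action=allow|"
    "URLCategory=insufficient-content|"
    "totalBytes=25865|dstBytes=24296|srcBytes=1569|totalPackets=27|"
    "Flags=0x1500010"
)


def parse_event(raw: str) -> Dict[str, str]:
    """Split a '|'-delimited event into a dict; values may hold spaces/parens."""
    fields: Dict[str, str] = {}
    for pair in raw.split("|"):
        if "=" not in pair:
            continue
        key, value = pair.split("=", 1)  # split once: ThreatID contains '('...')'
        fields[key.strip()] = value.strip()
    return fields


def triage(threat: Dict[str, str], traffic: Dict[str, str]) -> Dict[str, object]:
    """Combine a threat log and its matching traffic log into a triage verdict.

    reset-both means the session was established and the firewall then tore
    it down with a RST to both ends, so 'allow' on the traffic log only says
    the session was permitted to start, not that it ran to completion.
    """
    reset = threat.get("action") == "reset-both"
    packets = int(traffic.get("totalPackets", "0"))
    dst_bytes = int(traffic.get("dstBytes", "0"))  # bytes the server sent
    src_bytes = int(traffic.get("srcBytes", "0"))  # bytes the client sent
    return {
        "session_established": packets > 0,
        "terminated_by_firewall": reset,
        # Assumption: with no Session End Reason field, infer it from the action.
        "session_end_reason": "firewall reset (threat, inferred)" if reset else "unknown",
        "server_bytes_before_reset": dst_bytes,
        "client_bytes_sent": src_bytes,
        # Server bytes reached the client before the RST, so part of the script
        # may already be on the host: flag it for browser/endpoint inspection.
        "inspect_host": reset and dst_bytes > 0,
    }
```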
01-08-2020 07:10 PM
Thank you for the clarification