traffic logs as type - spyware and vulnerability -------session end reason threat

Reply
Highlighted
Cyber Elite

traffic logs as type - spyware and vulnerability -------session end reason threat

 

under unified logs i see the application DNS  and when i click on detailed log view sometimes i see 

 

type as vulnerability  and action reset both           session end reason threat

 

type as spyware and action as drop                       session end reason threat

 

Need to know type vulnerability and spyware are using this security profiles   vulnerability and antispyware?

 

why DNS traffic shows as spyware?

 

also when we see that session end reason is threat does it mean PA drops the traffic ???

 

 

MP
Highlighted
Cyber Elite

@MP18,

DNS can be identified via a number of different vulnerabilities and spyware signatures, and the action would be dependent on the profile applied to this traffic. 

More often then not when DNS traffic is identified with Spyware signatures it's due to the user requesting certain domains that have been identified and this traffic will almost always have an action of drop if you've left everything setup to default. With the action setup as Drop the client simply wouldn't be able to resolve the domain. 

DNS traffic is actually failry reqularly seen under Vulnerability and some of them are simply informational ( 'DNS Zone Transfer AXFR Response' 'DNS Zone Transfer AXFR Attempt'). You'd either have to share the signature you are hitting or really look at your profile to figure out what's exactly going on here. 

 

session_end_reason threat doesn't necissarily mean anything other then a threat was identified somewhere within the session traffic. Going into detailed log view will show you exactly what happended and what action was taken once the threat was identified. 

 

 

Highlighted
Cyber Elite

strange thing is that under unified i only see traffic logs no threat logs.

when i go to threat logs i see this signature 18003.

 

unified logs does not show threat logs and threat id.

so it means that this signature as per threat vault is anti spyware signature.

 

how often this antispayware signature gets dynamic updates?

if i use app override for the dns application traffic then i will avoid the l4 to l7 inspection right?

 

Regards

Mike

MP
Highlighted
Cyber Elite

@MP18,

You can enable or disable what Log Types you wish to show in the Unified Logs, verify that you have Threat enabled. Click on the 'Effective Querries' icon to the left of the magnifying glass if using the GUI, then make sure the little check box by Threat is checked. 

Capture.PNG

"unified logs does not show threat logs and threat id.

so it means that this signature as per threat vault is anti spyware signature."

Correct, 18003 detects data infiltrations over DNS; I haven't known this signature to be wrong unless using certain antivirus products that actually update information via DNS. I would highly recommend you look into the machine that is getting identified and verify it isn't infected. 

 

 

"how often this antispayware signature gets dynamic updates? Doesn't really have a set schedule, updates are pushed as needed. Once a month Palo Alto pushes new application signatures, but updates can be multiple times per week and even multiple per day. 

if i use app override for the dns application traffic then i will avoid the l4 to l7 inspection right?"

Depends on how you build it out, if you override to DNS then no, inspections would still take place since DNS is a built-in application. Regardless, I really wouldn't recommend this as DNS is actively used to extract information. 

Highlighted
Cyber Elite

i check on the left hand side and verify that show effective queries all is selected.

threat is also checked there.

 

does this mean it is antispy ware signature as we do not see this under unified logs?

 

on threat logs i see attack and victim.

and machines are dns server and proofpoint appliance.

so when i see attacker and victim how can i know which is source and destination ?

is victim always be the affected in threat logs?

 

Appoverride 

 

i have built custom app with  app dns and port tcp and udp 443.

then i created app override policy

then under security policy i have choose this custom app dns on tcp and udp port 443.

 

i have read that if you use app override then PA doet do anything afrom l5 to l7?

please confirm this?

MP
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!