09-28-2022 08:25 AM
First off, I am fairly new to Palo Alto firewalls. Yesterday we received a number of alerts over a one minute period related to a Domain Generation Algorithm threat. The source was an internal IP address, the destination was an external IP address. The action taken was sinkhole. The rule was DNS Forwarders.
I don't fully understand what this is telling me. At first glance, it appears I may have something running on an internal device try to talk to a C&C server. However, it may also be something going on with the sinkhole.
Does anyone have any thoughts on what's going on or a resource that will help me better understand this threat? I've done some research on DGA threats and have a basic understanding of them, but not sure how it applies to what I'm seeing.
Thanks, Kelley
10-01-2022 11:48 PM
Hello @kshaddrick
thank you for reply.
When it comes to getting details of the logs, the options limited. You can get more information by clicking on magnifying glass, then under: "Details", you can see what threat ID has triggered it. By clicking on: "View in Threat Vault" you can domain name. I personally use 3rd party commercial Threat Intel product to cross check URLs to get more details beyond what I can get from Firewall / Threat Vault. I randomly went through logs and with Action: sinkhole and Severity: medium, many of the domains were flagged with low indicator score in 3rd party Threat Intel platform. It is hard to judge, depending on size of your organization and end point types some of these alerts are expected. For example in my case most of these are coming from guest subnets.
If all your DNS requests from clients are forwarded to internal DNS servers that is resolving domain, then to get logs of what clients are sources of this potentially malicious requests, you will have to filter logs to sinkhole IP address. Please refer to section: "Client Using Internal DNS Server" in this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2
If you know the internal IP address of the hosts, you check client itself.
Kind Regards
Pavel
09-28-2022 02:58 PM
Hello @kshaddrick
thank you for post.
To check details of signature that is triggering this alert please navigate to Monitor > Logs > Threat, then you can narrow down logs by using filter: (threat-type eq spyware). After clicking on magnifying glass icon for Detailed Log View, refer to Details where you can see details of the threat. Here is the reference: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/domain-gene...
Regarding the rule that is getting hit and action of Sinkhole, depending on your setup this is expected. When potentially infected client is requesting malicious domain, your internal DNS server will look up this request. If signature is triggered, Firewall will intercept this and forge Sinkhole IP address instead. This IP address is returned to potentially infected client that will communicate with Sinkhole IP instead of C&C server. By reviewing logs you can track internal IP address of infected client. Details how this work are in below KB and documentation:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGECA0
Kind Regards
Pavel
09-30-2022 08:04 AM
Thanks for the reply Pavel. I looked at the documents you provided and have a better understanding of the sinkhole process. When I look at either the traffic log or the threat log, I see hundreds of "sinkhole" entries. The entries in the threat log are almost all "low" severity. There are about a dozen that are "high" severity. If I filter the traffic log by "sinkhole", I don't see any traffic that corresponds with the high severity entries in the threat log.
I'm finding it difficult to believe that these are all bots or infected end points. We run a highly rated antivirus/antimalware product that isn't reporting any issues on the end points in question. Any thoughts on what I can look at to better understand what these logs are telling me?
Thanks,
Kelley
10-01-2022 11:48 PM
Hello @kshaddrick
thank you for reply.
When it comes to getting details of the logs, the options limited. You can get more information by clicking on magnifying glass, then under: "Details", you can see what threat ID has triggered it. By clicking on: "View in Threat Vault" you can domain name. I personally use 3rd party commercial Threat Intel product to cross check URLs to get more details beyond what I can get from Firewall / Threat Vault. I randomly went through logs and with Action: sinkhole and Severity: medium, many of the domains were flagged with low indicator score in 3rd party Threat Intel platform. It is hard to judge, depending on size of your organization and end point types some of these alerts are expected. For example in my case most of these are coming from guest subnets.
If all your DNS requests from clients are forwarded to internal DNS servers that is resolving domain, then to get logs of what clients are sources of this potentially malicious requests, you will have to filter logs to sinkhole IP address. Please refer to section: "Client Using Internal DNS Server" in this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk2
If you know the internal IP address of the hosts, you check client itself.
Kind Regards
Pavel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
