Memory Corruption Exploit

Good day,

This may be a silly question we have been getting memory corruption exploit Alerts from a certain endpoint. Client does see them as cause for concern.

On a single end point would it be cause for concern to see multiple memory corruption expl

How to detect domain fronting

Hi,

did anyone manage to write a custom signature to detect domain fronting?

PA extracts the Host header, so in theory it should be possible to detect if the Host header is different from the URL?

Alternatively, if one could log the Host header one co

Unit42 STIX 2.0 feeds

I'm running my own Anomali STAXX server. I'm trying to ingest these Unit 42 feeds.  Do they still exist? The page is still up and I registered and created my API keys. No matter what I try to do, I can't get Anomali STAXX to connect. https://stix2.un

ThreatID 81845 - Generic PHP Webshell File Detection false positives

Anyone else seeing a large number of threat alerts this morning for the new generic signatures added last night? Seeing dozens this morning coming from user document downloads from a trusted financial source. I haven't fully decrypted the data yet, b

Uptick in Solarwinds exploit domain flagging

Starting early Saturday morning (4/23) we started getting a large number of DNS threat alerts for 3 domains associated with the Solarwinds exploit. These domains are now resolving to multiple Leaseweb IPs (as I recall, they were NX previously). Diggi

CVE-2022-0778 mitigation with Threat Prevention

Hi,

Following the CVE-2022-0778 vulnerability, I would like to apply the workaround to reduce the risk of attack until the PAN-OS update is released.

According to the security ticket, you have to activate the Threat IDs 92409 and 92411 but how to do

CVE-2022-0778 OpenSSL infinite loop vulnerability

CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (paloaltonetworks.com)

Further to this one, it mentions that Globalprotect is affected but doesnt say whether a client software update is required.

Do you know if the Global

policy, objects and smtp

howdy,

I can not get my head around how to do this.

Allow smtp from a country but block every other service, application.

You can negate countries but not services/applications.

can one do any/any with an exception?

Thank you

Threat Signature Pattern Lookup

How can I lookup what pattern(s) a particular threat signature is looking for?

Wildfire and Vulnerability Protection Signatures

The Wildfire engine obviously has a large impact on AV signatures, URL-Filtering categorization, and DNS Security, but I was curious if it plays any part at all in creating new vulnerability protection threat IDs? 

If not, then are new IDs created so

Signatures or Definition files

I have learned of a vulnerability from our security team with a file named "trello.dll". Is there a way to know what is covered  in the signatures and definitions?

How to Block RClone

If I search for rclone in the applications on my PAN 3220 w 9.1, I am not spotting "rclone". 
Is there a means of identifying and blocking rclone traffic?

https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/

Palo Alto Networks PAN-OS 8.1.x / 9.0.x / 9.1.x / 10.0.x Improper Input Validation

Hi All,

I would like to verify some vulnerability as in PAN OS Advisory for  "Low- PAN-OS 8.1.x / 9.0.x / 9.1.x / 10.0.x Improper Input Validation"

Also there are detected by Nessus scanner for "High- SQLi scanner and low- Auto completion finding".

Is

PoshC2 false positive

Hello,

We are seeing what appears to be false positive detections for the PoshC2C vulnerability signatures that was released recently. Connections going to Google and BBC, is anyone else seeing the same thing here?