Sinkhole dns-wildfire

How does the dns-wildfire threat category work? I've seen a log entry, but there isn't any traffic to the sinkhole IP. The action is sinkhole and reported as generic:malicious.domain1. I have confirmed that sinkhole does work for regular threat categ

Authorized file suddenly blocked as threat

We came into the office this morning to receive reports from users that they weren't able to access their core application which runs on apache web server.  When they login, the internet explorer URL directs the users to www[whatever-url]com/login.js

MINEMELD CSV OUTPUT to ArcSight Logger SIEM

Hi,

I've MineMeld running on Ubunto 14.04 TLS and everythings Ok.

Cunfigured CEF output e now I'm looking for a CSV output, that is for inputing on ArcSight Logger in order to use this csv in Lookups to match events.

Has anyone found/created any node

C&C Traffic Direction re China Chopper

Hi,  sorry if this is a stupid question, maybe we need a Reddit-style "ELI5" forum ;o)

I have been turning a blind eye to a background hum of China Chopper alerts for some time, so I thought I would try to understand what is going on.  The thing is t

Help with Microsoft DCE RPC Big Endian Evasion Vulnerability 33510

I have Googled this and read up on numerous links, but I cannot find anything of value on this threatID.  I have 30-40 events a day from various IP addresses on my network, usually 1 event per IP, sometimes 2 events.  I have scanned several of the PC

Blocked URL's are not getting blocked anymore

I configured a URL filering profile that doesnt filter any topic & just blocks 2 URL's as a test.  This was working a few days ago but stopped.  There have been no new changes commited since & the security policy is still in the same order.  Even loo

Threat blocked by Palo Alto: Is there anything else to do?

Hi,

When the Palo Alto blocks a communication that is flags as a threat (ie: SQL Injection, XSS, etc.), should we investigate the target IP to make sure that the threat was blocked? The reason I'm asking is that whenever the Palo Alto blocks an attac

Dynamic IP lists and FQDN?

The only type of external dynamic list i appear to be able to specify in my firewall policy is a dynamic IP list (not a dynamic domain list). And the formatting of such lists appears to be purely for IP addresses. So my question is, how can i specify

Recommended MineMeld prototypes/miners?

I defined two miners - Alient_Vault_Reputation and Bambenek_Consulting - and assigned them to the appropriate processor and output. I then added them to a global deny rule in PA.

Are there any other recommended prototypes with a high reputation to ad

URL Filtering Team creating MORE of a risk

Hi all,

Does anyone know how to directly interact with the URL filtering team besides urlfiltering.paloaltonetworks.com?  I would especially like to reach a manager.  I am having huge problems with them.  I keep submitting sites on which scanners hav