Detection of Critical Vulnerabilities, what does it mean ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Detection of Critical Vulnerabilities, what does it mean ?

L2 Linker

Hi All,

When Palo alto firewall detects a vulnerability ( in the ACC tab, threats widget ), what does it mean exactly?

( The source IP is private IP and destination is a public IP )

1.Does it mean that the server is infected and is sending out traffic to some malicious IP. 

2.Does it mean that the server is not infected but it contains software which could be exploited via the vulnerability detected.

3.Or it means something else totally?

1 accepted solution

Accepted Solutions

L6 Presenter

It means 4.The PaloAlto has detected traffic which it has categorized as a threat. This may be an actual threat, or it may be a false alert, you need to look deeper at the logging to determine what exactly it is alerting on and whether it was blocked/connection reset or was just an alert (depending on the type and severity of the alert, different actions can occur). Since you say this is from an internal IP to an external IP, this could be malware calling home, "bad" or suspect DNS requests, attempts to compromise external addresses, or something that was just misidentified as such.

 

Start by going to the logs at Monitor -> Threat and look at the details of the individual threat detections. It may indicate a particular malware/virus/etc. with links to a ThreatID number with more information. Or it may be something benign that is just being alerted to. For example: A alert log that a workstation is doing DNS lookups of a domain associated with malware. Or one we frequently get, "HTTP Unauthorized Brute Force Attack" logs where in the morning a client window has been left open to a website and the user auth has expired, the user attempts to refresh the page which results in a string of 401 Unauthorized server responses which the PaloAlto misidentifies as an attempt to brute force user login.

View solution in original post

2 REPLIES 2

L2 Linker

Can anyone help on this ?

L6 Presenter

It means 4.The PaloAlto has detected traffic which it has categorized as a threat. This may be an actual threat, or it may be a false alert, you need to look deeper at the logging to determine what exactly it is alerting on and whether it was blocked/connection reset or was just an alert (depending on the type and severity of the alert, different actions can occur). Since you say this is from an internal IP to an external IP, this could be malware calling home, "bad" or suspect DNS requests, attempts to compromise external addresses, or something that was just misidentified as such.

 

Start by going to the logs at Monitor -> Threat and look at the details of the individual threat detections. It may indicate a particular malware/virus/etc. with links to a ThreatID number with more information. Or it may be something benign that is just being alerted to. For example: A alert log that a workstation is doing DNS lookups of a domain associated with malware. Or one we frequently get, "HTTP Unauthorized Brute Force Attack" logs where in the morning a client window has been left open to a website and the user auth has expired, the user attempts to refresh the page which results in a string of 401 Unauthorized server responses which the PaloAlto misidentifies as an attempt to brute force user login.

  • 1 accepted solution
  • 4157 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!