Threat ID 92632 was added late 6/3 for the new Atlassian 0-day exploit. All morning we have been seeing false positives on the new signature. Anyone else seeing the same?
We are seeing the same false positive.
I opened a ticket with the TAC and they are requesting a full packet capture. I'm hesitant to do this on Prisma gateways because it's unclear how to reproduce the traffic AND the destination IP changes, so the packet capture could be running and running.
We are using the SaaS version of Atlassian, and according to the Security Advisory (https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html):
Atlassian Cloud sites are protected
If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable.
Our investigations have not found any evidence of exploitation of Atlassian Cloud.
So I'm tempted to make a signature exception in the Antivirus Profile.
Are you receiving the alert on connections to your Atlassian instance? Or on connections from your users to a random third party website? For my false alert (and others I believe), there is no Atlassian server involved at all.
From the threat alert there should be a packet capture. If you export that capture and open it in Wireshark you can reassemble the packets into a formatted output: select a packet in the capture and select "Follow -> TCP Stream". A new window will pop up with the assembled request, showing lines like:
GET - the URL path
Host - the host server FQDN that was connected to
Referer - the original server FQDN of the page that the reference to the URL was in (if it was an included object)
You should be able to identify the destination and recreate the alert by copying the host and URL into a separate browser window and downloading again.
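As an added example (not code from the thread or from Palo Alto), this parses the client side of a Wireshark "Follow TCP Stream" dump into its method, path, Host and Referer, and derives the URL and headers needed to re-request the object on its own so the alert can be reproduced with a narrow capture. The stream text, hostnames and paths below are constructed placeholders, and the scheme is assumed to be plain http (use https if the capture came from decrypted TLS).

```python
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample of what "Follow -> TCP Stream" shows for the
# client side of a request. Hostnames and paths are placeholders.
SAMPLE_STREAM = (
    "GET /ad/script.js?cb=123 HTTP/1.1\r\n"
    "Host: ads.example.net\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: https://news.example.com/story\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # lowercase names

    @property
    def url(self) -> Optional[str]:
        # Assumption: plaintext HTTP; a decrypted-TLS capture would be https.
        host = self.headers.get("host")
        return f"http://{host}{self.path}" if host else None

    def replay_headers(self) -> Dict[str, str]:
        # Carry over the headers a content signature is most likely to key
        # on, so the stand-alone request matches the embedded one.
        keep = ("referer", "user-agent", "accept")
        return {k: v for k, v in self.headers.items() if k in keep}

def parse_request(stream: str) -> HttpRequest:
    """Parse the request line and headers from a followed TCP stream."""
    head, _, _body = stream.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)

def curl_command(req: HttpRequest) -> Optional[str]:
    """Build a shell-safe curl line that re-requests just this object."""
    if req.url is None:
        return None  # no Host header, nothing to replay
    parts = ["curl", "-sS", "-o", "/dev/null"]
    for name, value in req.replay_headers().items():
        parts += ["-H", f"{name}: {value}"]
    return " ".join(shlex.quote(p) for p in parts + [req.url])
```

Run the printed curl line while a capture filtered to that host is active, and the resulting pcap contains only the request the signature is matching on.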
Yep, so the alert is hitting on the content included from pbc.bidswitch.net on usatoday.com. Bidswitch is an ad company. You can probably replicate the alert by calling the URL directly in your browser (you might have to play around with some HTTP variables). Once you can replicate the alert from calling the URL directly (instead of being buried in usatoday.com's code), it's easy to do a packet capture of just that request.