Today I sent two requests to get 2 IPs categorized as malicious (Command and Control) to Palo Alto. The IPs are:
The current category for both of them is: insufficient-content
However, these IPs are being associated with botnet/command and control behavior by our SIEM and flagged as such, as our Palo Alto Networks allows sessions connecting to these IPs to go through.
Here's what I submitted for each IP when I requested a new categorisation.
You can see from the VirusTotal reports alone that there's plenty of suspicious activity coming from these IPs, and that other vendors are also flagging them as malicious.
My question is: do Palo Alto really consider these IPs as safe, and not harmful? What other pieces of evidence should I have linked with my request to put more weight into it? Are VirusTotal reports, threat intel from other sources (IBM X-Force Exchange, AlienVault, etc.) not enough? Do you need an actual malicious sample (SHA-256, MD5 hash, etc.) or else?
Has anyone else been in the same situation as me?
Hello, while it does appear that both IP addresses you have mentioned are associated with suspicious activity, we will often categorize certain sites as insufficient-content for the following reasons:
Websites and services that present test pages, no content, API access not intended for end-user display, or that require authentication without displaying any content that suggests a more specific categorization. Sites absent of content, or those with no useful content such as server test pages make it difficult to identify the intent or business of a site and categorize accordingly.
If you would like to open a case with our support team we would be happy to investigate these IPs further and request C2 categorization on your behalf.
Thank you for your answer. I understand the "Insufficient content" categorization, though from the description, I hope that Palo Alto doesn't try to simply access the IP to see if it displays anything, and if not, put it in the "insufficient-content" category. A more thorough investigation of the IP (DNS records, associated activity, etc.) should be done in my opinion.
I'll open a ticket with the Support and see if they want to push the investigation a bit deeper.
IP addresses that are typically associated with malicious activity tend to be ephemeral since the devices engaging in C2 are often times benign devices that have been compromised.
URL Categorization is for websites, and it's limited to HTTP traffic, that's why you would see an insufficient-content categorization.
IP addresses in the pre-built EDLs (High-risk and Known-malicious) are exhaustively and manually vetted to make sure they are not ephemeral, benign compromised hosts.
Instead of creating IOCs based on IPs, we are interested in identifying traffic by its patterns, so that if the C2 moves to a different IP the signature continues to be useful. We would therefore recommend engaging support and presenting a packet capture of the C2 traffic, so that we can build a signature based on traffic patterns instead of destination IPs.
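On the EDL point above: the reply says IP blocking on the firewall comes from External Dynamic Lists rather than URL categorization, so one practical check for a case like the question's is whether the destinations the SIEM flagged are actually covered by the list you feed the firewall. The following is an added example (not code from the thread or from Palo Alto Networks): it validates a self-hosted IP EDL file and reports which alert IPs it covers. The list and alert IPs are constructed from documentation address ranges, and the accepted entry syntax (single IP, CIDR, `first-last` range, `#` comments) is an assumption to confirm against your PAN-OS release notes.

```python
import ipaddress

# Constructed sample EDL (documentation address ranges, not real indicators).
SAMPLE_EDL = """\
# custom C2 block list, one entry per line
203.0.113.10
203.0.113.0/28            # whole /28 seen in the SIEM alert
198.51.100.5-198.51.100.9
2001:db8::1
not-an-ip                 # typo that would make the firewall skip the entry
"""
# Constructed SIEM alert destinations to check against the list.
ALERT_IPS = ["203.0.113.10", "203.0.113.12", "198.51.100.7", "198.51.100.10"]

def parse_edl(text):
    """Turn EDL text into ip_network objects; collect malformed entries (assumed syntax: IP, CIDR, first-last, # comment)."""
    nets, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comment and whitespace
        if not entry:
            continue
        try:
            if "-" in entry:                     # first-last range -> list of CIDRs
                first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                nets.extend(ipaddress.summarize_address_range(first, last))
            else:                                # single IP or CIDR (host bits tolerated)
                nets.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError) as exc:   # malformed address, mixed versions, reversed range
            errors.append((lineno, entry, str(exc)))
    return nets, errors

def covered_by(nets, ip):
    """Return the EDL networks containing ip; an empty list means the EDL does not block it."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr.version == n.version and addr in n]

def coverage_report(edl_text, alert_ips):
    """Map each alert IP to the number of EDL entries that cover it."""
    nets, _ = parse_edl(edl_text)
    return {ip: len(covered_by(nets, ip)) for ip in alert_ips}

if __name__ == "__main__":
    nets, errors = parse_edl(SAMPLE_EDL)
    for lineno, entry, why in errors:
        print(f"line {lineno}: rejected {entry!r}: {why}")
    for ip, hits in coverage_report(SAMPLE_EDL, ALERT_IPS).items():
        print(f"{ip}: {'covered' if hits else 'NOT covered'} ({hits} entries)")
```

An IP reported as NOT covered, with the session still allowed, points at a gap in the list rather than at URL categorization; rejected lines are the ones to fix before the firewall refreshes the EDL.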