This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About ktm530russ
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About ktm530russ
11-16-2021
29Posts
4Likes
3Solutions
Nov 16, 2021Last Visited
User
Activity
User
Profile
Latest posts by ktm530russ
| Subject | Views | Posted |
|---|---|---|
| 6118 | 07-08-2013 02:14 PM | |
| 3318 | 07-08-2013 02:00 PM | |
| 1710 | 06-21-2013 10:45 AM | |
| 4154 | 06-20-2013 08:21 AM | |
| 4463 | 06-19-2013 04:45 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-29-2013 02:32 PM | |
| 3 Likes | 09-09-2011 12:17 PM |
User Badges
Community Statistics
| Member Since | 08-29-2011 10:06 AM |
| Date Last Visited | 11-16-2021 07:08 PM |
| Posts | 29 |
| Total Likes Received | 4 |
06-17-2013
04:26 PM
I am convinced that ANY pattern matching that includes any wildcards before the 7 character minimum limit does NOT work, even with a valid pattern. I would appreciate ANYONE testing to confirm this. Set up a Custom Application that mirrors DNS, then add a pattern matching for a specific DNS pattern with few leading characters ("fs.fed.us" maybe?) apply a Security Rule with this application, then run a DNS query to your DNS servers for this domain. I believe that even with a valid application pattern, and security rule, it will NOT get any hits on the rule... then change that pattern to one that has more than 7 leading characters before any wildcard/periods, it will probably work. Both of our blocking pattern matches work, because they have over 7 characters before the first "wildcard" period, but our third rule that requires the literal backslash has NEVER worked (I believe that the one random working web DNS request was a misconfiguration elsewhere).
... View more
06-17-2013
09:58 AM
Thanks for the quick response and suggestions. Ours is somewhat similar, but appears cosmetic. The device we did the 'commit' on will still be showing "synching to peer" when we get the error message. This will change to "Synchronized" on both devices after a short while. More of an irritant than an issue at this point, but wanted to know if this is just on our installation, or if it is a version issue...
... View more
06-17-2013
09:29 AM
This message appears (email, and SNMP trap) pretty much anytime I run a "commit" on the box. It appears cosmetic, as the GUI on both boxes show them being in synch. (possible latency/delay issues during synchsynch causing this mis-fire?) I noted this was an issue in the 3.x version of code, did they somehow "unfix" this bug? Anyone else experiencing this error message?
... View more
Labels:
- Labels:
-
Configuration
06-17-2013
09:09 AM
I am assuming the patterns for the Malware blocking are working, as the period (.) would be found as a wildcard, so the original string would still be read correctly for these, even though the "period/wildcard" could be any character. As for our DNS domain string, I think there may be an issue with the way I set up the Custom Application, or the Security rule, as one of the configuration attempts (and I do NOT remember which one), was hitting this rule for our inbound WEB traffic requests. I am somewhat confused as this rule was cloned from the MalWare rule, and only the text of the RegEx string was changed. (and traffic allowed on the Security Rule.) The Custom Application is set up as follows: Category = "general-internet", Subcategory = "internet-utility", Technology = "client-server", Parent App = "dns" Risk = "3" Signature = Condition = "OR condition 1", Operator = "pattern-match", Context = "dns-req-section", Pattern = " ab\.cdefgh.ij.us" (This is the latest iteration I am trying, I don't really care about the "period/wildcard" issues near the end of the string at this time...) I also tried changing the Context to "unknown-req-tcp-payload" and "unknown-req-udp-payload" with no change of status. I have our Security rule set up for ANY request to EITHER of our two DNS servers, for ANY traffic, with the Custom Application for above. (again, this Security rule was cloned from the Malware Security rule, then modified for the string and allowing traffic) Any other suggestions?
... View more
06-14-2013
10:55 AM
I was working on getting Data Filtering to block specific DNS requests with no resolution. So, I am creating a Custom Application for DNS with a Pattern matching, which is partially working. Working strings: Under Objects/Applications/("Added applications, DNS DDOS, DNS DDOS1, OUR DNS"). Configuration: Category = "general-internet", Subcategory = "internet-utility", Technology = "client-server", Parent App = "dns" Risk = "3" Signatures, Added first two (OR condition) with the following: Context = "dns-req-section", Pattern = "ddostheinter.net" (Not sure if it is parsing the ".net" portion of this string) Context = "dns-req-section", Pattern = "directedat.asia" (again not sure of the parsing after the period) Set to a Security rule, and it blocks these specific DNS requests to our firewall. So, I am attempting to set up to only ALLOW legitimate requests for OUR public services (OUR DNS), and having issues. Context = "dns-req-section", Pattern = "ab.cdefgh.ij.us", returns error (I have obscured our legitimate DNS domain) " -> signature -> DNS -> and-condition -> And Condition 2 -> or-condition -> Or Condition 1 -> operator -> pattern-match -> pattern 'ab.cdefgh.ij.us' is invalid. pattern must be at least 7 bytes" I have also tried several iterations, including: '.*(ab.cdefgh.ij.us)' - returns same error as above. 'ab\.cdefgh\.ij\.us' - No error, but applying to a Security Rule, it does NOT match any traffic on this rule, although it (this DNS traffic) IS allowed in another Security Rule further down... '.*(ab\.cdefgh\.ij\.us)' - same as above, no error, but not matching Rule.
... View more
Labels:
- Labels:
-
Configuration
-
Networking
-
Troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-16-2021
07:08 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks