This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
About wolkenfeld
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About wolkenfeld
08-18-2015
5Posts
0Likes
0Solutions
Aug 18, 2015Last Visited
User
Activity
User
Profile
Latest posts by wolkenfeld
| Subject | Views | Posted |
|---|---|---|
| 3930 | 08-06-2013 01:45 PM | |
| 3930 | 07-24-2013 01:54 PM | |
| 4101 | 07-24-2013 12:22 PM | |
| 4101 | 07-24-2013 08:09 AM | |
| 4221 | 07-23-2013 09:21 AM |
User Badges
Community Statistics
| Member Since | 01-28-2013 07:25 AM |
| Date Last Visited | 08-18-2015 09:07 AM |
| Posts | 5 |
08-06-2013
01:45 PM
Pardon me for the late reply, please; yes, we took a packet capture and have uploaded this capture to our ticket (ticket #: 00149001). Please let me know if this will suffice for now, or if there is anything else we can provide you with in helping us develop a filter to test against this scanner. Thank you so much, Dovid
... View more
07-24-2013
01:54 PM
SRA, thank you for your speedy reply. As the Acunetix CTO stated "All editions are making a request to the following URL before starting the scan:http://{website}/acunetix-wvs-test-for-some-inexistent-file" OK, I re-ran an experiment scan after our firewall guy hit "session" in the rule: same results. What can we do from here - any ideas? Thanks again, Dovid
... View more
07-24-2013
12:22 PM
SRA, we tried your suggestion but met with only limited success. Here's the experiment we did: Our firewall guy created a custom application which identified the initial connection attempt by Acunetix based on the signatures that the Acunetix CTO gave us. I then downloaded a free, community edition of Acunetix, version 8, and ran a scan against a URL which resides behind our firewall. The result was this: Palo Alto firewall noticed the signature present in the first couple of packets and, so, blocked those packets. Subsequent packets (from the same source IP), which lacked these signatures, were not identified as part of the banned application and were allowed through. Is there some we can create a DDoS trigger that can block the originating IP? Etc. What can we do about this? Please advise. Thank you again, Dovid
... View more
07-24-2013
08:09 AM
Thank you SRA, I have communicated your response to our firewall manager; we'll be in touch...
... View more
07-23-2013
09:21 AM
Dear PAN Developers, Several times now a developer on our side has reported to us from monitoring tools he manages that people have scanned our critical applications with a freely available Web Application Vulnerability scanner from Acunetix. Our CSO contacted the CTO of Acunetix asking how can we could fingerprint their scanner so as to protect our applications from it. Their CTO wrote this: "About blocking the attack: I don't know exactly what edition was used to scan your website. Some of our editions send the following header with each request: Acunetix-Scanning-agreement:Third Party Scanning PROHIBITED Check if you can see this header and block based on that.However, if they are using a Consultant edition, this header is not sent. All editions are making a request to the following URL before starting the scan: http://{website}/acunetix-wvs-test-for-some-inexistent-file. So, you can also look for that." Please let me know if, based on this information, you can create for us a method by which to finger print and (dynamically) filter traffic from this scanner in the future. Our current countermeasure - waking up our network engineers and having them manually add the source IP of the scanner (which varies with each attack) - is time consuming... Thank you so much Dovid
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-18-2015
09:07 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks