This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
About scottlsattler
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About scottlsattler
07-13-2016
5Posts
3Likes
0Solutions
Jul 13, 2016Last Visited
User
Activity
User
Profile
Latest posts by scottlsattler
| Subject | Views | Posted |
|---|---|---|
| 1670 | 07-02-2013 09:10 AM | |
| 3535 | 07-02-2013 07:11 AM | |
| 3534 | 06-19-2013 04:05 AM | |
| 5888 | 04-09-2013 12:06 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 2 Likes | 06-19-2013 04:05 AM | |
| 1 Like | 07-02-2013 07:11 AM |
User Badges
Community Statistics
| Member Since | 10-13-2011 08:50 AM |
| Date Last Visited | 07-13-2016 10:59 AM |
| Posts | 5 |
| Total Likes Received | 3 |
07-02-2013
09:10 AM
I write SIEM content (Mostly Arcsight and Q1), I have found PAN to be very effective in identifying adverse traffic. One thing that would be great, that in addition to recognizing the file type such as "file Microsoft PE File(52060)" which is useful as a poor mans DLP, with which I can track whats coming and going, it's only so effective by just having the file name. It would be much more effective if the md5 hash value of the file was written to the log file. Then I can correlate the log file md5 hash with my known bad hash database....Can this be done, is it there and I have missed it? Thanks
... View more
07-02-2013
07:11 AM
1 Kudo
I am not talking about the typical DNS tunneling. There are 20 clients out there that can do dns tunneling. I am talking about using the DNS protocol itself for command and control and data exfiltration, doesn't matter if you proxy or send up to root or your ISP. I see it all the time at clients, It would be nice if there was a signature that could detect (Without me continuing to write them) large TXT fields or protocol violations.....etc etc..
... View more
06-19-2013
04:05 AM
2 Kudos
DNS for ex filtration is catching many of the vendors off guard. Specialty vendors like Damballa do a fairly decent job. Don't expect a firewall vendor to invest the effort to track this type of ex filtration and CnC activity any time soon. You will find the typical signatures for tunneling protocols over DNS which are relatively easy to spot and so are the Gen 3/4 version of the DNS DGA malware that is out in the public. However malware that uses the additional dns fields to exfiltrate data or for CNC activity has not been looked at or addressed by any vendor that I know off. I know many of security folk who simply don't log or look at DNS traffic making it an ideal avenue for data exfiltration
... View more
04-09-2013
12:06 PM
If your looking for DLP get Vontu.......DLP "lite" is what you have here similiar to checkpoint......if you like being flooded with false positives, by all means..... I do have a question though on file content....I am writing some Arcsight use cases and tracking which file names are transfered over which application protocol by user. I do not seem to be able to find a document which outlines the signature matches for the various documents. (such as File microsoft MSOFFICE(52033) or a File Microsoft Office 2007 xls document 52024) etc etc..... I built some nice use cases with fireeye to pickup on the .jar files coming in but since this client doesnt have a dlp solution (yet) I do want to give an idea of what type of file names are leaving the perimeter to give them a little "boost" in acquiring DLP capability. Thanks
... View more
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks