This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About JuanB
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About JuanB
01-14-2021
5Posts
0Likes
0Solutions
Jan 14, 2021Last Visited
User
Activity
User
Profile
Latest posts by JuanB
| Subject | Views | Posted |
|---|---|---|
| 6481 | 05-23-2016 01:46 PM | |
| 6562 | 05-23-2016 01:39 PM | |
| 6568 | 05-23-2016 01:30 PM | |
| 6631 | 05-23-2016 12:36 PM |
User Badges
Community Statistics
| Member Since | 09-18-2015 08:45 AM |
| Date Last Visited | 01-14-2021 06:03 AM |
| Posts | 5 |
05-23-2016
01:39 PM
OK, Cole thanks for your help.
BTW, do you know if there is any way to do what i need with the current PANOS?
THanks in advance.
... View more
05-23-2016
01:30 PM
rcole, thanks for your answare. What im actually traying to do is capture in a pcap file every try of ntlm auth from a desktop machine with the hostname "jbonaldo". I attached you a pcap file with the capture and here it is a screenshot of what information im traying use to trigger my custom signature (and than, when the signature triggers capture this fail login).
In the pcap file (row 10) you can see that the hostname is actually in the package sended to the server so, in teory, we can see this information with the palo alto and trigger the custome signature and then, capture the traffic.
... View more
05-23-2016
12:36 PM
Hello guys,
We recently discover that sometimes, ramdonly, host called "Windows7" trays to mount a shared folder from our fileserver/DC. We discover this because our SIEM correlated some events from de DCserver. Sadly this SIEM do not show us the Source IP Address so, we add a PAN in SPAM port mode to the switch to tray to capture the ms-smb fail logons.
We started by adding the default custome signature and setting up to triggers with 5 events in 120 seconds (just like the SIEM's alert) but that do not work. Now we are traying to make a custome signatere that triggers when any package with the string "jbonaldo" goes through the PAN (jbonaldo is the host name).
I already read the "creating customg signature rev b" and I can not find any reference to SMB2 for the context field, so i try to use the "unknown-req-tcp-payload". I also tray setting up the string in clear text and/or hexadecimal.
BTW, I already create a vulnerability profile and append that to the security rule (just to be clear 🙂 )
what i am doing wrong?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-14-2021
06:03 AM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks