Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
About ymiyashita
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- About ymiyashita
Online
228Posts
42Likes
39Solutions
May 24, 2022Last Visited
User
Activity
User
Profile
Latest posts by ymiyashita
| Subject | Views | Posted |
|---|---|---|
| 13 | 05-24-2022 10:07 PM | |
| 450 | 01-31-2022 08:41 PM | |
| 623 | 12-20-2021 05:10 PM | |
| 780 | 12-16-2021 09:11 PM | |
| 916 | 12-13-2021 10:40 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 01-31-2022 08:41 PM | |
| 1 Like | 11-23-2021 05:04 PM | |
| 1 Like | 11-19-2021 01:26 AM | |
| 3 Likes | 11-01-2021 04:49 PM | |
| 1 Like | 10-26-2021 06:42 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 33 Likes | |||
| 1 Like | |||
| 1 Like | |||
| 3 Likes | |||
| 5 Likes |
My LIVEcommunity Articles Contributions
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
User Badges
Community Statistics
| Member Since | 12-04-2012 07:14 PM |
| Date Last Visited | 05-24-2022 10:05 PM |
| Posts | 228 |
| Total Likes Received | 21 |
05-24-2022
10:07 PM
Hi EJaspe,
Please help us clarify your questions.
- Are you seeing the threat log "HTTP Unauthorized Brute Force Attack - ID 40031" which destination IP address is the fileserver? If so, the fileserver is also running as a web server, right? - Do you want to know if the web access was performed by using IP address or hostname? In that case, you can look at the HTTP Host header. The logging must be enabled on the web server to see it in the log. Or you can capture the traffic and check.
You can refer to the following KB to see how the signature detects the brute force. Brute Force Signature and Related Trigger Conditions https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClmpCAC
40031 - HTTP Unauthorized Brute-force Attack "If a session has the same source and same destination but triggers our child signature, 34556, 100 times in 60 seconds, we call it is a brute force attack. The child signature, 34556, is looking for HTTP 401 response."
As you see, it can trigger regardless of the way of access using IP address or hostname, and also regardless of where the access is coming from (internal or external).
# By the way, this thread was already marked as 'resolved' about 2 years ago. You may want to post a new one from the next time onwards if you have a new inquiry.
... View more
01-31-2022
08:41 PM
1 Kudo
From your description, I understand that you are seeing "Abnormal SSL traffic on port 443 (54699)" detected on the firewall and on the panorama you are seeing the threat log forwarded by the firewall. https://threatvault.paloaltonetworks.com/?query=Abnormal SSL traffic on 443&type=
I would advise you to take a threat pcap and verify if the traffic is actually abnormal. Most likely, the SSL handshake is missing. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/take-packet-captures/take-a-threat-packet-capture.html
If it's a true positive, you can change the default action to block the traffic to minimize the threat since it's an abnormal traffic. STEPS TO CHANGE THE DEFAULT ACTION FOR SIGNATURES https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3KCAS
... View more
12-20-2021
05:10 PM
It would depend on how the zone protection is configured. For the traffic from Trust to Untrust, it shouldn't be too strict especially when it's configured with "Block IP" action. I'd also suggest to check the traffic log or sessions to see what kind traffic is matching with the condition. You may also want to capture packets on the Windows 10 machine with/without "News and Interests" toolbar enabled.
For your reference: How do I analyze alerts for SCAN: Host Sweep (8002)? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBioCAG
... View more
12-16-2021
09:11 PM
Please provide the hash value of the sample for further research.
... View more
12-13-2021
10:40 PM
MineMeld doesn't use Java components so it's not affected by the Log4j vulnerability.
... View more
11-23-2021
09:18 PM
(Advised to use another method for Palo Alto internal communications.)
... View more
11-23-2021
05:04 PM
1 Kudo
As you found it in the KB, ID: 52019 is a file type signature which detects "Windows Dynamic Link Library (DLL)". If you see it in the WildFire submission log, I'd suggest to check the WildFire report for more detail or get the hash value of the sample to research further.
... View more
11-19-2021
01:26 AM
1 Kudo
I'm a Palo Alto Networks employee, so I can check the signature status. (I just updated my profile with a job title.)
... View more
11-18-2021
05:32 PM
Palo Alto Networks confirmed that it was a False Positive. The signature "malware.azjf C2 traffic(446823108)" will be disabled in Anti-Virus version 3905.
... View more
11-08-2021
04:55 PM
I'd suggest to post the question to "General Topics" channel since the swap problem is not directly related to "Threat & Vulnerability". https://live.paloaltonetworks.com/t5/general-topics/bd-p/members_discuss
Having the question in the right channel will help you get more accurate answer and also will be beneficial to other members.
... View more
11-01-2021
04:49 PM
3 Kudos
Palo Alto Networks has been working on the false positive issue with "WGeneric.atbsxx C2 traffic(385282722)". The signature will be disabled in AV version 3888.
... View more
10-27-2021
05:03 PM
The support case (01996968) was opened with a serial number which has a Premium Partner Support thus Palo Alto Networks advised to contact ASC partner (Authorized Support Center) to get support.
... View more
10-26-2021
06:42 PM
1 Kudo
Currently, it's considered as designed since Strict-Transport-Security is only for the Global Protect server itself and we don't have control for the sub domains. We have a feature request (FR 17182) for this. You may want to contact Palo Alto Networks sales department to add more weight.
... View more
10-21-2021
01:27 AM
1 Kudo
Please refer to the following KBs.
How to Manually Upload License Keys https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsoCAC
How to Manually Install Antivirus, Content, and WildFire Updates on the Firewall https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFhCAK
... View more
10-19-2021
05:45 PM
PAN-110168 was fixed in PAN-OS 8.1.9. It can be found in the release note. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os-8-1-9-addressed-issues.html
PAN-147254: jQuery was upgraded to 3.5.1 in PAN-OS 8.1.19. At this time, OSS listing still shows 3.4.1. Palo Alto Networks is working on the documentation. https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-8-1-open-source-software-oss-listing.html
... View more
Contact Me
| Online Status |
Online
|
| Date Last Visited |
05-24-2022
10:05 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2022 - Palo Alto Networks
