06-06-2022 05:50 AM
Hello and sorry for my poor English.
I wrote this question/feedback before here, but no one wrote an answer. I decided to share it here as well.
We are a member of pool.ntp.org
Our time server url is ntp.cbu.edu.tr
Beginning May 19th problem appeared on our NTP service. We started getting a lot of bittorrent requests. Of course, requests were denied. However, pool.ntp.org started reporting that we were not responding to ntp requests.
We captured the packets that PaloAlto detected as bittorrent. When we examined the packages, we could not see anything other than ntp traffic.
As a result, we think that PaloAlto mistakenly detected ntp traffic as bittorrent traffic.
If you want to examine it, I'm putting a file here that the packages we capture.
Thank you.
07-01-2022 02:02 AM
The problem to be fixed with App&Thread Update 8586. The release note says that false positive is fixed.
Thank you for your interest.
06-09-2022 02:37 AM
Hi @riza.emet ,
The Community Feedback area is dedicated to questions about the LIVEcommunity.
In order to get better traction for your question I've moved it to the VirusTotal discussions area. This area is moderated by the threat team to check signatures and verdicts.
Cheers,
-Kiwi.
06-09-2022 11:57 PM
did you get any proper solution for this problem
06-10-2022 12:12 AM
No, we haven't found it yet. However, we have opened a case to PaloAlto Support for the issue. We're waiting.
06-10-2022 10:35 AM
Sorry but I don't believe this has anything to do with VirusTotal either. This forum is for non-customers. The Threat and Vulnerability forum may have been a better fit, however, posts in the LIVECommunity expect answers from other Palo Alto Networks customers. If you need a response from Palo Alto Networks Support, the correct avenue for help is filing a Support ticket.
06-10-2022 11:22 AM
What is your Security policy for the incoming NTP traffic to your server? Are you using Application="ntp" and Service="application-default" in your allow rule? Or are you using a Service="udp_123" or something similar?
06-10-2022 11:38 AM
We are using Application="ntp" and Service="application-default" in our allow rule.
Monitor show some udp-123 traffic "ntp", some udp-123 traffic "bittorrent". As expected bittorrent blocked but they are actually ntp.
06-10-2022 12:04 PM
Seems like a false positive then. Looking thru my PaloAlto Apps and Threats release notes I don't see anything about bittorrent Application changes in the last year. I think you are going to have to get PaloAlto support to investigate/fix the false positive. If it is a serious problem for you, you could temporarily bypass the application filter and just allow UDP 123 in the mean time.
06-10-2022 12:42 PM
I replayed your PCAP to my lab. I see NTPv4 traffic detected as ntp-base, and NTPv1 traffic detected as ntp-non-rfc. I don't see any bittorrent traffic, but I am running 10.2.2, maybe your PAN-OS identifies it differently. Check the source ports of the sessions identified as bittorrent, and compare them to your packet capture to see if there is a correlation between NTPv1 and bittorrent, versus NTPv4 and correct identifification of ntp-base traffic. It is possible that your firewall is detecting ntp-non-rfc as bittorrent.
06-10-2022 12:45 PM - edited 06-10-2022 12:49 PM
Also check if the misdetection began around March 15, 2022, that's when the change was pushed in Content. https://live.paloaltonetworks.com/t5/customer-resources/app-id-decoders-enhancement-plan/ta-p/469547
You can test adding ntp-non-rfc as an allowed app in your policy to see if it resolves the issue.
06-10-2022 12:47 PM
Thanks for answer. I will compare.
07-01-2022 02:02 AM
The problem to be fixed with App&Thread Update 8586. The release note says that false positive is fixed.
Thank you for your interest.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
