Hello and sorry for my poor English.
I posted this question/feedback here before, but no one answered. I decided to share it here as well.
We are a member of pool.ntp.org.
Our time server URL is ntp.cbu.edu.tr.
Beginning May 19th, a problem appeared on our NTP service. We started getting a lot of bittorrent requests. Of course, the requests were denied. However, pool.ntp.org started reporting that we were not responding to NTP requests.
We captured the packets that Palo Alto detected as bittorrent. When we examined the packets, we could not see anything other than NTP traffic.
As a result, we think that Palo Alto mistakenly detected NTP traffic as bittorrent traffic.
If you want to examine it, I am attaching a file here with the packets we captured.
Hi @riza.emet,
The Community Feedback area is dedicated to questions about the LIVEcommunity.
In order to get better traction for your question I've moved it to the VirusTotal discussions area. This area is moderated by the threat team to check signatures and verdicts.
Sorry, but I don't believe this has anything to do with VirusTotal either. This forum is for non-customers. The Threat and Vulnerability forum may have been a better fit; however, posts in the LIVEcommunity expect answers from other Palo Alto Networks customers. If you need a response from Palo Alto Networks Support, the correct avenue for help is filing a Support ticket.
Seems like a false positive then. Looking through my Palo Alto Apps and Threats release notes, I don't see anything about bittorrent Application changes in the last year. I think you are going to have to get Palo Alto support to investigate/fix the false positive. If it is a serious problem for you, you could temporarily bypass the application filter and just allow UDP 123 in the meantime.
I replayed your PCAP in my lab. I see NTPv4 traffic detected as ntp-base, and NTPv1 traffic detected as ntp-non-rfc. I don't see any bittorrent traffic, but I am running 10.2.2; maybe your PAN-OS identifies it differently. Check the source ports of the sessions identified as bittorrent, and compare them to your packet capture to see if there is a correlation between NTPv1 and bittorrent, versus NTPv4 and correct identification as ntp-base traffic. It is possible that your firewall is detecting ntp-non-rfc as bittorrent.
Also check if the misdetection began around March 15, 2022, that's when the change was pushed in Content. https://live.paloaltonetworks.com/t5/customer-resources/app-id-decoders-enhancement-plan/ta-p/469547
You can test adding ntp-non-rfc as an allowed app in your policy to see if it resolves the issue.
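The check suggested above (split the captured NTP packets by protocol version and source port, then compare against the sessions the firewall labelled bittorrent) can be done offline with a small script. The following is an added example, not code from the thread or from Palo Alto Networks. It assumes a classic little-endian libpcap file (magic 0xa1b2c3d4, not pcapng) with plain Ethernet/IPv4/UDP frames and no VLAN tags; the NTP version and mode are read from the leap/version/mode byte at the start of each UDP payload sent to port 123. The embedded SAMPLE_PCAP is constructed inline so the script runs without a real capture; the IP addresses and ports in it are made up.

```python
"""Tally NTP packets in a pcap by (version, mode, source port) to spot a
correlation between NTP version and a firewall's app-id verdict."""
import struct
import sys
from collections import Counter

NTP_PORT = 123
PCAP_MAGIC_LE = 0xA1B2C3D4


def ntp_fields(payload):
    """Return (leap, version, mode) from an NTP packet's first byte.

    The minimum NTP packet is 48 bytes; anything shorter is not NTP.
    The mode field exists from NTPv2 on; in NTPv1 those bits are reserved.
    """
    if len(payload) < 48:
        return None
    b = payload[0]
    return (b >> 6, (b >> 3) & 0x07, b & 0x07)


def parse_pcap(data):
    """Yield (src_ip, src_port, dst_port, udp_payload) for each
    Ethernet/IPv4/UDP record in a classic little-endian pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only classic little-endian pcap is supported (not pcapng)")
    off = 24  # global header size
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:  # not UDP
            continue
        src_ip = ".".join(str(b) for b in ip[12:16])
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack_from("!HHH", udp, 0)
        yield src_ip, sport, dport, udp[8:ulen]


def summarize(data):
    """Count packets to UDP/123 keyed by (ntp_version, mode, source_port).
    Payloads too short to be NTP are keyed as (None, None, source_port)."""
    counts = Counter()
    for _src_ip, sport, dport, payload in parse_pcap(data):
        if dport != NTP_PORT:
            continue
        fields = ntp_fields(payload)
        if fields is None:
            counts[(None, None, sport)] += 1
        else:
            _leap, version, mode = fields
            counts[(version, mode, sport)] += 1
    return counts


# --- constructed sample capture (hypothetical addresses and ports) -----------
def ntp_packet(version, mode):
    """48-byte NTP packet with LI=0 and the given version/mode, rest zeroed."""
    return bytes([(version << 3) | mode]) + b"\x00" * 47


def build_frame(src_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; checksums left zero (fine for offline parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src = bytes(int(x) for x in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src, bytes([192, 0, 2, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("198.51.100.10", 123, 123, ntp_packet(4, 3)),    # NTPv4 client
    build_frame("198.51.100.11", 54321, 123, ntp_packet(4, 3)),  # NTPv4 client
    build_frame("198.51.100.12", 6881, 123, ntp_packet(1, 0)),   # NTPv1, mode bits reserved
    build_frame("198.51.100.13", 6881, 123, ntp_packet(1, 0)),   # NTPv1, mode bits reserved
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (version, mode, sport), n in sorted(summarize(data).items(), key=str):
        print(f"NTPv{version} mode={mode} src_port={sport}: {n}")
```

Run it as `python ntp_by_version.py capture.pcap`; without an argument it summarizes the constructed sample. Match the source ports that dominate the NTPv1 rows against the source ports of the sessions the firewall logged as bittorrent. If they line up and the NTPv4 rows do not, that supports the idea that the ntp-non-rfc traffic is what is being misclassified.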