About mrsoldner

I had thought about posting that same report in hopes of seeing / hearing other thoughts. This video was also ... interesting to say the least. Note:  I understand this appears to be a CheckPoint smear channel, it's still interesting to see the vulnerability.   Palo Alto Netowrks IPS evasion DEMO - NSS Labs - YouTube ... View more

This is going to be a terribly simplistic reply - mainly because your question could be done so many ways - but I'd collapse edge security in the PAs (including URL filtering and inter-domain communication) and then collapse your VPN functionality into the ASA.  ASA's untrusted says external with it's trusted interface passing through the PAs.  ... View more

So, If i'm reading this right - the attachment was blocked but the email allowed? ... View more

Yeah panos and HULK - Interesting indeed: Av Profile: ... View more

panos wrote: you use alert profile but you see block logs ? that is interesting. Yeah,  very interesting indeed.  I need to do some more digging... ... View more

rkra wrote: Is it possible to make a reverse DNS Query in reports to get Names instead IPs in report displayed? Roman If you are creating a custom report and just click "Run Now" it will give you IPs.  I believe if you do a scheduled report, it will provide any applicable DNS name. ... View more

dynamicv wrote: Default Action on the signature is set to alert, which is very strange for something that could potentially be used to create DHCP worms across virtually every non-Windows platform, including smartphones. We've installed the update onto all our PANOS boxes, but cannot see ID 36729 nor the CVE number appear in the signatures list. Regardless of that, if I create a rule to match the 36729 ID with block as the action will the device take it? You can make an exception and change the default action. Go into your Vulnerability Protection Profile Click "Exceptions" Check "Show all signatures" Enter 36729 Change the action to whatever you'd like it to be. Push policy. ... View more

I believe the latest emergency content update addresses this: Application and Threat Content Release Notes Version 457 Notes: Earlier today, Wednesday, September 24th, Palo Alto Networks became aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability is CVE-2014-6271 and allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650 To address this vulnerability, Palo Alto Networks has released an emergency content update that provides detection of attempted exploitation of CVE-2014-6271 with IPS vulnerability Signature ID: 36729 "Bash Remote Code Execution Vulnerability" with Critical severity and default action of "Alert." Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices. If you have any questions about coverage for this advisory, please contact Support. New Vulnerability Signatures (1) Severity ID Attack Name CVE ID Vendor ID Default Action Minimum PAN-OS Version critical 36729 Bash Remote Code Execution Vulnerability CVE-2014-6271 alert 4.0.0 ... View more

jtyler wrote: Setting a block for viruses on smtp will cause the originating server to keep trying to relay the email until a timeout occurs. This could potentially cause a lot of unwanted traffic pointed at your smtp server that is getting blocked over and over by the firewall. That may still be preferred to allowing a virus in via smtp, but it's just something to be aware of. Good point, I did some digging and found this:  Threat Prevention Deployment Tech Note It looks like some intelligence is built in for SMTP and will send back a 541 response so that the other side doesn't keep resending the email.  POP and IMAP however don't have any intelligence built in.  So, per the doc: Note: The reason why SMTP, POP3 and IMAP have the default action set to ALERT is because in most cases there is already a dedicated Antivirus gateway solution in place for these protocols. Specifically for POP3 and IMAP, it is not possible to clean files or properly terminate an infected file-transfer in-stream without affecting the entire session. This is due to shortcomings in these protocols to deal with this kind of situation. Thanks for the help.  I think we'll stick with the defaults for now and potentially ratchet up SMTP. ... View more

Is there somewhere that Virus severity is noted?  ... View more