paloaltonetworks:troubleshooting:testing_panos

Differences

This shows you the differences between two versions of the page.

paloaltonetworks:troubleshooting:testing_panos [2022/08/16 13:35] – [DNS Security] bstaffordpaloaltonetworks:troubleshooting:testing_panos [2023/01/21 16:54] (current) – [DNS Security] bstafford
Line 39: Line 39:
 If protection is not active, the following domains resolve to ''72.5.65.115''. If protection is not active, the following domains resolve to ''72.5.65.115''.
  
-If protection is active, the following domains resolve to whatever your sinkhole is set to (or nothing if block is set as the action instead of sinkhole).+If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111''or nothing if block is set as the action instead of sinkhole.
  
-  * C2 ''test-c2.testpanw.com'' + 
-  * DNS Tunneling ''test-dnstun.testpanw.com'' +To find example malicious domains, look in the release notes of the active AV file on the firewall (Setup > Dynamic Updates). Search for <code>New Spyware DNS C2 Signatures</code> 
-  * DGA ''test-dga.testpanw.com'' + 
-  * Dynamic DNS ''test-ddns.testpanw.com'' +In built AV file based DNS malware detection: 
-  * Malware ''test-malware.testpanw.com'' +<code>( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS
-  * Newly Registered Domains ''test-nrd.testpanw.com'' +( name-of-threatid contains 'Suspicious DNS Query (generic)</code> 
-  * Phishing ''test-phishing.testpanw.com'' + 
-  * Grayware ''test-grayware.testpanw.com'' + 
-  * Parked ''test-parked.testpanw.com'' +Don't block Ad Tracking Domains. This will block anything that uses CNAME. This affects most major sites. 
-  * Proxy Avoidance and Anonymizers ''test-proxy.testpanw.com'' + 
-  * Fast Flux ''test-fastflux.testpanw.com'' +  * Ad Tracking 
-  * Malicious NRD ''test-malicious-nrd.testpanw.com'' +    * CNAME Cloaking 
-  * NXNS Attack ''test-nxns.testpanw.com'' +  * Command and Control 
-  * Dangling Domains ''test-dangling-domain.testpanw.com'' +    * Tunnelling 
-  * DNS Rebinding ''test-dns-rebinding.testpanw.com'' +    * Infiltration 
-  * DNS Infiltration ''test-dns-infiltration.testpanw.com'' +    * NXNS 
-  * Wildcard Abuse ''test-wildcard-abuse.testpanw.com'' +    * Rebinding 
-  * Strategically-Aged Domains ''test-strategically-aged.testpanw.com'' +    * DGA 
-  * Compromised DNS ''test-compromised-dns.testpanw.com'' +  * Dynamic DNS 
-  * Ad Tracking Domains ''test-adtracking.testpanw.com'' +  * Grayware 
-  * CNAME Cloaking ''test-cname-cloaking.testpanw.com''+    * FastFlux 
 +    * Malicious NRD 
 +    * Dangling Domain 
 +    * Wildcard Abuse 
 +    * Strategically Aged 
 +  * Parked 
 +  * Phishing 
 +  * Proxy Avoidance 
 +  * Newly Registered Domains 
 + 
 +Malicious DNS queries found based on the AV filedownload are categoriesed as ''( category-of-threatid eq dns )'' 
 + 
 +<code>( subtype eq spyware ) and ( category-of-threatid eq dns-grayware ) and ( severity eq low )</code> 
 +^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^ 
 +| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @8.8.8.8 A test-adtracking.testpanw.com | 
 +| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com | 
 +| high | dns-c2 | test-c2.testpanw.com | dig +short @8.8.8.8 A test-c2.testpanw.com | 
 +| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @8.8.8.8 A test-dnstun.testpanw.com | 
 +| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com | 
 +| high | dns-c2 | test-nxns.testpanw.com | dig +short @8.8.8.8 A test-nxns.testpanw.com | 
 +| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com | 
 +| high | dns-c2 | test-dga.testpanw.com | dig +short @8.8.8.8 A test-dga.testpanw.com | 
 +| informational | dns-ddns | test-ddns.testpanw.com | dig +short @8.8.8.8 A test-ddns.testpanw.com | 
 +| low | dns-grayware | test-grayware.testpanw.com | dig +short @8.8.8.8 A test-grayware.testpanw.com | 
 +| low | dns-grayware | test-fastflux.testpanw.com | dig +short @8.8.8.8 A test-fastflux.testpanw.com | 
 +| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com | 
 +| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @8.8.8.8 A test-dangling-domain.testpanw.com | 
 +| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com | 
 +| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @8.8.8.8 A test-strategically-aged.testpanw.com | 
 +| medium | dns-malware | test-malware.testpanw.com | dig +short @8.8.8.8 A test-malware.testpanw.com | 
 +| medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com | 
 +| informational | dns-parked | test-parked.testpanw.com | dig +short @8.8.8.8 A test-parked.testpanw.com | 
 +| low | dns-phishing | test-phishing.testpanw.com | dig +short @8.8.8.8 A test-phishing.testpanw.com 
 +| low | dns-proxy | test-proxy.testpanw.com | dig +short @8.8.8.8 A test-proxy.testpanw.com | 
 +| low | dns-new-domain | test-nrd.testpanw.com | dig +short @8.8.8.8 A test-nrd.testpanw.com |
  
 <code>show dns-proxy dns-signature info</code> <code>show dns-proxy dns-signature info</code>
 <code>test dns-proxy dns-signature fqdn</code> <code>test dns-proxy dns-signature fqdn</code>
 +
 +
 +
 +<code>dig +short @8.8.8.8 A test-adtracking.testpanw.com
 +dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com
 +
 +dig +short @8.8.8.8 A test-c2.testpanw.com
 +dig +short @8.8.8.8 A test-dnstun.testpanw.com
 +dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com
 +dig +short @8.8.8.8 A test-nxns.testpanw.com
 +dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com
 +dig +short @8.8.8.8 A test-dga.testpanw.com
 +
 +dig +short @8.8.8.8 A test-ddns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-grayware.testpanw.com
 +dig +short @8.8.8.8 A test-fastflux.testpanw.com
 +dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
 +dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 +dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com
 +dig +short @8.8.8.8 A test-strategically-aged.testpanw.com
 +
 +dig +short @8.8.8.8 A test-malware.testpanw.com
 +dig +short @8.8.8.8 A test-compromised-dns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-parked.testpanw.com
 +
 +dig +short @8.8.8.8 A test-phishing.testpanw.com
 +
 +dig +short @8.8.8.8 A test-proxy.testpanw.com
 +
 +dig +short @8.8.8.8 A test-nrd.testpanw.com</code>
 ====Vulnerability Protection==== ====Vulnerability Protection====
 As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]]. As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]].
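Review bot: the filter in the "In built AV file based DNS malware detection" code block is not a complete expression: both `( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS` and `( name-of-threatid contains 'Suspicious DNS Query (generic)` open a single quote and a parenthesis that are never closed, and the two lines are not joined by an operator, so it cannot be pasted into the threat log filter as written; closing the quote and the parenthesis on each line and joining them with `or` would make it usable. Smaller points in the same hunk: the sinkhole sentence opens a parenthesis at "(e.g. ''72.5.65.111''" that never closes and lacks a space before "or"; "filedownload" and "categoriesed" should read "file download" and "categorised"; that sentence says the queries are categorised as `( category-of-threatid eq dns )` while the example filter and the table use the `dns-grayware`, `dns-c2` and similar subcategories, so it should state which form the filter actually matches; the `dns-phishing` row of the table is missing its trailing `|`, which will break the table render; and the `dig` block after the `test dns-proxy` commands duplicates the Test Command column of the table, so one of the two could go. In the PAN-OS web UI the dynamic update page is under Device rather than Setup.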
Line 153: Line 219:
   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"
  
 +=== Test Ping Broadcast Flood === 
 +<code>ping -b -f 192.168.39.255 -v</code>
 === Test UDP Flood === === Test UDP Flood ===
 The following command will cause a UDP flood The following command will cause a UDP flood
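Review bot: the new "Test Ping Broadcast Flood" section has no explanatory sentence, unlike the neighbouring "Test UDP Flood" section, which states what its command does; one line saying that it sends a flood ping (`-f`) to a directed broadcast address (`-b`) and which protection to check afterwards (for example the ICMP flood threshold of a Zone Protection profile and the matching threat log entry) would make it consistent with the rest of the page. Two things to document next to the command: `ping -f` needs root on Linux, and `192.168.39.255` is the broadcast address of the author's test segment, so it should be marked as a value to replace with the broadcast address of the segment under test.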
paloaltonetworks/troubleshooting/testing_panos.1660656946.txt.gz · Last modified: (external edit)