paloaltonetworks:troubleshooting:testing_panos

paloaltonetworks:troubleshooting:testing_panos [2022/08/16 13:37] bstafford
paloaltonetworks:troubleshooting:testing_panos [2023/01/21 16:54] (current) – [DNS Security] bstafford
Line 41: Line 41:
 If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole. If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole.
  
-  * C2 ''test-c2.testpanw.com'' + 
-  * DNS Tunneling ''test-dnstun.testpanw.com'' +To find example malicious domains, look in the release notes of the active AV file on the firewall (Setup > Dynamic Updates). Search for <code>New Spyware DNS C2 Signatures</code> 
-  * DGA ''test-dga.testpanw.com'' + 
-  * Dynamic DNS ''test-ddns.testpanw.com'' +In built AV file based DNS malware detection: 
-  * Malware ''test-malware.testpanw.com'' +<code>( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS
-  * Newly Registered Domains ''test-nrd.testpanw.com'' +( name-of-threatid contains 'Suspicious DNS Query (generic)</code> 
-  * Phishing ''test-phishing.testpanw.com'' + 
-  * Grayware ''test-grayware.testpanw.com'' + 
-  * Parked ''test-parked.testpanw.com'' +Don't block Ad Tracking Domains. This will block anything that uses CNAME. This affects most major sites. 
-  * Proxy Avoidance and Anonymizers ''test-proxy.testpanw.com'' + 
-  * Fast Flux ''test-fastflux.testpanw.com'' +  * Ad Tracking 
-  * Malicious NRD ''test-malicious-nrd.testpanw.com'' +    * CNAME Cloaking 
-  * NXNS Attack ''test-nxns.testpanw.com'' +  * Command and Control 
-  * Dangling Domains ''test-dangling-domain.testpanw.com'' +    * Tunnelling 
-  * DNS Rebinding ''test-dns-rebinding.testpanw.com'' +    * Infiltration 
-  * DNS Infiltration ''test-dns-infiltration.testpanw.com'' +    * NXNS 
-  * Wildcard Abuse ''test-wildcard-abuse.testpanw.com'' +    * Rebinding 
-  * Strategically-Aged Domains ''test-strategically-aged.testpanw.com'' +    * DGA 
-  * Compromised DNS ''test-compromised-dns.testpanw.com'' +  * Dynamic DNS 
-  * Ad Tracking Domains ''test-adtracking.testpanw.com'' +  * Grayware 
-  * CNAME Cloaking ''test-cname-cloaking.testpanw.com''+    * FastFlux 
 +    * Malicious NRD 
 +    * Dangling Domain 
 +    * Wildcard Abuse 
 +    * Strategically Aged 
 +  * Parked 
 +  * Phishing 
 +  * Proxy Avoidance 
 +  * Newly Registered Domains 
 + 
 +Malicious DNS queries found based on the AV filedownload are categoriesed as ''( category-of-threatid eq dns )'' 
 + 
 +<code>( subtype eq spyware ) and ( category-of-threatid eq dns-grayware ) and ( severity eq low )</code> 
 +^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^ 
 +| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @8.8.8.8 A test-adtracking.testpanw.com | 
 +| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com | 
 +| high | dns-c2 | test-c2.testpanw.com | dig +short @8.8.8.8 A test-c2.testpanw.com | 
 +| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @8.8.8.8 A test-dnstun.testpanw.com | 
 +| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com | 
 +| high | dns-c2 | test-nxns.testpanw.com | dig +short @8.8.8.8 A test-nxns.testpanw.com | 
 +| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com | 
 +| high | dns-c2 | test-dga.testpanw.com | dig +short @8.8.8.8 A test-dga.testpanw.com | 
 +| informational | dns-ddns | test-ddns.testpanw.com | dig +short @8.8.8.8 A test-ddns.testpanw.com | 
 +| low | dns-grayware | test-grayware.testpanw.com | dig +short @8.8.8.8 A test-grayware.testpanw.com | 
 +| low | dns-grayware | test-fastflux.testpanw.com | dig +short @8.8.8.8 A test-fastflux.testpanw.com | 
 +| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com | 
 +| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @8.8.8.8 A test-dangling-domain.testpanw.com | 
 +| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com | 
 +| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @8.8.8.8 A test-strategically-aged.testpanw.com | 
 +| medium | dns-malware | test-malware.testpanw.com | dig +short @8.8.8.8 A test-malware.testpanw.com | 
 +| medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com | 
 +| informational | dns-parked | test-parked.testpanw.com | dig +short @8.8.8.8 A test-parked.testpanw.com | 
 +| low | dns-phishing | test-phishing.testpanw.com | dig +short @8.8.8.8 A test-phishing.testpanw.com 
 +| low | dns-proxy | test-proxy.testpanw.com | dig +short @8.8.8.8 A test-proxy.testpanw.com | 
 +| low | dns-new-domain | test-nrd.testpanw.com | dig +short @8.8.8.8 A test-nrd.testpanw.com |
  
 <code>show dns-proxy dns-signature info</code> <code>show dns-proxy dns-signature info</code>
 <code>test dns-proxy dns-signature fqdn</code> <code>test dns-proxy dns-signature fqdn</code>
 +
 +
 +
 +<code>dig +short @8.8.8.8 A test-adtracking.testpanw.com
 +dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com
 +
 +dig +short @8.8.8.8 A test-c2.testpanw.com
 +dig +short @8.8.8.8 A test-dnstun.testpanw.com
 +dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com
 +dig +short @8.8.8.8 A test-nxns.testpanw.com
 +dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com
 +dig +short @8.8.8.8 A test-dga.testpanw.com
 +
 +dig +short @8.8.8.8 A test-ddns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-grayware.testpanw.com
 +dig +short @8.8.8.8 A test-fastflux.testpanw.com
 +dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
 +dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 +dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com
 +dig +short @8.8.8.8 A test-strategically-aged.testpanw.com
 +
 +dig +short @8.8.8.8 A test-malware.testpanw.com
 +dig +short @8.8.8.8 A test-compromised-dns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-parked.testpanw.com
 +
 +dig +short @8.8.8.8 A test-phishing.testpanw.com
 +
 +dig +short @8.8.8.8 A test-proxy.testpanw.com
 +
 +dig +short @8.8.8.8 A test-nrd.testpanw.com</code>
 ====Vulnerability Protection==== ====Vulnerability Protection====
 As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]]. As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]].
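Review bot: the two Threat-log filters added under "In built AV file based DNS malware detection" are syntactically incomplete: each line opens a parenthesis and a single quote but never closes the quote or the outer parenthesis (`( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS` and `( name-of-threatid contains 'Suspicious DNS Query (generic)`), so the filter bar will reject them; each needs a closing `'` and `)`, e.g. `( name-of-threatid contains 'Suspicious DNS Query (generic)' )`. In the same region, "Don't block Ad Tracking Domains. This will block anything that uses CNAME" is broader than the category list beneath it supports: the subcategory shown is CNAME Cloaking, which flags first-party hostnames that CNAME to a tracker, not every CNAME record, so the practical caveat is that sites using such trackers will see those lookups sinkholed; suggest rewording and recommending alert mode before block. The test table's `test-phishing.testpanw.com` row is missing its closing `|`, which breaks DokuWiki table rendering for that row, and the `<code>` block of `dig` commands after it duplicates the table's Test Command column. The `dig +short @8.8.8.8` tests only exercise the profile if the client's UDP/53 traffic to 8.8.8.8 crosses a zone whose security rule carries the Anti-Spyware profile with DNS Security enabled; a host that resolves through an internal resolver or DoH on the far side of the firewall will not hit it, so state that the test must run from the same path production clients use, then confirm with the `show dns-proxy dns-signature info` and `test dns-proxy dns-signature fqdn` commands already on the page. Minor: "In built" should be "Built-in", "filedownload" "file download", "categoriesed" "categorised", and "Tunnelling"/"FastFlux" in the category list do not match the table's spellings.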
Line 153: Line 219:
   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"
  
 +=== Test Ping Broadcast Flood === 
 +<code>ping -b -f 192.168.39.255 -v</code>
 === Test UDP Flood === === Test UDP Flood ===
 The following command will cause a UDP flood The following command will cause a UDP flood
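Review bot: the new "Test Ping Broadcast Flood" section gives the command but, unlike the neighbouring "Test UDP Flood" section, no sentence saying what it exercises or what result to expect; add one, and note the preconditions: `ping -f` requires root or CAP_NET_RAW on Linux, `-b` is needed because ping refuses a broadcast target without it, `192.168.39.255` is only meaningful if it is the broadcast address of a subnet whose traffic actually crosses the firewall, and the flood hits every host on that segment, so it belongs in a lab. The `-S <IP>` context line just above also has a mismatched bracket: `(spoofed IP to use to connect to the target host>` opens with `(` and closes with `>`.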