paloaltonetworks:troubleshooting:testing_panos [2022/09/07 11:17] – external edit 127.0.0.1
paloaltonetworks:troubleshooting:testing_panos [2023/01/21 16:54] (current) – [DNS Security] bstafford
Line 41: Line 41:
 If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole. If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole.
  
-  * C2 ''test-c2.testpanw.com'' 
-  * DNS Tunneling ''test-dnstun.testpanw.com'' 
-  * DGA ''test-dga.testpanw.com'' 
-  * Dynamic DNS ''test-ddns.testpanw.com'' 
-  * Malware ''test-malware.testpanw.com'' 
-  * Newly Registered Domains ''test-nrd.testpanw.com'' 
-  * Phishing ''test-phishing.testpanw.com'' 
-  * Grayware ''test-grayware.testpanw.com'' 
-  * Parked ''test-parked.testpanw.com'' 
-  * Proxy Avoidance and Anonymizers ''test-proxy.testpanw.com'' 
-  * Fast Flux ''test-fastflux.testpanw.com'' 
-  * Malicious NRD ''test-malicious-nrd.testpanw.com'' 
-  * NXNS Attack ''test-nxns.testpanw.com'' 
-  * Dangling Domains ''test-dangling-domain.testpanw.com'' 
-  * DNS Rebinding ''test-dns-rebinding.testpanw.com'' 
-  * DNS Infiltration ''test-dns-infiltration.testpanw.com'' 
-  * Wildcard Abuse ''test-wildcard-abuse.testpanw.com'' 
-  * Strategically-Aged Domains ''test-strategically-aged.testpanw.com'' 
-  * Compromised DNS ''test-compromised-dns.testpanw.com'' 
-  * Ad Tracking Domains ''test-adtracking.testpanw.com'' 
-  * CNAME Cloaking ''test-cname-cloaking.testpanw.com'' 
  
-<code>show dns-proxy dns-signature info</code> +To find example malicious domains, look in the release notes of the active AV file on the firewall (Setup Dynamic Updates). Search for <code>New Spyware DNS C2 Signatures</code>
-<code>test dns-proxy dns-signature fqdn</code>+
  
 +In built AV file based DNS malware detection:
 +<code>( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS' )
 +( name-of-threatid contains 'Suspicious DNS Query (generic' )</code>
  
  
-<code> +Don't block Ad Tracking DomainsThis will block anything that uses CNAMEThis affects most major sites.
-dig +short @8.8.8.8 A test-malware.testpanw.com +
-dig +short @8.8.8.8 A test-c2.testpanw.com +
-dig +short @8.8.8.8 A test-phishing.testpanw.com +
-dig +short @8.8.8.8 A test-grayware.testpanw.com +
-dig +short @8.8.8.8 A test-proxy.testpanw.com +
-dig +short @8.8.8.8 A test-parked.testpanw.com +
-dig +short @8.8.8.8 A test-adtracking.testpanw.com+
  
-dig +short @8.8.8.8 A test-dga.testpanw.com +  * Ad Tracking 
-dig +short @8.8.8.8 A test-fastflux.testpanw.com+    * CNAME Cloaking 
 +  * Command and Control 
 +    * Tunnelling 
 +    * Infiltration 
 +    * NXNS 
 +    * Rebinding 
 +    * DGA 
 +  * Dynamic DNS 
 +  * Grayware 
 +    * FastFlux 
 +    * Malicious NRD 
 +    * Dangling Domain 
 +    * Wildcard Abuse 
 +    * Strategically Aged 
 +  * Parked 
 +  * Phishing 
 +  * Proxy Avoidance 
 +  * Newly Registered Domains
  
-dig +short @8.8.8.8 A test-ddns.testpanw.com +Malicious DNS queries found based on the AV filedownload are categoriesed as ''( category-of-threatid eq dns )''
-dig +short @8.8.8.8 A test-nrd.testpanw.com +
-dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com+
  
 +<code>( subtype eq spyware ) and ( category-of-threatid eq dns-grayware ) and ( severity eq low )</code>
 +^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^
 +| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @8.8.8.8 A test-adtracking.testpanw.com |
 +| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com |
 +| high | dns-c2 | test-c2.testpanw.com | dig +short @8.8.8.8 A test-c2.testpanw.com |
 +| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @8.8.8.8 A test-dnstun.testpanw.com |
 +| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com |
 +| high | dns-c2 | test-nxns.testpanw.com | dig +short @8.8.8.8 A test-nxns.testpanw.com |
 +| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com |
 +| high | dns-c2 | test-dga.testpanw.com | dig +short @8.8.8.8 A test-dga.testpanw.com |
 +| informational | dns-ddns | test-ddns.testpanw.com | dig +short @8.8.8.8 A test-ddns.testpanw.com |
 +| low | dns-grayware | test-grayware.testpanw.com | dig +short @8.8.8.8 A test-grayware.testpanw.com |
 +| low | dns-grayware | test-fastflux.testpanw.com | dig +short @8.8.8.8 A test-fastflux.testpanw.com |
 +| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com |
 +| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @8.8.8.8 A test-dangling-domain.testpanw.com |
 +| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com |
 +| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @8.8.8.8 A test-strategically-aged.testpanw.com |
 +| medium | dns-malware | test-malware.testpanw.com | dig +short @8.8.8.8 A test-malware.testpanw.com |
 +| medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com |
 +| informational | dns-parked | test-parked.testpanw.com | dig +short @8.8.8.8 A test-parked.testpanw.com |
 +| low | dns-phishing | test-phishing.testpanw.com | dig +short @8.8.8.8 A test-phishing.testpanw.com |
 +| low | dns-proxy | test-proxy.testpanw.com | dig +short @8.8.8.8 A test-proxy.testpanw.com |
 +| low | dns-new-domain | test-nrd.testpanw.com | dig +short @8.8.8.8 A test-nrd.testpanw.com |
 +
 +<code>show dns-proxy dns-signature info</code>
 +<code>test dns-proxy dns-signature fqdn</code>
 +
 +
 +
 +<code>dig +short @8.8.8.8 A test-adtracking.testpanw.com
 +dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com
 +
 +dig +short @8.8.8.8 A test-c2.testpanw.com
 dig +short @8.8.8.8 A test-dnstun.testpanw.com dig +short @8.8.8.8 A test-dnstun.testpanw.com
 dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com
 dig +short @8.8.8.8 A test-nxns.testpanw.com dig +short @8.8.8.8 A test-nxns.testpanw.com
-dig +short @8.8.8.8 A test-dangling-domain.testpanw.com 
 dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com
 +dig +short @8.8.8.8 A test-dga.testpanw.com
 +
 +dig +short @8.8.8.8 A test-ddns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-grayware.testpanw.com
 +dig +short @8.8.8.8 A test-fastflux.testpanw.com
 dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
 +dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com
 dig +short @8.8.8.8 A test-strategically-aged.testpanw.com dig +short @8.8.8.8 A test-strategically-aged.testpanw.com
 +
 +dig +short @8.8.8.8 A test-malware.testpanw.com
 dig +short @8.8.8.8 A test-compromised-dns.testpanw.com dig +short @8.8.8.8 A test-compromised-dns.testpanw.com
  
-dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com</code>+dig +short @8.8.8.8 A test-parked.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-phishing.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-proxy.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-nrd.testpanw.com</code>
 ====Vulnerability Protection==== ====Vulnerability Protection====
 As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]]. As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]].
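Review bot: the warning added above the new category list ("Don't block Ad Tracking DomainsThis will block anything that uses CNAMEThis affects most major sites.") has lost its sentence breaks and should be three separate sentences; the same region has typos in "In built" (Built-in), "filedownload" (file download) and "categoriesed" (categorised). Because the table files ''test-cname-cloaking.testpanw.com'' under ''dns-adtracking'', it is worth stating that the advice not to block Ad Tracking also covers the CNAME Cloaking subcategory, so nobody configures block on one and sinkhole on the other. The line ''test dns-proxy dns-signature fqdn'' still has no argument; give it a domain from the table, e.g. ''test dns-proxy dns-signature fqdn test-c2.testpanw.com'', so it can be pasted as-is. The dig block after the table repeats the table's Test Command column verbatim; keep only the table (it also carries severity and category) so the two lists cannot drift apart.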
Line 183: Line 219:
   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"   * **-S <IP>** "Source IP (spoofed IP to use to connect to the target host>"
  
 +=== Test Ping Broadcast Flood === 
 +<code>ping -b -f 192.168.39.255 -v</code>
 === Test UDP Flood === === Test UDP Flood ===
 The following command will cause a UDP flood The following command will cause a UDP flood
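Review bot: the new "Test Ping Broadcast Flood" section gives only the command, unlike "Test UDP Flood" below it which opens with "The following command will cause a UDP flood"; add a matching sentence naming the zone/DoS protection profile the test is meant to trigger, and say that ''192.168.39.255'' is the directed broadcast of an example subnet that the reader must replace with their own. Also worth a note that ''-f'' (flood mode) requires root on Linux; an unprivileged user gets a minimal-interval error rather than a flood, so the test would appear to pass without exercising the firewall.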
paloaltonetworks/troubleshooting/testing_panos.1662549422.txt.gz · Last modified: (external edit)