Saucepan

User Tools

Site Tools

Trace: nios_x_servers vmotion abbreviations azure rpz_feeds useful_nios sd_wan misc support grid_master_candidates
paloaltonetworks:troubleshooting:testing_panos

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:troubleshooting:testing_panos [2023/01/21 15:16] – [DNS Security] bstaffordpaloaltonetworks:troubleshooting:testing_panos [2023/01/21 16:54] (current) – [DNS Security] bstafford
Line 40: Line 40:
  
 If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole. If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole.
 +
 +
 +To find example malicious domains, look in the release notes of the active AV file on the firewall (Setup > Dynamic Updates). Search for <code>New Spyware DNS C2 Signatures</code>
 +
 +In built AV file based DNS malware detection:
 +<code>( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS' )
 +( name-of-threatid contains 'Suspicious DNS Query (generic' )</code>
 +
  
 Don't block Ad Tracking Domains. This will block anything that uses CNAME. This affects most major sites. Don't block Ad Tracking Domains. This will block anything that uses CNAME. This affects most major sites.
  
   * Ad Tracking   * Ad Tracking
-   * CNAME Cloaking+    * CNAME Cloaking
   * Command and Control   * Command and Control
-   * Tunnelling +    * Tunnelling 
-   * Infiltration +    * Infiltration 
-   * NXNS +    * NXNS 
-   * Rebinding +    * Rebinding 
-   * DGA+    * DGA
   * Dynamic DNS   * Dynamic DNS
   * Grayware   * Grayware
-   * FastFlux +    * FastFlux 
-   * Malicious NRD +    * Malicious NRD 
-   * Dangling Domain +    * Dangling Domain 
-   * Wildcard Abuse +    * Wildcard Abuse 
-   * Strategically Aged+    * Strategically Aged
   * Parked   * Parked
   * Phishing   * Phishing
Line 63: Line 71:
   * Newly Registered Domains   * Newly Registered Domains
  
 +Malicious DNS queries found based on the AV filedownload are categoriesed as ''( category-of-threatid eq dns )''
 +
 +<code>( subtype eq spyware ) and ( category-of-threatid eq dns-grayware ) and ( severity eq low )</code>
 ^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^ ^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^
-| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @192.168.99.A test-adtracking.testpanw.com | +| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @8.8.8.A test-adtracking.testpanw.com | 
-| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @192.168.99.A test-cname-cloaking.testpanw.com | +| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @8.8.8.A test-cname-cloaking.testpanw.com | 
-| high | dns-c2 | test-c2.testpanw.com | dig +short @192.168.99.A test-c2.testpanw.com | +| high | dns-c2 | test-c2.testpanw.com | dig +short @8.8.8.A test-c2.testpanw.com | 
-| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @192.168.99.A test-dnstun.testpanw.com | +| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @8.8.8.A test-dnstun.testpanw.com | 
-| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @192.168.99.A test-dns-infiltration.testpanw.com | +| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @8.8.8.A test-dns-infiltration.testpanw.com | 
-| high | dns-c2 | test-nxns.testpanw.com | dig +short @192.168.99.A test-nxns.testpanw.com | +| high | dns-c2 | test-nxns.testpanw.com | dig +short @8.8.8.A test-nxns.testpanw.com | 
-| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @192.168.99.A test-dns-rebinding.testpanw.com | +| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @8.8.8.A test-dns-rebinding.testpanw.com | 
-| high | dns-c2 | test-dga.testpanw.com | dig +short @192.168.99.A test-dga.testpanw.com | +| high | dns-c2 | test-dga.testpanw.com | dig +short @8.8.8.A test-dga.testpanw.com | 
-| informational | dns-ddns | test-ddns.testpanw.com | dig +short @192.168.99.A test-ddns.testpanw.com | +| informational | dns-ddns | test-ddns.testpanw.com | dig +short @8.8.8.A test-ddns.testpanw.com | 
-| low | dns-grayware | test-fastflux.testpanw.com | dig +short @192.168.99.A test-fastflux.testpanw.com | +| low | dns-grayware | test-grayware.testpanw.com | dig +short @8.8.8.8 A test-grayware.testpanw.com | 
-| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @192.168.99.A test-malicious-nrd.testpanw.com | +| low | dns-grayware | test-fastflux.testpanw.com | dig +short @8.8.8.A test-fastflux.testpanw.com | 
-| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @192.168.99.A test-dangling-domain.testpanw.com | +| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @8.8.8.A test-malicious-nrd.testpanw.com | 
-| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @192.168.99.A test-wildcard-abuse.testpanw.com | +| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @8.8.8.A test-dangling-domain.testpanw.com | 
-| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @192.168.99.A test-strategically-aged.testpanw.com | +| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @8.8.8.A test-wildcard-abuse.testpanw.com | 
-| medium | dns-malware | test-malware.testpanw.com | dig +short @192.168.99.A test-malware.testpanw.com |+| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @8.8.8.A test-strategically-aged.testpanw.com | 
 +| medium | dns-malware | test-malware.testpanw.com | dig +short @8.8.8.A test-malware.testpanw.com |
 | medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com | | medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com |
-| informational | dns-parked | test-parked.testpanw.com | dig +short @192.168.99.A test-parked.testpanw.com | +| informational | dns-parked | test-parked.testpanw.com | dig +short @8.8.8.A test-parked.testpanw.com | 
-| low | dns-phishing | test-phishing.testpanw.com | dig +short @192.168.99.A test-phishing.testpanw.com | +| low | dns-phishing | test-phishing.testpanw.com | dig +short @8.8.8.A test-phishing.testpanw.com | 
-| low | dns-proxy | test-proxy.testpanw.com | dig +short @192.168.99.A test-proxy.testpanw.com | +| low | dns-proxy | test-proxy.testpanw.com | dig +short @8.8.8.A test-proxy.testpanw.com | 
-| low | dns-new-domain | test-nrd.testpanw.com | dig +short @192.168.99.A test-nrd.testpanw.com |+| low | dns-new-domain | test-nrd.testpanw.com | dig +short @8.8.8.A test-nrd.testpanw.com |
  
 <code>show dns-proxy dns-signature info</code> <code>show dns-proxy dns-signature info</code>
Line 90: Line 102:
  
  
-<code> +<code>dig +short @8.8.8.8 A test-adtracking.testpanw.com 
-dig +short @8.8.8.8 A test-malware.testpanw.com +dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com
-dig +short @8.8.8.8 A test-c2.testpanw.com +
-dig +short @8.8.8.8 A test-phishing.testpanw.com +
-dig +short @8.8.8.8 A test-grayware.testpanw.com +
-dig +short @8.8.8.8 A test-proxy.testpanw.com +
-dig +short @8.8.8.8 A test-parked.testpanw.com +
-dig +short @8.8.8.8 A test-adtracking.testpanw.com +
- +
-dig +short @8.8.8.8 A test-dga.testpanw.com +
-dig +short @8.8.8.8 A test-fastflux.testpanw.com +
- +
-dig +short @8.8.8.8 A test-ddns.testpanw.com +
-dig +short @8.8.8.8 A test-nrd.testpanw.com +
-dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com+
  
 +dig +short @8.8.8.8 A test-c2.testpanw.com
 dig +short @8.8.8.8 A test-dnstun.testpanw.com dig +short @8.8.8.8 A test-dnstun.testpanw.com
 dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com
 dig +short @8.8.8.8 A test-nxns.testpanw.com dig +short @8.8.8.8 A test-nxns.testpanw.com
-dig +short @8.8.8.8 A test-dangling-domain.testpanw.com 
 dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com
 +dig +short @8.8.8.8 A test-dga.testpanw.com
 +
 +dig +short @8.8.8.8 A test-ddns.testpanw.com
 +
 +dig +short @8.8.8.8 A test-grayware.testpanw.com
 +dig +short @8.8.8.8 A test-fastflux.testpanw.com
 dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
 +dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com
 dig +short @8.8.8.8 A test-strategically-aged.testpanw.com dig +short @8.8.8.8 A test-strategically-aged.testpanw.com
 +
 +dig +short @8.8.8.8 A test-malware.testpanw.com
 dig +short @8.8.8.8 A test-compromised-dns.testpanw.com dig +short @8.8.8.8 A test-compromised-dns.testpanw.com
  
-dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com</code>+dig +short @8.8.8.8 A test-parked.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-phishing.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-proxy.testpanw.com 
 + 
 +dig +short @8.8.8.8 A test-nrd.testpanw.com</code>
 ====Vulnerability Protection==== ====Vulnerability Protection====
 As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]]. As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]].
paloaltonetworks/troubleshooting/testing_panos.1674314202.txt.gz · Last modified: by bstafford