Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:troubleshooting:testing_panos [2023/01/21 15:17] – bstafford
+++ paloaltonetworks:troubleshooting:testing_panos [2023/01/21 16:54] (current) – [DNS Security] bstafford
@@ Line 40: / Line 40: @@
 If protection is active, the following domains resolve to whatever your sinkhole is set to (e.g. ''72.5.65.111'') or nothing if block is set as the action instead of sinkhole.
+To find example malicious domains, look in the release notes of the active AV file on the firewall (Setup > Dynamic Updates). Search for <code>New Spyware DNS C2 Signatures</code>
+In built AV file based DNS malware detection:
+<code>( name-of-threatid contains 'Suspicious DNS Query (Compromised_DNS' )
+( name-of-threatid contains 'Suspicious DNS Query (generic' )</code>
 Don't block Ad Tracking Domains. This will block anything that uses CNAME. This affects most major sites.
@@ Line 63: / Line 71: @@
   * Newly Registered Domains
+Malicious DNS queries found based on the AV filedownload are categoriesed as ''( category-of-threatid eq dns )''
+<code>( subtype eq spyware ) and ( category-of-threatid eq dns-grayware ) and ( severity eq low )</code>
 ^ Default Log Severity ^ Threat Category ^ Test Domain ^ Test Command ^
-| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @192.168.99.9 A test-adtracking.testpanw.com |
+| informational | dns-adtracking | test-adtracking.testpanw.com | dig +short @8.8.8.8 A test-adtracking.testpanw.com |
-| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @192.168.99.9 A test-cname-cloaking.testpanw.com |
+| informational | dns-adtracking | test-cname-cloaking.testpanw.com | dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com |
-| high | dns-c2 | test-c2.testpanw.com | dig +short @192.168.99.9 A test-c2.testpanw.com |
+| high | dns-c2 | test-c2.testpanw.com | dig +short @8.8.8.8 A test-c2.testpanw.com |
-| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @192.168.99.9 A test-dnstun.testpanw.com |
+| high | dns-c2 | test-dnstun.testpanw.com  | dig +short @8.8.8.8 A test-dnstun.testpanw.com |
-| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @192.168.99.9 A test-dns-infiltration.testpanw.com |
+| high | dns-c2 | test-dns-infiltration.testpanw.com | dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com |
-| high | dns-c2 | test-nxns.testpanw.com | dig +short @192.168.99.9 A test-nxns.testpanw.com |
+| high | dns-c2 | test-nxns.testpanw.com | dig +short @8.8.8.8 A test-nxns.testpanw.com |
-| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @192.168.99.9 A test-dns-rebinding.testpanw.com |
+| high | dns-c2 | test-dns-rebinding.testpanw.com | dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com |
-| high | dns-c2 | test-dga.testpanw.com | dig +short @192.168.99.9 A test-dga.testpanw.com |
+| high | dns-c2 | test-dga.testpanw.com | dig +short @8.8.8.8 A test-dga.testpanw.com |
-| informational | dns-ddns | test-ddns.testpanw.com | dig +short @192.168.99.9 A test-ddns.testpanw.com |
+| informational | dns-ddns | test-ddns.testpanw.com | dig +short @8.8.8.8 A test-ddns.testpanw.com |
-| low | dns-grayware | test-fastflux.testpanw.com | dig +short @192.168.99.9 A test-fastflux.testpanw.com |
+| low | dns-grayware | test-grayware.testpanw.com | dig +short @8.8.8.8 A test-grayware.testpanw.com |
-| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @192.168.99.9 A test-malicious-nrd.testpanw.com |
+| low | dns-grayware | test-fastflux.testpanw.com | dig +short @8.8.8.8 A test-fastflux.testpanw.com |
-| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @192.168.99.9 A test-dangling-domain.testpanw.com |
+| low | dns-grayware | test-malicious-nrd.testpanw.com | dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com |
-| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @192.168.99.9 A test-wildcard-abuse.testpanw.com |
+| low | dns-grayware | test-dangling-domain.testpanw.com | dig +short @8.8.8.8 A test-dangling-domain.testpanw.com |
-| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @192.168.99.9 A test-strategically-aged.testpanw.com |
+| low | dns-grayware | test-wildcard-abuse.testpanw.com | dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com |
-| medium | dns-malware | test-malware.testpanw.com | dig +short @192.168.99.9 A test-malware.testpanw.com |
+| low | dns-grayware | test-strategically-aged.testpanw.com | dig +short @8.8.8.8 A test-strategically-aged.testpanw.com |
+| medium | dns-malware | test-malware.testpanw.com | dig +short @8.8.8.8 A test-malware.testpanw.com |
 | medium | dns-malware | test-compromised-dns.testpanw.com | dig +short @8.8.8.8 A test-compromised-dns.testpanw.com |
-| informational | dns-parked | test-parked.testpanw.com | dig +short @192.168.99.9 A test-parked.testpanw.com |
+| informational | dns-parked | test-parked.testpanw.com | dig +short @8.8.8.8 A test-parked.testpanw.com |
-| low | dns-phishing | test-phishing.testpanw.com | dig +short @192.168.99.9 A test-phishing.testpanw.com |
+| low | dns-phishing | test-phishing.testpanw.com | dig +short @8.8.8.8 A test-phishing.testpanw.com |
-| low | dns-proxy | test-proxy.testpanw.com | dig +short @192.168.99.9 A test-proxy.testpanw.com |
+| low | dns-proxy | test-proxy.testpanw.com | dig +short @8.8.8.8 A test-proxy.testpanw.com |
-| low | dns-new-domain | test-nrd.testpanw.com | dig +short @192.168.99.9 A test-nrd.testpanw.com |
+| low | dns-new-domain | test-nrd.testpanw.com | dig +short @8.8.8.8 A test-nrd.testpanw.com |
 <code>show dns-proxy dns-signature info</code>
@@ Line 90: / Line 102: @@
-<code>
+<code>dig +short @8.8.8.8 A test-adtracking.testpanw.com
-dig +short @8.8.8.8 A test-malware.testpanw.com
+dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com
-dig +short @8.8.8.8 A test-c2.testpanw.com
-dig +short @8.8.8.8 A test-phishing.testpanw.com
-dig +short @8.8.8.8 A test-grayware.testpanw.com
-dig +short @8.8.8.8 A test-proxy.testpanw.com
-dig +short @8.8.8.8 A test-parked.testpanw.com
-dig +short @8.8.8.8 A test-adtracking.testpanw.com
-dig +short @8.8.8.8 A test-dga.testpanw.com
-dig +short @8.8.8.8 A test-fastflux.testpanw.com
-dig +short @8.8.8.8 A test-ddns.testpanw.com
-dig +short @8.8.8.8 A test-nrd.testpanw.com
-dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
+dig +short @8.8.8.8 A test-c2.testpanw.com
 dig +short @8.8.8.8 A test-dnstun.testpanw.com
 dig +short @8.8.8.8 A test-dns-infiltration.testpanw.com
 dig +short @8.8.8.8 A test-nxns.testpanw.com
-dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 dig +short @8.8.8.8 A test-dns-rebinding.testpanw.com
+dig +short @8.8.8.8 A test-dga.testpanw.com
+dig +short @8.8.8.8 A test-ddns.testpanw.com
+dig +short @8.8.8.8 A test-grayware.testpanw.com
+dig +short @8.8.8.8 A test-fastflux.testpanw.com
 dig +short @8.8.8.8 A test-malicious-nrd.testpanw.com
+dig +short @8.8.8.8 A test-dangling-domain.testpanw.com
 dig +short @8.8.8.8 A test-wildcard-abuse.testpanw.com
 dig +short @8.8.8.8 A test-strategically-aged.testpanw.com
+dig +short @8.8.8.8 A test-malware.testpanw.com
 dig +short @8.8.8.8 A test-compromised-dns.testpanw.com
-dig +short @8.8.8.8 A test-cname-cloaking.testpanw.com</code>
+dig +short @8.8.8.8 A test-parked.testpanw.com
+dig +short @8.8.8.8 A test-phishing.testpanw.com
+dig +short @8.8.8.8 A test-proxy.testpanw.com
+dig +short @8.8.8.8 A test-nrd.testpanw.com</code>
 ====Vulnerability Protection====
 As listed in this [[https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-if-the-Vulnerability-Module-is-Working-Properly/ta-p/56519|article]].