Evasion
In this case we connect to 1.2.3.4 while the HTTP Host header claims the request is for host.corp.com. PAN-OS logs a threat when it knows 1.2.3.4 by some other FQDN, i.e. the name in the request does not match the name the firewall saw resolve to that address. Threat log filter:
( subtype eq spyware ) and ( ( name-of-threatid eq 'Suspicious TLS Evasion Found' ) or ( name-of-threatid eq 'Suspicious HTTP Evasion Found' ) ) and ( addr.dst in 1.2.3.4 ) and ( url eq 'host.corp.com/' )
Test with a deliberately mismatched Host header:
curl --verbose --header 'Host: www.example.com' 'http://www.yandex.com'
The following fetches www.sync.com even when the online-storage category is blocked: the Host header names a bank, so URL filtering classes the request as financial-services.
Evasion
curl --verbose --insecure --header 'Host: www.halifax.co.uk' 'https://www.sync.com' > index.html
No Evasion
curl --verbose --insecure --header 'Host: www.santander.com' 'https://www.sync.com/' > index.html
Filter the log results with:
( addr.src in 10.4.4.21 ) and ( addr.dst in 104.24.101.166 ) and ( url eq 'www.santander.com/' ) and ( url_category_list contains low-risk ) and ( url_category_list contains financial-services )
Flush the client's resolver cache so the next fetch triggers a fresh DNS query, then fetch a plain-HTTP site:
sudo systemd-resolve --flush-caches
wget 'http://httpforever.com/'
( addr.src in 10.4.4.21 ) and ( addr.dst in 104.24.101.166 ) and ( url eq 'httpforever.com/' ) and ( url_category_list contains low-risk ) and ( url_category_list contains computer-and-internet-info )
On the firewall, inspect or clear its DNS cache:
show dns-proxy cache all
clear dns-proxy cache all
These work even without a DNS proxy configured, because the firewall still resolves the names itself.
HTTP evasion works (sometimes), but SSL evasion uses certificate information to check the domain (I think). I need to generate a fake website for Google with a certificate trusted by both the endpoint and the firewall, so I can see whether this evasion then works. However, in the real world, getting a certificate for Google that the firewall trusts will be difficult, and an untrusted chain can be blocked with SSL Decryption Profiles.

The HTTP evasion only seemed to work at first when we did not query a CNAME record: the firewall's cache holds a CNAME for the originally queried FQDN, which cannot be matched against an IP. If the DNS cache TTL expires the query, then we can bypass prevention (test this).

HTTP evasion will always work with a random FQDN. However, URL filtering will then always classify it as “high-risk,unknown”.
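To make the mechanism concrete, the following is a small Python model of the check, added here as an example; it is not PAN-OS code and does not claim to be the vendor's signature logic. It covers both the 1.2.3.4 / host.corp.com description at the top of the page and the CNAME, TTL and random-FQDN cases above: the firewall resolves the name in the Host header (from a cache of answers seen on the wire, or by its own lookup) and flags the request when that name resolves to a different address than the one being connected to. The ZONE table, all names, addresses, TTLs and the verdict labels are constructed for the example, and the "naive" mode that treats a CNAME answer as a dead end is one hypothesis for the CNAME behaviour, not confirmed behaviour.

```python
"""Constructed model of a DNS-based Host-header / SNI mismatch check.

Added example, not PAN-OS code. A firewall compares the name a request
claims (HTTP Host header, or TLS SNI) with the addresses that name resolves
to, using a cache filled from client DNS answers seen on the wire and from
its own lookups. ZONE, names, addresses, TTLs and verdicts are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed answers the firewall's own resolver would receive (stands in
# for real DNS; any name not listed here behaves like NXDOMAIN).
ZONE = {
    "storage.example": ("CNAME", "edge.cdn.example"),   # a site fronted by a CDN
    "edge.cdn.example": ("A", "198.51.100.10"),
    "bank-a.example": ("A", "203.0.113.5"),             # bank with a plain A record
    "bank-b.example": ("CNAME", "bank-b.cdn.example"),  # bank fronted by a CNAME
    "bank-b.cdn.example": ("A", "203.0.113.9"),
}


@dataclass
class Entry:
    kind: str       # "A": target is an IP; "CNAME": target is another name
    target: str
    expires: float  # absolute time on the model clock


class Firewall:
    """DNS cache plus the mismatch check. follow_cname=False models a check
    that treats a CNAME answer as a dead end (hypothesis, not confirmed)."""

    def __init__(self, follow_cname: bool = True) -> None:
        self.clock = 0.0
        self.follow_cname = follow_cname
        self.cache: dict[str, list[Entry]] = {}

    def tick(self, seconds: float) -> None:
        self.clock += seconds

    def observe(self, name: str, kind: str, target: str, ttl: int) -> None:
        """Record an answer, sniffed from a client query or from our own lookup."""
        self.cache.setdefault(name, []).append(Entry(kind, target, self.clock + ttl))

    def live(self, name: str) -> list[Entry]:
        return [e for e in self.cache.get(name, []) if e.expires > self.clock]

    def lookup(self, name: str, ttl: int = 60) -> list[Entry]:
        """Cache hit while within TTL, otherwise the firewall queries ZONE itself."""
        entries = self.live(name)
        if not entries and name in ZONE:
            kind, target = ZONE[name]
            self.observe(name, kind, target, ttl)
            entries = self.live(name)
        return entries

    def addresses(self, name: str, depth: int = 0) -> set[str]:
        """IPs the firewall can attribute to `name`, chasing CNAMEs if enabled."""
        if depth > 8:  # guard against CNAME loops
            return set()
        ips: set[str] = set()
        for e in self.lookup(name):
            if e.kind == "A":
                ips.add(e.target)
            elif self.follow_cname:
                ips |= self.addresses(e.target, depth + 1)
        return ips

    def check(self, dst_ip: str, host: str) -> str:
        """'match', 'evasion' or 'unknown' for a request to dst_ip claiming `host`.

        'unknown' means there is nothing to compare: NXDOMAIN, an expired entry
        the firewall cannot refresh, or (naive mode) a CNAME-only answer. URL
        filtering is then left with only the bare name to categorise.
        """
        ips = self.addresses(host.lower().rstrip("."))
        if not ips:
            return "unknown"
        return "match" if dst_ip in ips else "evasion"


def run_scenarios() -> dict[str, str]:
    """Scenarios mirroring the curl tests on this page, with constructed names."""
    fw, naive = Firewall(follow_cname=True), Firewall(follow_cname=False)
    site_ip = "198.51.100.10"
    for f in (fw, naive):  # the client resolved storage.example before connecting
        f.observe("storage.example", "CNAME", "edge.cdn.example", ttl=300)
        f.observe("edge.cdn.example", "A", site_ip, ttl=60)
    # an internal name only ever seen from a client, which ZONE cannot refresh
    fw.observe("intranet.example", "A", "10.0.0.5", ttl=60)

    out = {
        "honest": fw.check(site_ip, "storage.example"),           # Host matches the site
        "honest_naive": naive.check(site_ip, "storage.example"),  # CNAME dead end: no verdict
        "bank_a": fw.check(site_ip, "bank-a.example"),            # known A record elsewhere
        "bank_b": fw.check(site_ip, "bank-b.example"),            # caught once CNAMEs are chased
        "bank_b_naive": naive.check(site_ip, "bank-b.example"),   # slips through in naive mode
        "random": fw.check(site_ip, "x7q2.invalid"),              # NXDOMAIN: nothing to compare
        "internal_cached": fw.check(site_ip, "intranet.example"),
    }
    fw.tick(61)  # the 60 s A record lapses and the firewall cannot re-resolve it
    out["internal_after_ttl"] = fw.check(site_ip, "intranet.example")
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The two firewalls differ only in whether a CNAME answer is followed to its A record; in naive mode a bank name fronted by a CNAME never yields an IP to compare, so the request is neither matched nor flagged, which is the outcome the page describes for the CNAME test. The intranet.example case shows the TTL caveat: once the cached A record expires and the firewall has no way to re-resolve the name, the verdict degrades from "evasion" to "unknown".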
