[Graylog] PA Network rule reference


REF: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/reports-and-logging/syslog-field-descriptions.html

Potential-threat criterion: events within the last 14 days (in practice only 10 days of index are actually retained)

action: alert, block-url, deny
action: reset-server, reset-client, reset-both (the firewall sends a TCP reset packet to the server and/or the client)

Log types detected by the PA-Network firewall
Type: TRAFFIC, THREAT, SYSTEM, CONFIG
Within THREAT, the Subtype values to watch: spyware, virus, flood, packet, vulnerability, wildfire-virus, scan

ThreatID: (recommended to check the manual to see whether there are ID ranges that can be configured)
Suspicious DNS Query (generic:apk.hz5l.hz155.com)(4010379)
Suspicious DNS Query (generic:rlhqw.cn)(4077880)
Suspicious DNS Query (generic:sslbaidu.jomodns.com)(4083430)
Trojan-Spy/Win32.zbot.aahsy(2556727)
Trojan-Downloader/MSWord.cryptoload.im(1210808)
Trojan-Downloader/MSWord.agent.dpfgv(1210131)
Trojan-Downloader/MSWord.cryptoload.ec(1210235)
Virus/Win32.Adwind.af(1251891)
Virus/Win32.WGeneric.jhukl(1210208)
Virus/Win32.WGeneric.jhvwt(1210379)
Virus/Win32.WGeneric.jhvsx(1210326)
Virus/Win32.WGeneric.jhvxq(1210542)
Nsanti User-Agent Traffic(10028)
FTP: login Brute-force attempt(40001)
Some keywords: Brute-force, Virus, User-Agent, Trojan, Suspicious, Vulnerability

Description: may be critical
Some keywords: failed

RepeatCount: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Possibly a sign of network congestion

Application: shows the users' software behaviour
Some keywords: unknown-tcp
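The rule reference above (notable actions, THREAT subtypes, threat-name keywords, the "failed" description keyword, the unknown-tcp application, and the 14-day window) can be folded into one matcher. The following Python is an added example, not code from the original post, from Palo Alto Networks or from Graylog; the field names (timestamp, type, subtype, action, threat, application, description) are assumptions standing in for whatever your Graylog extractor produces, and the sample messages are constructed, not real firewall output. It also extracts the numeric ThreatID from the "name(id)" form the list above uses, so the ID can be matched against a range later.

```python
import re
from datetime import datetime, timedelta, timezone

# Values taken from the rule reference above.
NOTABLE_ACTIONS = {"alert", "block-url", "deny", "reset-server", "reset-client", "reset-both"}
WATCH_SUBTYPES = {"spyware", "virus", "flood", "packet", "vulnerability", "wildfire-virus", "scan"}
THREAT_KEYWORDS = ("brute-force", "virus", "user-agent", "trojan", "suspicious", "vulnerability")
DESCRIPTION_KEYWORDS = ("failed",)
APPLICATION_KEYWORDS = ("unknown-tcp",)

# The threat field is written as "<name>(<numeric id>)", e.g. "FTP: login Brute-force attempt(40001)".
THREAT_FIELD_RE = re.compile(r"^(?P<name>.*)\((?P<id>\d+)\)\s*$")


def parse_threat_field(value):
    """Split 'name(id)' into (name, id). Returns (value, None) when there is no numeric id suffix."""
    value = (value or "").strip()
    m = THREAT_FIELD_RE.match(value)
    if not m:
        return value, None
    return m.group("name").strip(), int(m.group("id"))


def classify(msg):
    """Return the reasons one extracted message matches the rule reference (empty list = no match)."""
    reasons = []
    action = (msg.get("action") or "").lower()
    if action in NOTABLE_ACTIONS:
        reasons.append("action=" + action)

    log_type = (msg.get("type") or "").upper()
    subtype = (msg.get("subtype") or "").lower()
    if log_type == "THREAT" and subtype in WATCH_SUBTYPES:
        reasons.append("subtype=" + subtype)

    name, tid = parse_threat_field(msg.get("threat"))
    hit = next((kw for kw in THREAT_KEYWORDS if kw in name.lower()), None)
    if hit:
        reasons.append("threat keyword=%s id=%s" % (hit, tid))

    description = (msg.get("description") or "").lower()
    if any(kw in description for kw in DESCRIPTION_KEYWORDS):
        reasons.append("description keyword")

    application = (msg.get("application") or "").lower()
    if application in APPLICATION_KEYWORDS:
        reasons.append("application=" + application)
    return reasons


def scan(messages, now, window_days=14):
    """Return [(index, reasons)] for messages inside the time window that match at least one rule."""
    cutoff = now - timedelta(days=window_days)
    results = []
    for i, msg in enumerate(messages):
        ts = datetime.fromisoformat(msg["timestamp"])
        if ts < cutoff:
            continue  # older than the retention window the rule is meant to cover
        reasons = classify(msg)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed sample messages (assumed field names, not real firewall output).
NOW = datetime(2018, 6, 15, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    {"timestamp": "2018-06-14T08:00:00+00:00", "type": "THREAT", "subtype": "spyware",
     "action": "alert", "threat": "Suspicious DNS Query (generic:rlhqw.cn)(4077880)",
     "application": "dns", "description": ""},
    {"timestamp": "2018-06-10T12:30:00+00:00", "type": "THREAT", "subtype": "vulnerability",
     "action": "reset-both", "threat": "FTP: login Brute-force attempt(40001)",
     "application": "ftp", "description": ""},
    {"timestamp": "2018-06-13T01:00:00+00:00", "type": "TRAFFIC", "subtype": "end",
     "action": "allow", "threat": "", "application": "unknown-tcp", "description": ""},
    {"timestamp": "2018-06-14T09:15:00+00:00", "type": "SYSTEM", "subtype": "general",
     "action": "", "threat": "", "application": "",
     "description": "Connection to update server failed"},
    {"timestamp": "2018-05-20T10:00:00+00:00", "type": "THREAT", "subtype": "virus",
     "action": "deny", "threat": "Virus/Win32.Adwind.af(1251891)",
     "application": "web-browsing", "description": ""},  # outside the 14-day window
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_MESSAGES, NOW):
        print(idx, "; ".join(why))
```

Each reason string names the field that fired, so a Graylog alert built on top of this can show why a message was flagged rather than just that it was; the window check mirrors the 14-day criterion and can be shortened to 10 to match what the index actually holds.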
