See Infected Hosts that Attempted to Connect to a Malicious Domain

Advanced Threat Prevention

See Infected Hosts that Attempted to Connect to a Malicious Domain

Table of Contents

See Infected Hosts that Attempted to Connect to a Malicious Domain

Where Can I Use This?
What Do I Need?
  • NGFW
  • Advanced Threat Prevention or Threat Prevention License
After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
  • Use App Scope to identify infected client hosts.
    1. Select
      App Scope
      and select
      Threat Monitor
    2. Click the
      Show spyware
      button along the top of the display page.
    3. Select a time range.
      The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.
  • Configure a custom report to identify all client hosts that have sent traffic to the sinkhole IP address, which is in this example.
    Forward to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.
    In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.
    Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action “Sinkhole”, the log would show the local DNS server, not the infected host.
    1. Select
      Manage Custom Reports
    2. Click
      the report.
    3. Define a custom report that captures traffic to the sinkhole address as follows:
      • Database
        Traffic Log
      • Scheduled
        and the report will run every night.
      • Time Frame
        —30 days
      • Selected Columns
        Source address
        Source User
        (if you have User-ID configured), which will identify the infected client host in the report, and
        Destination address
        , which will be the sinkhole address.
      • In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address ( in this example). You can either enter the destination address in the
        Query Builder
        window (
        addr.dst in
        ) or select the following in each column and click
        : Connector = and, Attribute = Destination Address, Operator = in, and Value = Click
        to add the query.
    4. Click
      Run Now
      to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
    5. To view scheduled reports that have run, select

Recommended For You