Identify Infected Hosts
After you have configured DNS sinkholing and verified that traffic to a malicious domain goes to the sinkhole address, you should regularly monitor traffic to the sinkhole address, so that you can track down the infected hosts and eliminate the threat.
- Use App Scope to identify infected client
- Select MonitorApp Scope and select Threat Monitor.
- Click the Show spyware button along the top of the display page.
- Select a time range.The following screenshot shows three instances of Suspicious DNS queries, which were generated when the test client host performed an NSLOOKUP on a known malicious domain. Click the graph to see more details about the event.
- Configure a custom report to identify all client hosts
that have sent traffic to the sinkhole IP address, which is 10.15.0.20
in this example.Forward to an SNMP manager, Syslog server and/or Panorama to enable alerts on these events.In this example, the infected client host performed an NSLOOKUP to a known malicious domain that is listed in the Palo Alto Networks DNS Signature database. When this occurred, the query was sent to the local DNS server, which then forwarded the request through the firewall to an external DNS server. The firewall security policy with the Anti-Spyware profile configured matched the query to the DNS Signature database, which then forged the reply using the sinkhole address of 10.15.0.20 and fd97:3dec:4d27:e37c:5:5:5:5. The client attempts to start a session and the traffic log records the activity with the source host and the destination address, which is now directed to the forged sinkhole address.Viewing the traffic log on the firewall allows you to identify any client host that is sending traffic to the sinkhole address. In this example, the logs show that the source address 192.168.2.10 sent the malicious DNS query. The host can then be found and cleaned. Without the DNS sinkhole option, the administrator would only see the local DNS server as the system that performed the query and would not see the client host that is infected. If you attempted to run a report on the threat log using the action “Sinkhole”, the log would show the local DNS server, not the infected host.
- Select MonitorManage Custom Reports.
- Click Add and Name the report.
- Define a custom report that captures traffic to the
sinkhole address as follows:
- Database—Select Traffic Log.
- Scheduled—Enable Scheduled and the report will run every night.
- Time Frame—30 days
- Selected Columns—Select Source address or Source User (if you have User-ID configured), which will identify the infected client host in the report, and Destination address, which will be the sinkhole address.
- In the section at the bottom of the screen, create a custom query for traffic to the sinkhole address (10.15.0.20 in this example). You can either enter the destination address in the Query Builder window (addr.dst in 10.15.0.20) or select the following in each column and click Add: Connector = and, Attribute = Destination Address, Operator = in, and Value = 10.15.0.20. Click Add to add the query.
- Click Run Now to run the report. The report will show all client hosts that have sent traffic to the sinkhole address, which indicates that they are most likely infected. You can now track down the hosts and check them for spyware.
- To view scheduled reports that have run, select MonitorReports.
Configure the Sinkhole IP Address to a Local Server on Your...
Configure the Sinkhole IP Address to a Local Server on Your Network By default, sinkholing is enabled for all Palo Alto Networks DNS signatures, and ...
Use DNS Queries to Identify Infected Hosts on the Network
Use DNS Queries to Identify Infected Hosts on the Network The DNS sinkhole action in Anti-Spyware profiles enables the firewall to forge a response to ...
DNS Sinkholing DNS sinkholing helps you to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the ...
Objects > Security Profiles > Anti-Spyware Profile
Objects > Security Profiles > Anti-Spyware Profile You can attach an Anti-Spyware profile to a Security policy rule for detecting connections initiated by spyware and ...
Create the Data Center Best Practice Anti-Spyware Profile
Protect your data center from spyware such as command-and-control, backdoor, data theft, and keylogging attacks. ...
Review Threat Logs
Review Threat Logs To begin investigating the alert, use the threat ID to search the Threat logs on Panorama ( Monitor Logs Threat ). From ...
Configure DNS Sinkholing for a List of Custom Domains
Configure DNS Sinkholing for a List of Custom Domains To enable DNS Sinkholing for a custom list of domains, you must create an External Dynamic ...
Security Profiles While security policy rules enable you to allow or block traffic on your network, security profiles help you define an allow but scan ...
Deploy Data Center Best Practices
If you’re already familiar with Palo Alto Networks’ platform, this checklist streamlines deploying security best practices in your data center to safeguard your most valuable ...