New features of threat content 555: exploit kit and phishing vulnerability profile categories

New features of threat content 555: exploit kit and phishing vulnerability profile categories

7465
Created On 09/26/18 19:12 PM - Last Modified 04/21/20 00:46 AM


Environment
  • PAN-OS 7.0 and 7.1


Resolution

Content 555 released on February 3rd, 2016, has introduced two new categories to help categorize phishing attacks and exploits kits (like Angler, Rig, Nuclear, Magnitude, and Fiesta).

Please note that querying by these added categories only functions in PAN OS 7.0.x +.

When creating a new Vulnerability Profile, it is now possible to select the category "exploit-kit" and "phishing" to limit the profile to detect and enforce only threats within these categories.

Procedure to create  vulnerability profile for preventing exploit kits and phishing signature triggers with an action of Reset Both is outlined below.

  1. Log in to the PAN-OS WebGUI.
  2. Navigate to Objects > Security Profiles > Vulnerability Protection 
  3. Click Add in the bottom left corner.
 User-added image
  1. Name the profile in the Name box.
  2. Click Add to create a new rule.
  3. Name the rule. Let's use "Exploit Kits" for the example.
  4. Set the Action to Reset Both.
  5. Set the category to exploit-kit.
  6. Set packet capture to extended-capture. Exploit kits represent an extreme threat to any customer, and it's critical to see as much data as possible related to the signature triggers.
  7. The rule should look like this.
2.PNG
  1. Click OK to save the rule.
  2. Click Add to create a new rule, which we will use for Phishing.
  3. Name the rule. Let's use, "Phishing" for the example.
  4. Set the Action to Reset Both.
  5. Set the category to phishing.
  6. The rule should appear similar to the below screenshot:
3.PNG

 
Click OK. Now the profile should look like this:
 
4.PNG

You can click on Find Matching Signatures by selecting the rule to gain visibility into signatures.This will help to lend confidence that the profile is only applying the reset-both action to the signatures desired.
  1. Click OK.

There is now a vulnerability protection profile named Exploit Kit and Phishing that can be applied to any security policy on which it is applicable.

When investigating signature triggers in the future, query the threat log by category type  as shown below.
q1.PNG



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2rCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language