WildFire upload cancelled by DP
22032
Created On 01/23/19 20:02 PM - Last Modified 10/22/24 12:46 PM
Symptom
- A client downloads an unknown PE file (created by a developer, so its hash is unknown to WildFire). This should trigger an upload to WildFire. Instead, the WildFire upload log shows the upload cancelled by DP:
wildfire-upload.log 2018-10-03 12:50:20 2018-10-03 12:50:20 +0200: stegno.exe pe cancelled - by DP PUB 21980 1478 112110 0x4034 allow
wildfire-upload.log 2018-10-08 14:40:08 2018-10-08 14:40:08 +0200: stegno.exe pe cancelled - by DP PUB 22757 1481 991030 0x4034 allow
wildfire-upload.log 2018-10-08 14:52:41 2018-10-08 14:52:41 +0200: stegno.exe pe cancelled - by DP PUB 190749 1484 281470 0x4034 allow
wildfire-upload.log 2018-10-08 15:08:08 2018-10-08 15:08:08 +0200: stegno.exe pe cancelled - by DP PUB 59443 1488 112110 0x4034 allow
wildfire-upload.log 2018-10-08 15:29:44 2018-10-08 15:29:44 +0200: stegno.exe pe cancelled - by DP PUB 234409 1495 110650 0x4034 allow 1 52020 0 109 0 172.20.10.40:64594 172.20.31.30:80 98d1d24a59f340716095e978bd3a5094d56626472f8761644059cc85c4f0f9d7
wildfire-upload.log 2018-10-08 15:32:45 2018-10-08 15:32:45 +0200: stegno.exe pe cancelled - by DP PUB 109010 1496 217230 0x4034 allow 1 52020 0 109 0 172.20.10.40:64614 172.20.31.30:80 2377ee33ea7d65fd851c001a071bb5032243afcc53392e7b5ea381863c2bc5cc
wildfire-upload.log 2018-10-08 15:39:34 2018-10-08 15:39:34 +0200: stegno.exe pe cancelled - by DP PUB 23556 1499 326730 0x4034 allow 1 52020 0 109 0 172.20.10.40:64655 172.20.31.30:80 93aecc4564ed6dd7beeefb75132f1612b89c2a0420ee9253f1f5bb5f608b50b7
wildfire-upload.log 2018-10-08 15:40:51 2018-10-08 15:40:51 +0200: stegno.exe pe cancelled - by DP PUB 116244 1502 1357490 0x4034 allow 1 52020 0 109 0 172.20.10.40:64672 172.20.31.30:80 3271fbbfeb472de6f959d9bbe96b54ef0265f5483f1ccd3a9ba497d3bd17f845
- The hash in the log file does not match the real file hash, 18219154e5b345e8f2096458bfb609702e731ca53ad0b505260e98119207998, and it is different on every attempt.
- Below is an example of the session information:
admin@pan01> show session id 184522
Session 184522
c2s flow:
source: 172.20.10.40 [Office]
dst: 172.20.31.30
proto: 6
sport: 53261 dport: 80
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 172.20.31.30 [DMZ]
dst: 172.20.10.40
proto: 6
sport: 80 dport: 53261
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Mon Oct 15 10:11:09 2018
timeout : 15 sec
total byte count(c2s) : 18902
total byte count(s2c) : 4899646
layer7 packet count(c2s) : 308
layer7 packet count(s2c) : 3230
vsys : vsys1
application : web-browsing
rule : Webserver
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
layer7 processing : completed
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/1.100
egress interface : ethernet1/1.121
session QoS rule : N/A (class 4)
tracker stage firewall : TCP RST - client
tracker stage l7proc : ctd queue limit
end-reason : tcp-rst-from-client
- From the global counters we can gather information about ctd (content inspection):
admin@pan01> show counter global filter packet-filter yes delta yes
Global counters:
Elapsed time since last sampling: 8.938 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
pkt_outstanding 3540 396 info packet pktproc Outstanding packet to be transmitted
pkt_alloc 1243 139 info packet resource Packets allocated
session_allocated 1 0 info session resource Sessions allocated
session_freed 13 1 info session resource Sessions freed
session_installed 1 0 info session resource Sessions installed
flow_host_pkt_xmt 2 0 info flow mgmt Packets transmitted to control plane
appid_ident_by_simple_sig 1 0 info appid pktproc Application identified by simple signature
appid_proc 1 0 info appid pktproc The number of packets processed by Application identification
dfa_dte_request_total 1239 138 info dfa offload The total number of dfa match using dte
dfa_hte_in_cache_lookup 1239 138 info dfa offload The total number of requests to an in cache HFA graph
dfa_session_change 1 0 info dfa offload when getting dfa result from offload, session was changed
dfa_hfa_lookup_too_many_matches 1 0 info dfa resource too many matches in HFA lookup
ctd_err_sw 1 0 info ctd pktproc ctd sw error
ctd_file_forward 1 0 info ctd pktproc The number of file forward found
ctd_bloom_filter_nohit 4 0 info ctd pktproc The number of no match for virus bloom filter
ctd_fwd_session_init 1 0 info ctd pktproc Content forward: number of successful action init
ctd_fwd_session_send 2474 276 info ctd pktproc Content forward: number of successful action send
ctd_fwd_session_fini 1 0 info ctd pktproc Content forward: number of successful action fini
ctd_fwd_session_cancel_send 1 0 info ctd pktproc Content forward: number of cancel requests sent
ctd_fwd_err_tcp_state 1 0 info ctd pktproc Content forward error: TCP in establishment when session went away
fpga_request 1238 138 info fpga offload The outstanding requests to FPGA
aho_fpga 1238 138 info aho resource The total requests to FPGA for AHO
aho_fpga_data 1855970 207649 info aho resource The total data size to FPGA for AHO
ctd_exceed_queue_limit 1 0 warn ctd resource The number of packets queued in ctd exceeds per session's limit, action bypass
ctd_process 1 0 info ctd pktproc session processed by ctd
ctd_pkt_slowpath 1238 138 info ctd pktproc Packets processed by slowpath
log_traffic_cnt 10 1 info log system Number of traffic logs
ctd_http_range_response 1 0 info ctd system Number of HTTP range responses detected by ctd
--------------------------------------------------------------------------------
Total counters shown: 28
--------------------------------------------------------------------------------
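The two artifacts above (the wildfire-upload.log entries and the ctd global counters) can be triaged together. The following script is an added example, not Palo Alto Networks code: it parses both outputs, flags uploads that were "cancelled - by DP", compares the logged hashes against the real file hash quoted in this article, and reports whether the two ctd counters discussed in the Cause section are non-zero. The sample input is copied from the article's own output; the parsing rules, the `assess` report layout and the `likely_range_bypass` heuristic are constructed for illustration.

```python
"""Triage helper: correlate WildFire upload cancellations with ctd counters.

Added example, not Palo Alto Networks code. Sample input is copied from the
article; the parsing rules and the report format are constructed.
"""
import re

# Real file hash as quoted in the article (copied verbatim).
KNOWN_FILE_HASH = "18219154e5b345e8f2096458bfb609702e731ca53ad0b505260e98119207998"

# Three wildfire-upload.log lines from the article (hash column only on some lines).
SAMPLE_UPLOAD_LOG = """\
wildfire-upload.log 2018-10-03 12:50:20 2018-10-03 12:50:20 +0200: stegno.exe pe cancelled - by DP PUB 21980 1478 112110 0x4034 allow
wildfire-upload.log 2018-10-08 15:29:44 2018-10-08 15:29:44 +0200: stegno.exe pe cancelled - by DP PUB 234409 1495 110650 0x4034 allow 1 52020 0 109 0 172.20.10.40:64594 172.20.31.30:80 98d1d24a59f340716095e978bd3a5094d56626472f8761644059cc85c4f0f9d7
wildfire-upload.log 2018-10-08 15:32:45 2018-10-08 15:32:45 +0200: stegno.exe pe cancelled - by DP PUB 109010 1496 217230 0x4034 allow 1 52020 0 109 0 172.20.10.40:64614 172.20.31.30:80 2377ee33ea7d65fd851c001a071bb5032243afcc53392e7b5ea381863c2bc5cc
"""

# A subset of the `show counter global` rows from the article.
SAMPLE_COUNTERS = """\
ctd_fwd_session_cancel_send 1 0 info ctd pktproc Content forward: number of cancel requests sent
ctd_fwd_err_tcp_state 1 0 info ctd pktproc Content forward error: TCP in establishment when session went away
ctd_exceed_queue_limit 1 0 warn ctd resource The number of packets queued in ctd exceeds per session's limit, action bypass
ctd_http_range_response 1 0 info ctd system Number of HTTP range responses detected by ctd
log_traffic_cnt 10 1 info log system Number of traffic logs
"""

# Counters the article singles out as bypass indicators.
BYPASS_COUNTERS = ("ctd_exceed_queue_limit", "ctd_http_range_response")

LOG_RE = re.compile(
    r"^wildfire-upload\.log (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?: "
    r"(?P<file>\S+) (?P<ftype>\S+) (?P<status>\w+)(?: - by (?P<by>\w+))?(?P<rest>.*)$"
)
COUNTER_RE = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<sev>\w+)\s+"
    r"(?P<cat>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.*)$"
)
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d+) (\d{1,3}(?:\.\d{1,3}){3}:\d+)")


def parse_upload_log(text: str) -> list[dict]:
    """One dict per wildfire-upload.log line; hash/src/dst are None when absent."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        h = HASH_RE.search(rest)
        flow = FLOW_RE.search(rest)
        entries.append({
            "ts": m.group("ts"), "file": m.group("file"), "ftype": m.group("ftype"),
            "status": m.group("status"), "by": m.group("by"),
            "hash": h.group(0) if h else None,
            "src": flow.group(1) if flow else None,
            "dst": flow.group(2) if flow else None,
        })
    return entries


def parse_global_counters(text: str) -> dict[str, int]:
    """Map counter name -> value from `show counter global` output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def bypass_indicators(counters: dict[str, int]) -> dict[str, int]:
    """Non-zero values of the counters the article calls out."""
    return {n: counters[n] for n in BYPASS_COUNTERS if counters.get(n, 0) > 0}


def assess(upload_log: str, counter_output: str, known_hash: str) -> dict:
    """Constructed report: cancelled uploads, hash consistency, counter evidence."""
    cancelled = [e for e in parse_upload_log(upload_log)
                 if e["status"] == "cancelled" and e["by"] == "DP"]
    logged = sorted({e["hash"] for e in cancelled if e["hash"]})
    indicators = bypass_indicators(parse_global_counters(counter_output))
    # A logged hash that never equals the real file is consistent with the
    # firewall hashing only the bytes it saw inside one (partial) session.
    hash_mismatch = bool(logged) and known_hash not in logged
    return {
        "cancelled_by_dp": len(cancelled),
        "logged_hashes": logged,
        "hash_mismatch": hash_mismatch,
        "bypass_indicators": indicators,
        "likely_range_bypass": hash_mismatch and "ctd_http_range_response" in indicators,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_UPLOAD_LOG, SAMPLE_COUNTERS, KNOWN_FILE_HASH), indent=2))
```

Run it as-is to see the report for the sample data; on a live device, paste the full `wildfire-upload.log` tail and `show counter global` output into the two sample strings.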
Environment
model: PA-3020
sw-version: 8.0.8
global-protect-client-package-version: 4.0.7
app-version: 8072-5053
app-release-date: 2018/10/02 14:29:35
av-version: 2759-3268
av-release-date: 2018/10/08 04:02:51
threat-version: 8072-5053
threat-release-date: 2018/10/02 14:29:35
wf-private-version: 0
wf-private-release-date: unknown
url-db: paloaltonetworks
wildfire-version: 286084-288681
wildfire-release-date: 2018/10/08 10:40:08
platform-family: 3000
vpn-disable-mode: off
multi-vsys: on
operational-mode: normal
Cause
In the global counters we can see two areas of concern that can cause a malicious file to bypass the firewall and the WildFire file upload:
ctd_exceed_queue_limit 1 0 warn ctd resource The number of packets queued in ctd exceeds per session's limit, action bypass
ctd_http_range_response 1 0 info ctd system Number of HTTP range responses detected by ctd
- ctd_exceed_queue_limit
  - Indicates that the ctd queue is full and the traffic will bypass inspection
  - The firewall skips content inspection when its content inspection queue is full
- ctd_http_range_response
  - Means the file download was interrupted and resumed using the HTTP Range option
  - We do not buffer partial files, so if the HTTP Range option is allowed this results in a missed WF upload and AV evasion
Resolution
- When the next-generation firewall in the transit path identifies and drops a malicious file, it terminates the session with a TCP RST packet.
- If the web browser implements the HTTP "Range" option, it can start a new session to fetch only the remaining part of the file.
- This can prevent the firewall from triggering the same signature again, because the context from the initial session is missing, while allowing the web browser to reassemble the file and deliver the malicious content.
By default, the firewall allows the HTTP Range option.
To prevent malicious content from bypassing the firewall, and thereby the WildFire upload, make sure both of the following options are disabled in the WebUI under Device > Setup > Content-ID:
- Go to Device > Setup > Content-ID and disable "Forward segments exceeding TCP content inspection queue"
- Go to Device > Setup > Content-ID and disable "Allow HTTP header range option"
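The mechanism behind ctd_http_range_response and the three bullets above can be modelled without any network code. The script below is an added example, not Palo Alto Networks code: an in-memory origin honours `Range: bytes=N-` requests, an inline inspector hashes only the bytes that pass through one TCP session, and the download is reset after N bytes and then resumed. It shows why the per-session hashes never equal the real file hash and change with every attempt, and what happens to the client's file once the range option is no longer allowed. The "PE" body, the reset offsets and the inspector behaviour are constructed.

```python
"""Model of the reset-then-resume gap described in this article.

Added example, not Palo Alto Networks code. The body, the reset offset and
the inspector are constructed; only the RFC 7233 single-range semantics are real.
"""
import hashlib
from typing import Optional

# Constructed stand-in for the downloaded executable (not a real PE file).
SAMPLE_PE = b"MZ" + bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def origin_response(body: bytes, range_header: Optional[str]) -> tuple[int, bytes]:
    """Minimal origin server honouring 'Range: bytes=N-' or 'bytes=N-M'."""
    if range_header is None:
        return 200, body
    spec = range_header.removeprefix("bytes=")
    start_s, end_s = spec.split("-", 1)
    start = int(start_s)
    end = int(end_s) + 1 if end_s else len(body)   # RFC 7233 ranges are inclusive
    return 206, body[start:end]


def download_with_reset(body: bytes, reset_after: int, allow_http_range: bool) -> dict:
    """Session 1 is reset by the inspector after `reset_after` bytes; the client
    retries with a Range request for the remainder. When the range option is
    not allowed, the inspector refuses that partial request instead."""
    _, first = origin_response(body, None)
    seen_1 = first[:reset_after]             # bytes delivered before the RST
    per_session_hashes = [sha256_hex(seen_1)]  # the inspector hashes only what it saw
    if allow_http_range:
        _, seen_2 = origin_response(body, f"bytes={reset_after}-")
        per_session_hashes.append(sha256_hex(seen_2))
        client_file = seen_1 + seen_2        # browser reassembles the whole file
    else:
        client_file = seen_1                 # resume refused; client keeps a truncated file
    return {
        "per_session_hashes": per_session_hashes,
        "client_hash": sha256_hex(client_file),
        "client_complete": client_file == body,
    }


if __name__ == "__main__":
    full = sha256_hex(SAMPLE_PE)
    for offset in (1000, 2000):
        r = download_with_reset(SAMPLE_PE, offset, allow_http_range=True)
        print(f"range allowed, reset at {offset}: sessions saw {r['per_session_hashes']}, "
              f"client complete={r['client_complete']}, matches real hash={r['client_hash'] == full}")
    r = download_with_reset(SAMPLE_PE, 1000, allow_http_range=False)
    print(f"range disallowed: client complete={r['client_complete']}")
```

With the range option allowed, neither session's hash equals the real file hash and the pair changes with the reset offset, which is the symptom in the upload log; the client still ends up with the complete file. With the option disallowed, the resume is refused and the client is left with a truncated file.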
NOTE:
Palo Alto Networks recommends disabling both to follow best security practice. Disabling these options should not affect device performance; however, resumption of interrupted HTTP file transfers may be impaired.
See the figure below.
NOTE:
Many streaming applications re-adjust the bitrate of HTTP video according to network performance.
When a new stream is injected, the stream is resumed using the HTTP Range option.
Therefore, if you block that option you will break some HTTP video streaming applications, such as Netflix.
The workaround is to apply an application override to the streaming application.
Additional Information
For more information on Content-ID settings, click here
pan-os: https://docs.paloaltonetworks.com//8-0/ - pan-os Web-接口帮助/设备/设备设置内容-id
For more information on application override, click here:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0