Why do I see "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984) false positives?

58036
Created On 12/11/20 22:27 PM - Last Modified 12/14/23 13:09 PM


Question


What are the "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984) Anti-Spyware signatures, and why do they trigger false positives?



Environment


  • Palo Alto Firewall.
  • PAN-OS 7.1 and above.
  • Threat prevention.


Answer


The purpose and use of these signatures is described at

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/enable-evasion-signatures

These special evasion signatures, "Suspicious TLS Evasion Found" (14978) and "Suspicious HTTP Evasion Found" (14984), detect an internal client that crafts its request so as to evade URL Filtering.

For example, suppose a user wants to visit a site that URL Filtering blocks by category. The evader (the user) can trick URL Filtering into categorizing the session as "search-engines" instead.

For HTTPS, the evader crafts the TLS Client Hello so that the Server Name Indication (SNI) extension carries an allowed name; for HTTP, the evader sets the Host header to that name. In both cases the name (for example google.com) is what URL Filtering categorizes, while the TCP connection itself goes to the IP address of the blocked site. URL Filtering sees a "search-engines" request and lets it through, so the filter is evaded.

These signatures take the FQDN from the SNI (HTTPS) or the Host header (HTTP) and check it against the DNS queries that DNS Proxy has previously seen: the name must have been resolved through DNS Proxy, and the session's destination must match the address that resolution returned.

For there to be a DNS record to compare against, the DNS Proxy feature on the Palo Alto Networks firewall must be in the clients' resolution path. If clients resolve names elsewhere, the firewall has no record of the query, the check cannot succeed, and the signature fires even for legitimate traffic. Running these signatures without the recommended DNS Proxy configuration is the usual source of the false positives.
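To make the check concrete, the following simulation of the comparison the signatures perform is added here as an example; it is not Palo Alto Networks code and does not reproduce the firewall's implementation. The DNS Proxy cache, the session records, and every name and IP address in it are constructed. The choice of Threat ID by protocol and the behaviour that a name with no DNS Proxy record also triggers (the false-positive mode) follow the description above.

```python
"""
Simulated evasion-signature check (added example, not Palo Alto Networks code).

Models the logic described for Threat IDs 14978 (TLS) and 14984 (HTTP):
take the FQDN the client claims (TLS SNI or HTTP Host header), look it up
in a DNS Proxy resolution cache, and compare the session's real destination
IP with the addresses DNS returned for that name.  Shows both the evasion
case and the false-positive case (name never resolved through DNS Proxy).
All names, addresses and data structures are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple

TLS_EVASION_ID = 14978   # "Suspicious TLS Evasion Found"
HTTP_EVASION_ID = 14984  # "Suspicious HTTP Evasion Found"


class Verdict(Enum):
    OK = "FQDN resolved through DNS Proxy to this destination"
    MISMATCH = "FQDN resolved through DNS Proxy, but to other addresses"
    NO_RECORD = "FQDN never resolved through DNS Proxy"


@dataclass(frozen=True)
class Session:
    proto: str      # "tls" (SNI from the Client Hello) or "http" (Host header)
    src_ip: str
    dst_ip: str
    fqdn: str       # the name the client claims for the destination


# Constructed DNS Proxy cache: name -> addresses the firewall resolved for clients.
DNS_PROXY_CACHE: Dict[str, Set[str]] = {
    "www.google.com": {"142.250.72.4", "142.250.72.36"},
    "intranet.example.net": {"10.1.2.3"},
}


def classify(session: Session, cache: Dict[str, Set[str]]) -> Verdict:
    """Compare the claimed FQDN against what DNS Proxy actually resolved."""
    name = session.fqdn.rstrip(".").lower()   # normalise trailing dot and case
    resolved = cache.get(name)
    if resolved is None:
        return Verdict.NO_RECORD
    if session.dst_ip in resolved:
        return Verdict.OK
    return Verdict.MISMATCH


def evaluate(sessions: List[Session],
             cache: Dict[str, Set[str]]) -> List[Tuple[Session, int, Verdict]]:
    """Return (session, threat_id, verdict) for every session the signature
    would report.  A name with no DNS Proxy record also triggers, which is the
    false-positive mode when clients resolve names outside DNS Proxy."""
    hits = []
    for s in sessions:
        verdict = classify(s, cache)
        if verdict is Verdict.OK:
            continue
        threat_id = TLS_EVASION_ID if s.proto == "tls" else HTTP_EVASION_ID
        hits.append((s, threat_id, verdict))
    return hits


# Constructed sample sessions.
SESSIONS = [
    # Legitimate: resolved www.google.com via DNS Proxy and connects to that address.
    Session("tls", "10.0.0.5", "142.250.72.4", "www.google.com"),
    # Evasion: SNI says www.google.com (category "search-engines") but the TCP
    # connection goes to an address DNS never returned for that name.
    Session("tls", "10.0.0.7", "203.0.113.10", "www.google.com"),
    # Same trick over plaintext HTTP using the Host header.
    Session("http", "10.0.0.7", "203.0.113.10", "www.google.com"),
    # False positive: the client used an external resolver, so DNS Proxy has
    # no record for the name even though the destination is genuine.
    Session("tls", "10.0.0.9", "198.51.100.20", "www.example.org"),
]

if __name__ == "__main__":
    for s, tid, v in evaluate(SESSIONS, DNS_PROXY_CACHE):
        print(f"{tid} {s.src_ip} -> {s.dst_ip} [{s.fqdn}]: {v.value}")
```

Running the script reports three of the four sessions: the two crafted ones as mismatches, and the last one only because DNS Proxy never saw the query. That last verdict is the case an exception on 14978/14984 is meant to cover, and the fix that removes the need for the exception is to put DNS Proxy in the clients' resolution path so that the cache is populated.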

For this reason, it is often necessary to add a threat exception that sets the action for these informational Threat IDs, 14978 and 14984, to "allow" or "alert". For instructions, see:
How to Use Anti-Spyware, Vulnerability, and Antivirus Exceptions to Block or Allow Threats

If specific IP addresses need to be excepted, please see:
Why IP addresses under "IP address exemptions" of spyware threat exception was not excepted from spyware modified action.

The following article details the configuration and usage of DNS Proxy on the Palo Alto Networks firewall:
How to Configure DNS Proxy on a Palo Alto Networks Firewall



Additional Information


In some cases, if the domain is configured incorrectly on the firewall (under Device > Setup > Management > General Settings), queries sourced by the firewall itself will have that incorrect suffix appended automatically. If the signatures trigger with the firewall as the source, an incorrectly configured domain on the firewall is a likely culprit.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBwCCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail