Category mismatch between the WildFire submission log of an email link ("malicious") and the URL category (not "Malware")
Created On 12/28/22 05:25 AM - Last Modified 06/13/24 02:03 AM
Symptom
A WildFire submission log for an email link is generated with the "malicious" category. The URL shown in the log is exactly 63 characters long.
When that URL is looked up on Test A Site (https://urlfiltering.paloaltonetworks.com/), the category returned is something other than "Malware".
Environment
Palo Alto Networks Firewall with WildFire subscription.
Cause
When the URL is longer than 63 bytes, the URL recorded in the WildFire submission log is truncated to its first 63 bytes.
Reference:
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields
- URL/Filename (misc)
- A Filename has a maximum of 63 characters.
- File name when the subtype is wildfire
Please note that in a WildFire submission log this field is treated as a Filename rather than a URL, even when the submission is an email link, so the 63-character filename limit applies.
When the URL category of the truncated URL is looked up, a different category may be returned, e.g. the category of its parent URL, because there is no exact match for the partial URL in the database.
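The following added example (not Palo Alto Networks code) reproduces the truncation described above and shows why a lookup on the truncated value can return the parent's category instead of the full URL's. The category table is constructed for illustration only; the URL is the vendor test URL used in the Resolution section.

```python
"""Reproduce the 63-byte cut applied to the URL/Filename (misc) field of a
WildFire submission log and show how a category lookup on the truncated
value falls back to the parent URL's category.

Added example; not Palo Alto Networks code. CONSTRUCTED_CATEGORIES is a
made-up stand-in for the URL-filtering database, not real category data.
"""

# Documented maximum of the URL/Filename (misc) field in threat logs.
WILDFIRE_MISC_FIELD_MAX_BYTES = 63


def truncate_to_field(url: str, max_bytes: int = WILDFIRE_MISC_FIELD_MAX_BYTES) -> str:
    """Return the URL as it would appear in the log, cut at max_bytes bytes.

    The limit is in bytes, not characters, so a multi-byte UTF-8 character
    that straddles the boundary is dropped rather than emitted half-cut.
    """
    data = url.encode("utf-8")
    if len(data) <= max_bytes:
        return url
    return data[:max_bytes].decode("utf-8", errors="ignore")


# Constructed stand-in for a URL database: "host[/path]" -> category.
# Only the exact test-phishing path carries the malicious category; the
# parent site itself is benign.
CONSTRUCTED_CATEGORIES = {
    "urlfiltering.paloaltonetworks.com": "computer-and-internet-info",
    "urlfiltering.paloaltonetworks.com/test-phishing/1672192606": "phishing",
}


def lookup_category(url: str, table: dict = CONSTRUCTED_CATEGORIES) -> str:
    """Longest-prefix match by path segment.

    This models the behaviour the KB article describes: when the partial
    URL has no exact entry, the nearest parent entry's category is returned.
    """
    key = url.split("://", 1)[-1]          # drop the scheme
    parts = key.split("/")
    for n in range(len(parts), 0, -1):
        candidate = "/".join(parts[:n])
        if candidate in table:
            return table[candidate]
    return "unknown"


def explain_mismatch(url: str) -> dict:
    """Compare the category of the full URL with that of the logged (truncated) URL."""
    logged = truncate_to_field(url)
    return {
        "logged_url": logged,
        "truncated": logged != url,
        "full_category": lookup_category(url),
        "logged_category": lookup_category(logged),
    }


if __name__ == "__main__":
    # The vendor test URL from the article; 65 bytes, so the log keeps 63.
    result = explain_mismatch(
        "http://urlfiltering.paloaltonetworks.com/test-phishing/1672192606"
    )
    for k, v in result.items():
        print(f"{k}: {v}")
```

The lookup deliberately walks from the most specific entry to the least specific one, which is the behaviour that produces the mismatch: the truncated URL never hits the exact entry, so the benign parent category is returned while the full URL from the WildFire report resolves to the malicious one.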
Resolution
The actual (non-truncated) URL can be found in the WildFire report.
Here is an example.
(This example shows how to find the actual URL; it is not an example of the category mismatch itself.)
- WildFire Report (MONITOR > Logs > WildFire Submissions > Detailed Log View > WildFire Analysis Report)
The same information can also be found on the WildFire portal.
So, in this example the actual URL is:
http://urlfiltering.paloaltonetworks.com/test-phishing/1672192606
- WildFire Submission log
$ echo -n 'http://urlfiltering.paloaltonetworks.com/test-phishing/16721926' | wc -c
63
The URL in the WildFire submission log was truncated at 63 bytes.
Once you find the URL in the WildFire report, you can check the category on Test A Site (https://urlfiltering.paloaltonetworks.com/).
If the WildFire submission log is generated with the "malicious" category, Test A Site will most likely also show one of the malicious categories ("Malware", "Phishing", etc.) for the full URL.