My Echo Requests

Just when you thought I had gone and left you.....


Palo-Alto searching for Arps…

Logging traffic for global counters

If you need the GUI tutorial, go to the Palo Alto Networks page:
https://live.paloaltonetworks.com/docs/DOC-3199

1. Let's look for a drop or error counter that is currently counting bad packets

This example uses the ARP protocol; we are looking for ARP issues, a typical problem on networks. The filter shows only counters whose value is non-zero, and "delta yes" shows the change since the command was last run in this session, so a counter that keeps climbing between runs is one that is still counting new packets.

> show counter global filter value non-zero delta yes | match arp

flow_fwd_l3_noarp                          5        0 drop      flow      forward   Packets dropped: no ARP
flow_arp_pkt_rcv                         468       47 info      flow      arp       ARP packets received
flow_arp_pkt_xmt                           2        0 info      flow      arp       ARP packets transmitted
flow_arp_pkt_replied                     175       17 info      flow      arp       ARP requests replied
flow_arp_pkt_learned                       2        0 info      flow      arp       ARP entry learned
flow_arp_rcv_gratuitous                   10        1 info      flow      arp       Gratuitous ARP packets received
flow_arp_resolve_xmt                       2        0 info      flow      arp       ARP resolution packets transmitted

The first line is the one to look for: flow_fwd_l3_noarp has severity "drop" and counts 5 packets the firewall discarded because it had no ARP entry for the next hop. The other counters are "info" severity and only describe normal ARP activity, so they are not the problem.
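Spotting the drop counter by eye works for seven lines, but not when the unfiltered list runs to hundreds. The script below is an added example (my code, not Palo Alto Networks code and not part of the original post): it parses the seven columns that "show counter global" prints (name, value, rate, severity, category, aspect, description), returns the drop/error counters that have actually counted something, and can diff two full snapshots when you saved them without "delta yes". The sample input is the ARP listing above plus one constructed "error" line under a hypothetical counter name.

```python
"""Triage the output of 'show counter global' from a PAN-OS firewall.

Added example for this post, not Palo Alto Networks code. Parses the seven
columns the CLI prints (name, value, rate, severity, category, aspect,
description), lists the counters worth chasing, and diffs two snapshots.
"""
import re
from dataclasses import dataclass

# Constructed sample: the ARP lines quoted in the post plus one made-up
# 'error' line (flow_arp_pkt_err is a hypothetical name, not a real counter).
SAMPLE = """\
flow_fwd_l3_noarp                          5        0 drop      flow      forward   Packets dropped: no ARP
flow_arp_pkt_rcv                         468       47 info      flow      arp       ARP packets received
flow_arp_pkt_xmt                           2        0 info      flow      arp       ARP packets transmitted
flow_arp_pkt_replied                     175       17 info      flow      arp       ARP requests replied
flow_arp_pkt_learned                       2        0 info      flow      arp       ARP entry learned
flow_arp_rcv_gratuitous                   10        1 info      flow      arp       Gratuitous ARP packets received
flow_arp_resolve_xmt                       2        0 info      flow      arp       ARP resolution packets transmitted
flow_arp_pkt_err                           3        0 error     flow      arp       ARP packets with error (constructed)
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.*)$"
)


@dataclass(frozen=True)
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(text):
    """Return one Counter per data line; header, prompt and blank lines are skipped."""
    counters = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counters.append(Counter(m["name"], int(m["value"]), int(m["rate"]),
                                    m["severity"], m["category"], m["aspect"],
                                    m["description"].strip()))
    return counters


def suspicious(counters, severities=("drop", "error")):
    """The counters to chase: drop/error severity with something actually counted."""
    return [c for c in counters if c.severity in severities and c.value > 0]


def delta(before, after):
    """Per-counter increase between two full snapshots taken without 'delta yes'.
    Counters that did not move (or went down after a clear) are left out."""
    prev = {c.name: c.value for c in before}
    return {c.name: c.value - prev.get(c.name, 0)
            for c in after if c.value > prev.get(c.name, 0)}


if __name__ == "__main__":
    for c in suspicious(parse_counters(SAMPLE)):
        print(f"{c.name:30} {c.value:>8}  {c.severity:6} {c.description}")
```

Run it on the saved output of the command (for example captured over SSH); the "info" counters are kept by parse_counters so you can still diff them, but suspicious() only returns the drop and error ones.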

2. Activate the log for that specific counter


More Palo-Alto Firewall info I need – Status of incomplete vs insufficient etc…

  • incomplete
    • The three-way TCP handshake did not complete (for example only the SYN was seen), OR
    • The handshake (SYN, SYN-ACK, ACK) completed but no data packets followed it. In other words, the traffic you are seeing is not really an application.

EX: if a client sends a server a SYN and the firewall creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

  • insufficient-data
    • The three-way handshake completed and data did follow it, but there was not enough of it to match any App-ID signature, for example a single short data packet after the handshake.
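The same rules written as code, so the difference between the two states is mechanical. This is an added example, not Palo Alto Networks code and not from the original post: it walks a list of constructed packets, checks for the full SYN, SYN-ACK, ACK sequence, then looks at the data that followed. The signature table and the MIN_DATA threshold are stand-ins for App-ID, and the "unknown-tcp" result covers the remaining case the post does not list, a completed handshake with enough data that matched nothing.

```python
"""Apply the incomplete / insufficient-data rules to a packet sequence.

Added example for this post, not Palo Alto Networks code. Packets, the
signature table and the MIN_DATA threshold are all constructed stand-ins.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    from_client: bool
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


# Stand-in for App-ID signatures (assumption: the real decoders are far richer).
SIGNATURES = {
    "web-browsing": (b"GET ", b"POST ", b"HEAD "),
    "ssl": (b"\x16\x03",),
    "ssh": (b"SSH-",),
}
MIN_DATA = 8  # payload bytes before we say "enough data to decide" (assumption)

# The three packets of a normal handshake, reused by the callers below.
HANDSHAKE = [
    Pkt(from_client=True, syn=True),
    Pkt(from_client=False, syn=True, ack=True),
    Pkt(from_client=True, ack=True),
]


def handshake_complete(pkts):
    """True once SYN, SYN/ACK and the final ACK were all seen, in that order."""
    state = 0
    for p in pkts:
        if state == 0 and p.from_client and p.syn and not p.ack:
            state = 1
        elif state == 1 and not p.from_client and p.syn and p.ack:
            state = 2
        elif state == 2 and p.from_client and p.ack and not p.syn:
            return True
    return False


def classify(pkts):
    """Return the app name, or the reason no app could be named."""
    if not handshake_complete(pkts):
        return "incomplete"          # e.g. SYN sent, server never answered
    data = b"".join(p.payload for p in pkts)
    if not data:
        return "incomplete"          # handshake only: not really an application
    for app, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return app
    if len(data) < MIN_DATA:
        return "insufficient-data"   # data seen, but too little to match anything
    return "unknown-tcp"             # plenty of data, nothing matched


if __name__ == "__main__":
    print(classify([Pkt(from_client=True, syn=True)]))
    print(classify(HANDSHAKE))
    print(classify(HANDSHAKE + [Pkt(from_client=True, payload=b"GE")]))
    print(classify(HANDSHAKE + [Pkt(from_client=True, payload=b"GET / HTTP/1.1\r\n")]))
```

The order of the checks is the point: handshake first, then whether any data was seen at all, and only then whether there was enough of it to identify the application.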


Palo-Alto basic troubleshooting

When troubleshooting network and security issues on many different devices I always miss some command options to do exactly what I want to do on the device I am currently working with. Therefore, I list a few commands for the Palo Alto Networks firewalls to have a short reference for myself. Maybe some other network professionals will find it useful.

However, since I am almost always using the GUI this short reference only lists commands that are useful for the console while not present in the GUI.

This blog post will be a living document. Whenever I use some “new” commands for troubleshooting issues, I will update it. If there are any useful commands missing, please send me a comment!

For a complete list of all CLI commands, use the CLI Reference Guides from PAN. Or use the official Quick Reference Guide: Helpful Commands PDF.

Standard Show Commands

The following commands are really the basics and need no further description. I list them just as a reference:


MS Word…yup, patch it again.

Microsoft Word Memory Corruption Remote Code Execution Vulnerability

A vulnerability exists in Microsoft Word due to a memory corruption error when processing crafted RTF files. A remote attacker could exploit this vulnerability to execute arbitrary code on vulnerable systems.

Technical Analysis

Microsoft Word is a word processing application included as a part of the Microsoft Office suite. A vulnerability exists in Microsoft Word 2003, 2007, 2010, 2013, and 2013 RT; Microsoft Word Viewer; the Microsoft Office Compatibility Pack; Microsoft Office for Mac 2011; Microsoft SharePoint Server 2010 and 2013; and Microsoft Office Web Apps 2010 and Office Web Apps Server 2013 due to improper handling of objects in memory when parsing RTF files. Parsing a specially crafted RTF file may allow remote attackers to corrupt memory and execute arbitrary code on vulnerable systems with the privileges of the logged on user. Successful exploitation may lead to a system compromise if the user operates with administrative privileges.
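A quick triage of an attachment before it reaches Word, as an added example (my code, not Microsoft's and not from the original post): Word picks its parser by sniffing the content rather than the extension, so the check keys on the '{\rtf' signature instead of the file name, then counts the standard RTF control words for embedded OLE objects (\object, \objdata, \objclass) and raw binary runs (\bin), and decodes the \objdata hex to size the embedded object. The sample document and its "Package" object are constructed; nothing here is tied to the specific bug in the advisory.

```python
"""Is this attachment RTF, and what does it embed?

Added example for this post, not Microsoft code. The control words are the
standard RTF ones for OLE objects and binary runs; the sample is constructed.
"""
import re

RTF_MAGIC = b"{\\rtf"          # every RTF document opens with the \rtf group
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
BIN_RE = re.compile(rb"\\bin(\d+)")

# Constructed sample: a short RTF with one embedded "Package" object whose
# \objdata hex is a made-up 20-byte blob, not a real OLE stream.
SAMPLE = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    b"\\pard Quarterly report attached.\\par\n"
    b"{\\object\\objemb\\objw3000\\objh2000{\\*\\objclass Package}"
    b"{\\*\\objdata 0105000002000000080000005061636b61676500}}\n"
    b"}"
)


def is_rtf(data):
    """Key on content, not extension: Word parses this as RTF whatever it is named."""
    return data.lstrip().startswith(RTF_MAGIC)


def extension_mismatch(filename, data):
    """RTF content behind a non-.rtf name is worth a second look."""
    return is_rtf(data) and not filename.lower().endswith(".rtf")


def triage(data):
    """Summarise the embedded-object surface of an RTF file."""
    report = {"is_rtf": is_rtf(data), "objects": 0, "object_classes": [],
              "objdata_bytes": 0, "malformed_objdata": 0, "bin_bytes": 0}
    if not report["is_rtf"]:
        return report
    report["objects"] = len(OBJECT_RE.findall(data))
    report["object_classes"] = [c.strip().decode("ascii", "replace")
                                for c in OBJCLASS_RE.findall(data)]
    for blob in OBJDATA_RE.findall(data):
        hexdigits = re.sub(rb"\s+", b"", blob)
        if len(hexdigits) % 2:            # odd digit count: parser-hostile, flag it
            report["malformed_objdata"] += 1
            continue
        report["objdata_bytes"] += len(bytes.fromhex(hexdigits.decode("ascii")))
    report["bin_bytes"] = sum(int(n) for n in BIN_RE.findall(data))
    return report


if __name__ == "__main__":
    print(extension_mismatch("report.doc", SAMPLE), triage(SAMPLE))
```

An RTF arriving as .doc with an embedded object is not proof of anything, but it is exactly the shape of file worth holding back until the patch below is in place.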

Solution

Microsoft Security Advisory 2953095 tracks this issue as CVE-2014-1761. Until the security update is installed, users of Microsoft Word should apply Microsoft Fix it 51010, which can be downloaded from https://support.microsoft.com/kb/2953095. The Fix it applies an Office File Block policy so that Word refuses to open RTF content; it is a workaround rather than a fix, and the permanent fix is the security update Microsoft shipped as MS14-017.

References

  1. http://office.microsoft.com/en-us/word/
  2. http://support.microsoft.com/kb/2953095
  3. http://technet.microsoft.com/en-us/security/advisory/2953095

Android got 99 problems…

Ok…well, maybe not 99 – But I told my wife I'd send these to her and I forgot to…so I'm posting them here so y'all can be aware of them too.

Android Hole Allows Data Capture
http://www.isssource.com/android-hole-allows-data-capture/

Android.HeHe: Malware Now Disconnects Phone Calls
http://www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html

Windows Malware Attempts to Infect Android Devices
http://www.symantec.com/connect/blogs/windows-malware-attempts-infect-android-devices

So there are a few others that are in the works and I can’t fully disclose just yet, but as soon as I figure them out or someone else posts them in public – I’ll update this thread and let ya know…I’ll give you a hint:

Multiple vulnerabilities exist in Google Chrome for Android due to unspecified security flaws. A remote attacker could exploit these vulnerabilities to cause an unknown impact on vulnerable systems. 

2014

Yes…it’s a new year – and I suck at posting to this blog b/c facebook has pwned me something awful. But hey…I just wanted to post so that you know I still exist. Here I am…

New Mac Trojan

Intego, a Mac security company, was the first to report seeing a new Mac Trojan that attempts to create a backdoor on its victim’s system. The article indicates this attack appears to be a targeted attack by an unknown delivery mechanism. Intego reported that the command and control (C&C) server appeared to be down at the time of the article. During their testing, the Trojan attempted to download an image that implied links to the Syrian Electronic Army. We advise our Mac users to review the article closely for more details. In some cases, Gatekeeper may issue an alert should a user attempt to download the Trojan. We highly advise that all operating system and application patches as well as anti-virus definition files are at their latest versions. Readers should also be wary of unsolicited emails with attachments. Applications should only be downloaded from trusted, known sources.
http://www.intego.com/mac-security-blog/new-mac-trojan-discovered-related-to-syria/


© 2024 My Echo Requests
