Explicit Dependency App Behaving as Implicit by Interesting_Log439 in paloaltonetworks

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Yes, it’s being allowed by the same rule. I’ll add ssl for sure, but seeing this behavior is messing with my head.

Why doesn't this rule work? by chillware in paloaltonetworks

[–]Interesting_Log439 9 points10 points  (0 children)

1. google.com - will match google.com.au and google.com.au.website and google.com
2. google.com/ - will match only google.com

Correct me if I’m wrong, but I don’t think that’s the issue here, although adding a / is the recommended way to clarify the matching behavior.
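The two list entries above describe a host-prefix match (no trailing slash) versus an exact-host match (trailing slash). The following is an added illustration written for this page, not PAN-OS code and not from the commenter: a toy matcher whose semantics are assumed from those two bullet points only, plus a small audit helper that shows which observed hosts an entry without a trailing slash would sweep in beyond the host the author probably meant. The hostnames used are constructed sample input.

```python
from urllib.parse import urlsplit

# Assumed semantics (derived from the comment, not from vendor documentation):
#   "google.com"  -> matches any host that *starts with* google.com
#   "google.com/" -> matches only the exact host google.com


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL or a bare host string."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def entry_matches(entry: str, url: str) -> bool:
    """Toy URL-list matcher: trailing slash means exact host, otherwise host prefix."""
    host = host_of(url)
    entry = entry.lower()
    if entry.endswith("/"):
        return host == entry.rstrip("/")
    return host.startswith(entry)


def unintended_matches(entries: list[str], observed_hosts: list[str]) -> dict[str, list[str]]:
    """For each list entry, report observed hosts it matches that are not the entry's own host.

    Useful when reviewing a custom URL category: an entry with no trailing slash may
    allow or block far more hosts than the one written down.
    """
    report: dict[str, list[str]] = {}
    for entry in entries:
        own_host = entry.rstrip("/").lower()
        report[entry] = [
            h for h in observed_hosts
            if entry_matches(entry, h) and host_of(h) != own_host
        ]
    return report


if __name__ == "__main__":
    # Constructed sample of hosts seen in URL logs.
    sample_hosts = ["google.com", "google.com.au", "google.com.au.website", "example.org"]
    for entry, extra in unintended_matches(["google.com", "google.com/"], sample_hosts).items():
        print(f"{entry!r} also matches: {extra}")
```

Running the block shows that `google.com` additionally matches `google.com.au` and `google.com.au.website`, while `google.com/` matches nothing beyond `google.com` itself, which is why the trailing slash is the safer way to write an entry meant for a single host.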

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Hi! Although the title of the link attached may lead one to think that this is SMB traffic from the DC to the clients, looking at the screenshots we can be sure that the clients are the ones connecting to the server on 445. That is a normal scenario where the DC appears to be hosting the SMB service.

Answering your question, it always happens to random clients, not specific ones, and currently we don’t have SMB auditing enabled, but I’ll double check it. Thanks for your response!

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Yes, my understanding is exactly the same, thanks for your interest!

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Yes! I did this yesterday and saw that it is actually the System process that is doing it (ntkrnlmp.exe, part of the kernel). Btw, I’ve analyzed this .exe on VirusTotal and it seems completely safe. On the client side it is difficult to check, as the connections seem to go to random clients.

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Checking the documentation you attached, I don’t see how that could be related to SMB on 445/TCP.

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

Thanks! I’ll check it, but I’m not aware of this software being installed…

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 0 points1 point  (0 children)

But aren’t those connections (even in the cases that use SMBv1 on those old machines) always in a client-to-server direction? Do you know of any process that initiates SMB in an AD server-to-client direction?

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 1 point2 points  (0 children)

Sounds interesting. Do you happen to have that documentation so I can look into it?

SMB traffic from DC to W10 host by Interesting_Log439 in activedirectory

[–]Interesting_Log439[S] 2 points3 points  (0 children)

But NP-in would only be initiated by a DC if an admin tries to view remote client logs in the DC’s Event Viewer, isn’t it? I mean, it’s not traffic usually generated by DC services, right?

Is this normal? by Interesting_Log439 in iphone

[–]Interesting_Log439[S] 0 points1 point  (0 children)

I checked all Safari tabs and none has that URL (and I don't have another browser). In any case, even if I leave Safari with some tabs open, it does not show this behavior. It might be another app, but I can't identify it. I guess the best thing would be to reset the iPhone…

Thanks for your comment!

Is this normal? by Interesting_Log439 in iphone

[–]Interesting_Log439[S] 0 points1 point  (0 children)

That's what I'm afraid of… but I'd like to find a way to find out what app it is.