plus3it / spel

STIG-Partitioned Enterprise Linux (spel)

Palo Alto high risk site: https://spel-packages.cloudarmor.io #565

Closed mcs123 closed 2 years ago

mcs123 commented 2 years ago

During the build process the below site is blocked by my company's firewall, based on Palo Alto's findings. Any idea what this is about? And what else can be done about it if I can't get them to unblock it?

https://spel-packages.cloudarmor.io

Palo Alto's reasoning to recommend blocking:

Category: High Risk

Description: Sites that were previously confirmed to be malicious but have displayed benign activity for at least 30 days. Bulletproof ISP-hosted sites and sites with an IP address from an ASN that is known to allow malicious content. Sites that are associated with confirmed malicious activity (for example, they share the same domain).

lorengordon commented 2 years ago

That site is just a yum repo that provides versions of AWS RPMs from Amazon Linux that are rebuilt for RedHat (and derivative) platforms. It's absolutely never been malicious, and Palo has clearly lost its mind. Of course if you want to block it, that's your prerogative. It should be fine if it is not accessible, as we set skip_if_unavailable=1 in the repo definition.

If it helps, you can view the source for the process of how the repo gets built, here. It's then hosted in an S3 bucket, behind CloudFront.

mcs123 commented 2 years ago

Thanks, I had looked at it already and it all seemed good to me, but my organization is a large US federal one, and they use Palo Alto as one of their sources for what to block. I guess I'll try to source the repo internally and point the project towards it.
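The two mitigations raised in this thread, the skip_if_unavailable=1 setting lorengordon mentions and the internal mirror mcs123 plans to stand up, as an added shell example that is not part of spel's build or of either comment. The .repo text, the vendor-extras repo and the mirror.example.internal hostname are constructed for the example, and the spel-packages baseurl path shown is an assumption rather than the real repo layout.

```shell
#!/bin/sh
# Added example (not spel's own code). Audits yum/dnf .repo definitions for the
# failure mode in this thread: a repo whose URL a corporate proxy or URL filter blocks.
# With skip_if_unavailable=1 dnf logs a warning and carries on; without it the build
# aborts at metadata download. The second helper rewrites one repo's baseurl to an
# internal mirror. The .repo text, the vendor-extras repo and the mirror hostname are
# constructed here; the spel-packages baseurl path is an assumption.

SAMPLE_REPO='[spel-packages]
name=spel-packages
baseurl=https://spel-packages.cloudarmor.io/el$releasever/$basearch/
enabled=1
gpgcheck=1
skip_if_unavailable=1

[vendor-extras]
name=vendor-extras
baseurl=https://extras.example.com/el$releasever/
enabled=1
gpgcheck=1
'

# Print the id of every enabled repo (read from stdin) that does NOT set
# skip_if_unavailable=1. Those are the repos where a URL-filter block becomes a
# hard build failure instead of a warning.
repos_without_skip() {
    awk '
      function flush() { if (id != "" && enabled == "1" && skip != "1") print id }
      /^\[/ { flush(); id = substr($0, 2, length($0) - 2); enabled = "1"; skip = "0"; next }
      /^[[:space:]]*enabled[[:space:]]*=/ {
          sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); enabled = $0 }
      /^[[:space:]]*skip_if_unavailable[[:space:]]*=/ {
          sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); skip = $0 }
      END { flush() }
    '
}

# Rewrite the baseurl of repo $1 (stdin) to the mirror URL $2, leaving every other
# line untouched. The mirror directory itself is typically populated up front with
#   dnf reposync --repoid=<id> -p <dir>
# from a host that is allowed to reach the upstream repo.
point_to_mirror() {
    awk -v id="$1" -v mirror="$2" '
      /^\[/ { cur = substr($0, 2, length($0) - 2) }
      cur == id && /^[[:space:]]*baseurl[[:space:]]*=/ { print "baseurl=" mirror; next }
      { print }
    '
}

# Extract the baseurl value of repo $1 from stdin (used to verify a rewrite).
baseurl_of() {
    awk -v id="$1" '
      /^\[/ { cur = substr($0, 2, length($0) - 2) }
      cur == id && /^[[:space:]]*baseurl[[:space:]]*=/ {
          sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    '
}

# Stand-alone demo: list repos that would break the build if blocked, then point
# spel-packages at an internal mirror and show the rewritten baseurl.
printf '%s' "$SAMPLE_REPO" | repos_without_skip
printf '%s' "$SAMPLE_REPO" \
  | point_to_mirror spel-packages https://mirror.example.internal/spel-packages/ \
  | baseurl_of spel-packages
```

Run the audit over /etc/yum.repos.d/*.repo before a build; any id it prints is a repo whose blocked URL will abort dnf rather than be skipped. skip_if_unavailable=1 only makes the repo optional: packages that exist solely in that repo are still missing from the resulting image, which is why an internally hosted mirror is the durable fix when the upstream URL cannot be unblocked.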

lorengordon commented 2 years ago

I requested a re-categorization for the site, https://urlfiltering.paloaltonetworks.com/. If you can, it might also help if your organization opens a support ticket with Palo Alto.

mcs123 commented 2 years ago

Thank you. My org has requested a review from PA. No idea how long that will take though...

lorengordon commented 2 years ago

fwiw, just got a response that the url was recategorized. hopefully this helps!

Thanks again for your URL re-categorization request. As a result of our re-evaluation, we have made the following changes:

URL: https[:]//spel-packages[.]cloudarmor[.]io/
Previous category: unknown
You suggested: computer-and-internet-info
Accepted category: computer-and-internet-info
The new categorization is available starting with URL DB version: 20220713.20312

If you disagree with this category change and you'd like to resubmit this request along with additional information that will help with accurate categorization, please visit: http://urlfiltering.paloaltonetworks.com/. Note that you may experience different URL categorizations for a given URL across different PAN-OS versions due to new URL filtering capabilities being introduced to more recent versions of PAN-OS.

URLs and hostnames contained in this communication may have been modified for the purposes of security and to ensure delivery to recipients behind mail gateways actively filtering potential malware and phishing attacks.

Note: This is an unmonitored mailbox. Please do not reply to this email, as your response may not be received. If follow-up is required, please contact Palo Alto Networks support.

Regards, Palo Alto Networks

mcs123 commented 2 years ago

Nice! That is great news, and quick! Thank you. I'm submitting it to our SOC team now.

mcs123 commented 2 years ago

Our SOC team unblocked it, I'm back on track! Thank you again @lorengordon