03-25-2013 04:24 PM
I created a script that shows all vulnerability or phone-home signatures in CSV format.
Python and some modules are required, but you can run it on Mac (Mountain Lion) without installing additional modules.
This may help when you want to list the default action/vendor ID/CVE of vulnerability signatures or the default action of phone-home signatures.
Example:
List all vulnerability signatures
$ python siglist.py -t vul 192.168.0.1
List all phone home signatures
$ python siglist.py -t ph 192.168.0.1
Please feel free to ask me if you have any questions or requests.
Thanks,
Takahiro
03-26-2013 07:03 PM
Thanks. I used a reporting template system to build something similar.
Using PAN-python and PAN-ksteves, and with the jsont/threats.jsont
template below, you can do something like this:
$ panxapi.py -t pa-200 -rxg /config/predefined/threats|
> panconf.py --config - --json|
> panjsont.py --jt threats.jsont --json -
get: success
phone-home 10585 "CIA_1_22 Get password" data-theft high alert
phone-home 10313 "Ezula_Toptext Popup" adware low alert
phone-home 10328 "FeRAT_1" adware high alert
phone-home 10373 "Wintective_Keylogger" keylogger high alert
phone-home 10046 "Scar User-Agent Traffic" spyware medium alert
phone-home 10522 "SearchBossToolbar" adware low alert
phone-home 10223 "FunBuddyIcons View Fub Buddy icons" browser-hijack low alert
phone-home 10286 "Virtumonde info post" adware low alert
phone-home 10353 "Opwin_Trojan_1_1 connection and action commands:" adware high alert
phone-home 10766 "Hornet_1_0 fetch processes list" adware high alert
...
........................................................................
{# $Id: threats.jsont,v 1.1 2012/08/07 00:17:30 stevesk Exp $ }
{# use output from: $ panxapi -rxg /config/predefined/threats}
{.section threats}
{.section phone-home}
{.repeated section entry}
phone-home {name} "{threatname}" {category} {severity} {default-action}
{.end}
{.end}
{.section scan}
{.repeated section entry}
scan {id} "{name}" {severity}
{.end}
{.end}
{.section vulnerability}
{.repeated section entry}
vulnerability {name} "{threatname}" {category} {severity} {.default-action?}{default-action}{.or}_no-default-action_{.end}
{.end}
{.end}
{.end}
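As an added illustration (not Takahiro's siglist.py and not part of PAN-python), the following Python walks the same threats -> phone-home/vulnerability -> entry layout that the jsont template above iterates, and writes it out as CSV the way the first post describes. The XML below is a constructed sample; the element names (threatname, category, severity, default-action, cve/member) are assumptions taken from the template's placeholders, and the vulnerability entry deliberately omits default-action to exercise the template's _no-default-action_ branch.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the shape the thread's jsont template walks
# (threats -> phone-home/vulnerability -> entry). Element names are assumptions;
# the CVE value is a placeholder and the vulnerability entry has no <default-action>.
SAMPLE_XML = """<response status="success"><result>
<threats>
  <phone-home>
    <entry name="10585"><threatname>CIA_1_22 Get password</threatname>
      <category>data-theft</category><severity>high</severity>
      <default-action>alert</default-action></entry>
    <entry name="10313"><threatname>Ezula_Toptext Popup</threatname>
      <category>adware</category><severity>low</severity>
      <default-action>alert</default-action></entry>
  </phone-home>
  <vulnerability>
    <entry name="30001"><threatname>Example Overflow</threatname>
      <category>overflow</category><severity>critical</severity>
      <cve><member>CVE-XXXX-XXXXX</member></cve></entry>
  </vulnerability>
</threats></result></response>"""

FIELDS = ["type", "id", "threatname", "category", "severity", "default-action", "cve"]

def sig_rows(xml_text, sigtype):
    """Yield one dict per signature of `sigtype` ('phone-home' or 'vulnerability')."""
    root = ET.fromstring(xml_text)
    for entry in root.iterfind(f".//threats/{sigtype}/entry"):
        row = {"type": sigtype, "id": entry.get("name")}
        for f in ("threatname", "category", "severity"):
            row[f] = entry.findtext(f, default="")
        # Mirrors the template's {.or}_no-default-action_ branch for entries without one.
        row["default-action"] = entry.findtext("default-action", default="_no-default-action_")
        row["cve"] = " ".join(m.text for m in entry.iterfind("cve/member") if m.text)
        yield row

def to_csv(xml_text, sigtype):
    """Render the selected signature type as CSV text with a header row."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(sig_rows(xml_text, sigtype))
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(SAMPLE_XML, "phone-home"))
    print(to_csv(SAMPLE_XML, "vulnerability"))
```

To run it against a real firewall, feed it the XML returned by `panxapi.py -rxg /config/predefined/threats` instead of SAMPLE_XML.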
06-19-2013 02:43 AM
I created version 2 of this program since I found that the "description" of threats is provided in the API as well.
Please note this program gets the descriptions one by one, so it will take around one hour, and CPU usage of the management plane could increase.
This is a special-purpose program, and I'd recommend using PAN-python when you don't want to use/learn multiple programs.
Thanks,
Takahiro