topic Listing all of vulnerability or phone-home signature in Automation/API Discussions

Listing all of vulnerability or phone-home signature

tmyzw — Mon, 25 Mar 2013 23:24:13 GMT

I created a script that shows all vulnerability or phone-home signature with CSV format.

Python and some modules are required but you can run on Mac(Mountain Lion) without installing additional module.

This may help when you want to list default action/vendorID/CVE of vulnerability or default action of phone home.

example.

List all vulnerability signatures

$ python siglist.py -t vul 192.168.0.1

List all phone home signatures

$ python siglist.py -t ph 192.168.0.1

Please feel free to askl me know if you have any questions and requests.

Thanks,

Takahiro

Re: Listing all of vulnerability or phone-home signature

ksteves1 — Wed, 27 Mar 2013 02:03:05 GMT

thanks. I used a reporting template system to build something similar.

using PAN-python and PAN-ksteves and with the jsont/threats.jsont

template below you can do something like this:

$ panxapi.py -t pa-200 -rxg /config/predefined/threats|

> panconf.py --config - --json|

> panjsont.py --jt threats.jsont --json -

get: success

phone-home 10585 "CIA_1_22 Get password" data-theft high alert

phone-home 10313 "Ezula_Toptext Popup" adware low alert

phone-home 10328 "FeRAT_1" adware high alert

phone-home 10373 "Wintective_Keylogger" keylogger high alert

phone-home 10046 "Scar User-Agent Traffic" spyware medium alert

phone-home 10522 "SearchBossToolbar" adware low alert

phone-home 10223 "FunBuddyIcons View Fub Buddy icons" browser-hijack low alert

phone-home 10286 "Virtumonde info post" adware low alert

phone-home 10353 "Opwin_Trojan_1_1 connection and action commands:" adware high alert

phone-home 10766 "Hornet_1_0 fetch processes list" adware high alert

...

........................................................................

{# $Id: threats.jsont,v 1.1 2012/08/07 00:17:30 stevesk Exp $ }

{# use output from: $ panxapi -rxg /config/predefined/threats}

{.section threats}

{.section phone-home}

{.repeated section entry}

phone-home {name} "{threatname}" {category} {severity} {default-action}

{.end}

{.section scan}

{.repeated section entry}

scan {id} "{name}" {severity}

{.end}

{.section vulnerability}

{.repeated section entry}

vulnerability {name} "{threatname}" {category} {severity} {.default-action?}{default-action}{.or}_no-default-action_{.end}

{.end}

Re: Listing all of vulnerability or phone-home signature

tmyzw — Wed, 19 Jun 2013 09:43:56 GMT

I created version 2 of this program since I found "description" of threats provided in API as well.

Please note this program gets the descriptions one by one so will take around one hour, and CPU usage of management plane could be increased.

This is a special purpose program and I'd recommend to use PAN-python when you don't want to use/learn multiple programs.

Thanks,

Takahiro

Re: Listing all of vulnerability or phone-home signature

tmyzw — Thu, 20 Jun 2013 01:55:32 GMT

I made a small change. The description of threats contains comma so TAB is suitable for field separation instead of comma. Output of this script now uses TSV(Tab Separated Value).