topic Re: Multiple malicious scans from the same source address - can I block IP automatically in General Topics

Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Fri, 28 Jul 2017 14:39:37 GMT

Occasionally, I notice that the firewall has been blocking tens or even hundreds of attempts from a single source address for multiple threats. In a case like this, it seems obvious, for someone looking at the logs, that that source IP should have been temporarily blocked and possibly banned, but that does not happen automatically.

We do have some exception in our vulnerability profile that change the action from reset to block-IP, for instance, but this only applies to a specific TID. When you have a host combining say 5 or 10 different exploits in one minute, is there a way to configure the firewall to automatically block the offending IP?

Thanks,

Luca

Re: Multiple malicious scans from the same source address - can I block IP automatically

Remo — Fri, 28 Jul 2017 14:45:15 GMT

Hi @LucaMarchiori

Are you already on PAN-OS 8 and is a temporary block required or is it ok to ban such source IP's?

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Fri, 28 Jul 2017 14:47:39 GMT

Hi vsys_remo,

We are on 7.1.11. Ban would be OK, preferable to no action. I end up putting those addresses in our internal EDL first chance I get, but that does not happen automatically, of course.

Re: Multiple malicious scans from the same source address - can I block IP automatically

BPry — Fri, 28 Jul 2017 15:10:02 GMT

Few things.

1) Have you looked into DoS profiles for things such as session limits, pps limits, and stuff like that. This tends to help in situations like this as if the profiles were set correctly it would likely have crossed the threshold.

2) How much do you love the API and how good is your scripting ability. All of this can be done automatically with the proper scripts and log processing, essentially making a SIEM without having to purchase anything and the IPs would be listing in something MineMeld can grab and you can control directly if needed, but it also gives you that automated response.

3) In your Vulnerability Protection Profile you can setup Rules for stuff like this with a 'Block IP' option. Here you can specify the Block IP action, host type, category, CVE, and Vendor ID options so that the Rule doesn't trip on something you don't want to. You just have to be careful that you don't unintentially start blocking something because of a false postive; depending on your SLAs that may be acceptable or it might not.

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Fri, 28 Jul 2017 16:04:35 GMT

Hi BPry,

We have a Zone Protection Profile, but apparently is enabled for the WAN zone only...? This latest attack, for instance, was targetting a host residing in the DMZ (most are). On this one host, all ports 1 to 10,000 were scanned in less than 2 minutes. I'm thinking I should add the Zone protection profile to the DMZ zone, right? Unfortunately, I would not know were to start to script something myself, I was hoping a feature along those lines already existed .

Luca

Re: Multiple malicious scans from the same source address - can I block IP automatically

BPry — Fri, 28 Jul 2017 17:38:07 GMT

@LucaMarchiori,

I'm assuming that the hosts in your DMZ are internet facing through NAT correct? I would both recommend a Zone Protection Profile on the DMZ along with individual DoS profiles for anything that you have public facing. The DoS profiles could have prevented this type of situation as it gives you similar protections as the Zone Protection Profile, but limits it to the actual hosts that you specify. This allows you to baseline a normal PSS and resource limits that one would expect from normal traffic and drop the traffic such as this.

Kiwi put together a pretty good document that you can find here https://live.paloaltonetworks.com/t5/Tutorials/How-to-Set-Up-DoS-Protection/ta-p/71164

Let me know if you need additional help on the DoS profiles; but I would seriously consider setting up both a DoS profile for the services you have facing the public and putting a Zone Protection Profile on your DMZ zone.

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Fri, 28 Jul 2017 20:16:26 GMT

Hi BPry,

Hosts in our DMZ are using public addresses. I'll definitely look into setting up a DoS profile to cover these hosts.

Luca

Re: Multiple malicious scans from the same source address - can I block IP automatically

Remo — Sat, 29 Jul 2017 17:55:42 GMT

Hi @LucaMarchiori

This will be definately a good idea to set this up as proposed by @BPry.

In addition to that there are many creative ways to block attacking IPs after the first attempt. In PAN-OS 8 you could tag attacking IPs based on specific filters (for example when a critical vulnerability was blocked or even one specific vulnerability). With this tag you are then able to create a dynamic addressgroup and use this group in your policy to drop connections from there completely. At least I think this is a very nice feature to lock out these attackers.

It is also possible to send syslog messages to a Minemeld installation and created extended dynamic lists based on informations in these syslog messages. The advantage of using this method is, that you can automatically remove ips from the lists after (for example) 30 days. And of course with Minemeld you have quite a few other possibilities 😉

But to block port scans, the easiest way to block them remains the Zone Protection / DoS Rules even if a simple port scan is probably not too worrysome...

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Mon, 31 Jul 2017 15:04:17 GMT

Hi vsys_remo,

I implemented zone protection for the DMZ. Any drawbacks to expanding ZP to the LAN interface as well?

I have had MineMeld in place for a few months, but I'm just using the HC feed. How complicated woud be to create a feed based on syslog data - any examples I can look at?

Luca

edit: this new feature you mention for PanOS 8.x sounds pretty much what I was hoping for. We'll not be moving to ver. 8 for some time though.

Re: Multiple malicious scans from the same source address - can I block IP automatically

Remo — Tue, 01 Aug 2017 08:24:55 GMT

Hi @LucaMarchiori

If you configure the PPS values not too aggressive there should be no drawback. Of course some packet based attack protections could sometimes be problematic for specific applications, but this unfortunately is something you simply have to test.

Regarding minemeld and the syslog miner: just type "minemeld syslog" to the search bar and you should find the informations you need to do this.

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Tue, 01 Aug 2017 16:42:46 GMT

Hi vsys_remo,

I've cloned syslogMiner node in MineMeld, and added (rigth after our Splunk server) the MMeld server to the syslog profile, port UDP 13514. It seems that the new node is not receiving any data. Also attempted creating a separate syslog server profile.

I've been following instructions contained in this doc:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262

Luca

Re: Multiple malicious scans from the same source address - can I block IP automatically

Remo — Tue, 01 Aug 2017 17:30:51 GMT

Hi @LucaMarchiori

This now more and more belongs into the minemeld forum;)

You also configured the local firewall (iptables) to allow this traffic and if needed edited the rsyslog.conf file?

Sounds like something similar as in this topic: https://live.paloaltonetworks.com/t5/MineMeld-Discussions/MineMeld-need-help-importing-and-processing-syslog-data/m-p/101312#M247

Re: Multiple malicious scans from the same source address - can I block IP automatically

LucaMarchiori — Tue, 01 Aug 2017 20:53:53 GMT

Hi vsys_remo,

I agree. I'll post this in the MineMeld forum, if needed. I'd like to thank you and BPry for your help thus far.

Luca

edit: the port was already opened on the ubuntu server, but it's using port TCP 13514, not UDP 13514. 🙂

TCP clearly shows in the doc I linked, I simply missed that.

Re: Multiple malicious scans from the same source address - can I block IP automatically

ash83 — Tue, 14 May 2019 16:36:43 GMT

@Remo could you please explain how the following can be implemented:

"In PAN-OS 8 you could tag attacking IPs based on specific filters (for example when a critical vulnerability was blocked or even one specific vulnerability). With this tag you are then able to create a dynamic addressgroup and use this group in your policy to drop connections from there completely. "

Thanks.

Re: Multiple malicious scans from the same source address - can I block IP automatically

ash83 — Wed, 15 May 2019 09:23:27 GMT

Anyone know how to tag attacking IPs based on specific filters (for example when a critical vulnerability was blocked or even one specific vulnerability). With this tag you are then able to create a dynamic addressgroup and use this group in your policy to drop connections from there completely.

Thanks,

Re: Multiple malicious scans from the same source address - can I block IP automatically

Remo — Wed, 15 May 2019 21:43:04 GMT

Hi @ash83

You need to start with a log forwarding profile, there you define a specific filter for the threatlogs (you either filter on the severity or on specific threat ID or something completely different). As action you then choose to tag the source or destination IP (depending on your filter) and assign a Tag to these IPs. After that you create a dynamic address group with the criteria the tag you created for that. From this point you can use the address group in your policy to block connections from or to these IPs.

Hope this helps.