Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

LucaMarchiori — Mon, 23 Oct 2017 17:18:12 GMT

Hi,

I have a couple of problems with MineMeld (on a VM from ova template).

1. I recently seem to have lost the ability to export a system backup (which was working until recently). In the log, I can see a bunch of "GET /jobs/status-backup/.....", but the actual download never starts.

[2017-10-23 16:12:19 UTC] [1971] [INFO] AUDIT - {"msg": null, "action": "POST /status/backup", "params": [["jsonbody", "{\"p\": \"password\"}"]], "user": "admin/luca.admin"}
[2017-10-23 16:12:19 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:19 +0000] "POST /status/backup?_=1508775151 HTTP/1.0" 200 55 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:19 UTC] [1971] [INFO] Executing job mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c - ['/usr/bin/7z', 'a', '-ppassword', '-y', '/tmp/mm-local-backupn9IHT9.zip', '/opt/minemeld/local/prototypes', '/opt/minemeld/local/config'] cwd: /tmp/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23cXTBsCU logfile: /opt/minemeld/log/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c.log
[2017-10-23 16:12:22 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:22 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:22 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775154 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:25 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:25 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:25 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775157 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:28 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:28 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:28 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775161 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:31 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:31 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:31 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775164 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:33 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
127.0.0.1 - - [23/Oct/2017:16:12:33 +0000] "GET /supervisor?_=1508775165 HTTP/1.0" 200 594 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:34 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5

If I try a manual back from SSH (ubuntu user), I get this (permission denied?):

ubuntu@minemeld:/tmp$ sudo service minemeld stop
 * Stopping: minemeld                                                                                                                                                                    minemeld-supervisord-listener: stopped
minemeld-traced: stopped
minemeld-engine: stopped
minemeld-web: stopped
                                                                                                                                                                                  [ OK ]
ubuntu@minemeld:/tmp$ tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/
tar: Removing leading `/' from member names
/opt/minemeld/local/config/
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/
/opt/minemeld/local/config/api/20-local.yml
/opt/minemeld/local/config/api/10-defaults.yml
tar: /opt/minemeld/local/config/api/50-api-users-attrs.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/wsgi.htpasswd
tar: /opt/minemeld/local/config/running-config.yml.1508772314: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml.1508771982: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml.copy: Cannot open: Permission denied
/opt/minemeld/local/config/traced/
/opt/minemeld/local/config/traced/traced.yml
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml: Cannot open: Permission denied
/opt/minemeld/local/prototypes/
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
ubuntu@minemeld:/tmp$

2. I setup a panos syslog miner. It's working great for log_subtype = flood, but not at all for subtype vulnerability. I cannot get any vulnerability events to generate a hit on the correspondent rule(s). Very similar flood rules are working perfectly. Example of a rule that is not working:

conditions:
  - type == 'THREAT'
  - log_subtype == 'vulnerability'
  - severity == 'critical'
  - src_zone == 'WAN'
  - dst_zone == 'DMZ'
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip

Example of a rule that is working:

conditions:
  - type == "THREAT"
  - log_subtype == "flood"
  - severity == "critical"
  - src_zone == "WAN"
  - dest_zone == "DMZ"
  - action == "drop"
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip

I tried making the log_subtype vulnerability rules more specific, for instance by adding a threat name:

threat_name == 'Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)'

or an action:

action == 'block-ip'

Nothing has worked so far. I can see the events in the THREAT log that match the rules conditions, but the rules are not picking those up. Any ideas?

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

LucaMarchiori — Wed, 25 Oct 2017 21:37:08 GMT

Anyone? The only difference I can think of between rule working / not working is that the flood rules hit a DoS policy, while the others just hit a security rule (allow) then dropped as critical vulnerabilites. Both type of events are logged in the same Panorama log profile.

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

lmori — Thu, 26 Oct 2017 14:14:06 GMT

Hi @LucaMarchiori,

1 - when you press EXPORT BACKUP after some seconds you should see a window like this one, please click on here to download the encrypted zip file

2 - have you tried simplifying the rule (just type and log_subtype) to see if it is matched ?

Thanks

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

LucaMarchiori — Thu, 26 Oct 2017 15:11:45 GMT

Hi @lmori

That "Download backup" windows just never appears. After clicking on the "Export Backup" button and typing the backup password, both the Export and Restore Backup buttons are grayed out, and stay like that until I click on a different tab and then back to System. I've waited over 10-15 minutes. I use Chrome (popup blocker is disabled for the site), but also tried Firefox.

As previously mentioned, manual backup fails as well.

I will try simplyfing the vulnerability rules to see if I'm getting anywhere with that.

Thanks,

Luca

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

lmori — Thu, 26 Oct 2017 15:38:16 GMT

Hi @LucaMarchiori,

the reason manual backup is failing is that you need to be minemeld user to access some of those files, please try:

sudo -u minemeld tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/

In the directory /opt/minemeld/log you should find the logs of the backup logs, could you check them to see if there is a clue about the cause of the failures ?

Thanks,

luigi

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

LucaMarchiori — Thu, 26 Oct 2017 21:21:47 GMT

Hi @lmori

Thanks for pointing me in the right direction. I think that the problem was I had manually created a copy of a config file. After deleting that file, export works just fine! A little (linux) knowledge... 🙂

Rule issue fixed as well... There was a typo (dst_zone) that got into some of the rules. "dest_zone" is the correct field.

Luca

topic Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11 in General Topics

Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11