Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

L3 Networker

Hi,

I have a couple of problems with MineMeld (on a VM deployed from the OVA template).

1. I recently seem to have lost the ability to export a system backup (which was working until recently). In the log, I can see a bunch of "GET /jobs/status-backup/.....", but the actual download never starts.

[2017-10-23 16:12:19 UTC] [1971] [INFO] AUDIT - {"msg": null, "action": "POST /status/backup", "params": [["jsonbody", "{\"p\": \"password\"}"]], "user": "admin/luca.admin"}
[2017-10-23 16:12:19 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:19 +0000] "POST /status/backup?_=1508775151 HTTP/1.0" 200 55 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:19 UTC] [1971] [INFO] Executing job mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c - ['/usr/bin/7z', 'a', '-ppassword', '-y', '/tmp/mm-local-backupn9IHT9.zip', '/opt/minemeld/local/prototypes', '/opt/minemeld/local/config'] cwd: /tmp/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23cXTBsCU logfile: /opt/minemeld/log/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c.log
[2017-10-23 16:12:22 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:22 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:22 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775154 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:25 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:25 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:25 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775157 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:28 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:28 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:28 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775161 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:31 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:31 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:31 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775164 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:33 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
127.0.0.1 - - [23/Oct/2017:16:12:33 +0000] "GET /supervisor?_=1508775165 HTTP/1.0" 200 594 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:34 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5

 

If I try a manual backup from SSH (ubuntu user), I get this (permission denied?):

ubuntu@minemeld:/tmp$ sudo service minemeld stop
 * Stopping: minemeld
minemeld-supervisord-listener: stopped
minemeld-traced: stopped
minemeld-engine: stopped
minemeld-web: stopped
   [ OK ]
ubuntu@minemeld:/tmp$ tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/
tar: Removing leading `/' from member names
/opt/minemeld/local/config/
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/
/opt/minemeld/local/config/api/20-local.yml
/opt/minemeld/local/config/api/10-defaults.yml
tar: /opt/minemeld/local/config/api/50-api-users-attrs.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/wsgi.htpasswd
tar: /opt/minemeld/local/config/running-config.yml.1508772314: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml.1508771982: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml.copy: Cannot open: Permission denied
/opt/minemeld/local/config/traced/
/opt/minemeld/local/config/traced/traced.yml
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml: Cannot open: Permission denied
/opt/minemeld/local/prototypes/
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
ubuntu@minemeld:/tmp$

2. I set up a PAN-OS syslog miner. It's working great for log_subtype = flood, but not at all for subtype vulnerability. I cannot get any vulnerability events to generate a hit on the corresponding rule(s). Very similar flood rules are working perfectly. Example of a rule that is not working:

conditions:
  - type == 'THREAT'
  - log_subtype == 'vulnerability'
  - severity == 'critical'
  - src_zone == 'WAN'
  - dst_zone == 'DMZ'
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip

Example of a rule that is working:

conditions:
  - type == "THREAT"
  - log_subtype == "flood"
  - severity == "critical"
  - src_zone == "WAN"
  - dest_zone == "DMZ"
  - action == "drop"
fields:
  - log_subtype
  - threat_name
indicators:
  - src_ip

I tried making the log_subtype vulnerability rules more specific, for instance by adding a threat name:

threat_name == 'Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)'

or an action:

action == 'block-ip'

Nothing has worked so far. I can see the events in the THREAT log that match the rules' conditions, but the rules are not picking those up. Any ideas?

L3 Networker

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Anyone? The only difference I can think of between the working and non-working rules is that the flood rules hit a DoS policy, while the others just hit a security rule (allow) and are then dropped as critical vulnerabilities. Both types of events are logged in the same Panorama log profile.

L7 Applicator

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Hi @LucaMarchiori,

1 - when you press EXPORT BACKUP, after some seconds you should see a window like this one; please click there to download the encrypted zip file

MineMeld-backup.png

2 - have you tried simplifying the rule (just type and log_subtype) to see if it is matched?

Thanks

L3 Networker

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Hi @lmori,

That "Download backup" window just never appears. After clicking on the "Export Backup" button and typing the backup password, both the Export and Restore Backup buttons are grayed out, and stay like that until I click on a different tab and then back to System. I've waited over 10-15 minutes. I use Chrome (popup blocker is disabled for the site), but also tried Firefox.

As previously mentioned, manual backup fails as well.

I will try simplifying the vulnerability rules to see if I'm getting anywhere with that.

Thanks,

Luca

L7 Applicator

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Hi @LucaMarchiori,

the reason manual backup is failing is that you need to be the minemeld user to access some of those files; please try:

sudo -u minemeld tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/

In the directory /opt/minemeld/log you should find the backup logs; could you check them to see if there is a clue about the cause of the failures?

Thanks,

luigi

L3 Networker

Re: Couple of issues with MineMeld 0.9.42, PanOS 7.1.11

Hi @lmori,

Thanks for pointing me in the right direction. I think the problem was that I had manually created a copy of a config file. After deleting that file, export works just fine! A little (linux) knowledge... :)

 

Rule issue fixed as well... There was a typo (dst_zone) that got into some of the rules; "dest_zone" is the correct field.

Luca
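As an added illustration of the root cause found in this thread (not MineMeld's own matching code), here is a small evaluator for conditions written in the syntax the rules above use, run against a constructed PAN-OS THREAT event. The event, its field set and the IP value are assumptions; it shows that a condition on a field the event does not carry (`dst_zone`) can never match, while the corrected `dest_zone` condition does.

```python
import operator
import re

# Condition shape used by the rules above: <field> <op> <quoted literal>
_COND_RE = re.compile(r"""^\s*(\w+)\s*(==|!=)\s*(['"])(.*)\3\s*$""")
_OPS = {"==": operator.eq, "!=": operator.ne}

def parse_condition(cond):
    """Split "dest_zone == 'DMZ'" into ('dest_zone', operator.eq, 'DMZ')."""
    m = _COND_RE.match(cond)
    if not m:
        raise ValueError("unsupported condition: %r" % cond)
    field, op, _quote, literal = m.groups()
    return field, _OPS[op], literal

def rule_matches(rule, event):
    """Every condition must hold; a field the event lacks can never match."""
    for cond in rule["conditions"]:
        field, op, literal = parse_condition(cond)
        if field not in event or not op(event[field], literal):
            return False
    return True

def missing_fields(rule, event):
    """Fields referenced by the rule that the event does not carry (typo check)."""
    referenced = {parse_condition(c)[0] for c in rule["conditions"]}
    return sorted(referenced - set(event))

def extract_indicators(rule, event):
    """Indicator values the miner would emit for this event, if the rule matches."""
    if not rule_matches(rule, event):
        return []
    return [event[f] for f in rule["indicators"]]

# Constructed event, already parsed into the miner's field names (dest_zone,
# not dst_zone). Values are illustrative; the IP is from a documentation range.
EVENT = {
    "type": "THREAT", "log_subtype": "vulnerability", "severity": "critical",
    "src_zone": "WAN", "dest_zone": "DMZ", "action": "block-ip",
    "src_ip": "198.51.100.23",
    "threat_name": "Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)",
}
# The rule from the first post (dst_zone typo) and the corrected version.
BROKEN_RULE = {"conditions": ["type == 'THREAT'", "log_subtype == 'vulnerability'",
                              "severity == 'critical'", "src_zone == 'WAN'",
                              "dst_zone == 'DMZ'"], "indicators": ["src_ip"]}
FIXED_RULE = {"conditions": [c.replace("dst_zone", "dest_zone")
                             for c in BROKEN_RULE["conditions"]],
              "indicators": ["src_ip"]}
```

Running `missing_fields(rule, event)` against a sample event before deploying a rule catches this class of typo without waiting for matching events to arrive.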
