Problem using URL-filterlists for PA

L1 Bithead

Hello,

I am very happy that I can create dynamic lists for use in the PA. So I use ransomwaretracker.RW_URLBL with stdlib-aggregatorURL as processor and stdlib.feedHCGreen as output to create a URL list. So I got a list like:

...
http://217.64.197.138/~rivista_ipi/4kkmkfz
http://237travellin.com/92nwao23
http://237travellin.com/telo70
...

I have tested it as described in:

 

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Videos/PAN-OS-7-1-URL-Filtering-Dynamic-Block-List-E...

But it does not work. It works only if the entries in the list do not have a leading "http://". That's OK, the sites can also have https, and for checking a URL it is not important. What's wrong? Have I made a mistake? Or is this an issue (MineMeld or Palo Alto?)?

Thanks for your efforts

L7 Applicator

Re: Problem using URL-filterlists for PA

Hi Bohem,

you should append "?v=panosurl" to the URL of the feed inside the EDL configuration. Something like:

https://<minemeld>/feeds/ransomwarefeed?v=panosurl

This will instruct MineMeld to convert URL indicators into PAN-OS EDL format.

Luigi
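
A pre-deployment check for the symptom discussed in this thread, as an added example that is not part of the original posts and is not MineMeld's own code: it flags feed entries that still carry a scheme prefix (a sign the EDL is pulling the plain feed instead of `?v=panosurl`) and returns the scheme-less, de-duplicated form. The function name and the sample entries are constructed, and stripping only the scheme is an assumption; the real `panosurl` conversion may do more.

```python
import re

# Constructed sample feed (documentation addresses and names, not real indicators).
SAMPLE_FEED = """\
http://198.51.100.7/~site/abc123
http://example.test/path-one
example.test/path-two
HTTPS://example.test/path-one
"""

# Any "<scheme>://" prefix, matched case-insensitively.
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def check_feed(text):
    """Return (clean, flagged).

    clean   -- entries with the scheme removed, de-duplicated, order preserved
    flagged -- (line_number, original_entry) for every entry that had a scheme
    """
    clean, flagged, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blanks and comment lines
        stripped = _SCHEME.sub("", entry)
        if stripped != entry:
            flagged.append((lineno, entry))
        if stripped and stripped not in seen:
            seen.add(stripped)
            clean.append(stripped)
    return clean, flagged


if __name__ == "__main__":
    clean, flagged = check_feed(SAMPLE_FEED)
    for lineno, entry in flagged:
        print(f"line {lineno}: scheme prefix present: {entry}")
    print("\n".join(clean))
```
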

L1 Bithead

Re: Problem using URL-filterlists for PA

Hi Luigi,

Great (and very fast) answer ;-) I really did search before I asked this question. ;-) OK. Now it works, and I will have a nice weekend. :-) Thank you very much.

Is there a list of options which can be used for formatting the lists?

Ralf

L7 Applicator

Re: Problem using URL-filterlists for PA

Hi Ralf,

there is not much documentation about the format. Currently (0.9.18) you can use the following values for the v parameter:

<no v parameter> - output format is just a plain text list of indicators

json - output in JSON

json-seq - output in JSON SEQ format (RFC7464)

panosurl - for URL indicators, formatted in PAN-OS EDL compatible format

Note that for json and json-seq to show attributes of the indicators, the output node should be based on prototypes feed*WithValue. Example: if you use feedHCGreen you are only able to see the indicators in the output. If instead you use feedHCGreenWithValue, you are also able to see all the attributes of each indicator.

Thanks,

luigi

L2 Linker

Re: Problem using URL-filterlists for PA

Luigi, thanks a lot, I need this too, you never fail to impress us. =)
