Listing all of vulnerability or phone-home signature

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Listing all of vulnerability or phone-home signature

L2 Linker

I created a script that shows all vulnerability or phone-home signature with CSV format.

Python and some modules are required but you can run on Mac(Mountain Lion) without installing additional module.

This may help when you want to list default action/vendorID/CVE of vulnerability or default action of phone home.

example.

List all vulnerability signatures

$ python siglist.py -t vul 192.168.0.1

List all phone home signatures

$ python siglist.py -t ph 192.168.0.1

Please feel free to askl me know if you have any questions and requests.

Thanks,

Takahiro

3 REPLIES 3

L3 Networker

thanks.  I used a reporting template system to build something similar.

using PAN-python and PAN-ksteves and with the jsont/threats.jsont

template below you can do something like this:

$ panxapi.py -t pa-200 -rxg /config/predefined/threats|

>  panconf.py --config - --json|

>  panjsont.py --jt threats.jsont --json -

get: success

phone-home 10585 "CIA_1_22 Get password" data-theft high alert

phone-home 10313 "Ezula_Toptext Popup" adware low alert

phone-home 10328 "FeRAT_1" adware high alert

phone-home 10373 "Wintective_Keylogger" keylogger high alert

phone-home 10046 "Scar User-Agent Traffic" spyware medium alert

phone-home 10522 "SearchBossToolbar" adware low alert

phone-home 10223 "FunBuddyIcons View Fub Buddy icons" browser-hijack low alert

phone-home 10286 "Virtumonde info post" adware low alert

phone-home 10353 "Opwin_Trojan_1_1 connection and action commands:" adware high alert

phone-home 10766 "Hornet_1_0 fetch processes list" adware high alert

...

........................................................................

{# $Id: threats.jsont,v 1.1 2012/08/07 00:17:30 stevesk Exp $ }

{# use output from: $ panxapi -rxg /config/predefined/threats}

{.section threats}

  {.section phone-home}

    {.repeated section entry}

phone-home {name} "{threatname}" {category} {severity} {default-action}

    {.end}

  {.end}

  {.section scan}

    {.repeated section entry}

scan {id} "{name}" {severity}

    {.end}

  {.end}

  {.section vulnerability}

    {.repeated section entry}

vulnerability {name} "{threatname}" {category} {severity} {.default-action?}{default-action}{.or}_no-default-action_{.end}

    {.end}

  {.end}

{.end}

L2 Linker

I created version 2 of this program since I found "description" of threats provided in API as well.

Please note this program gets the descriptions one by one so will take around one hour, and CPU usage of management plane could be increased.

This is a special purpose program and I'd recommend to use PAN-python when you don't want to use/learn multiple programs.

Thanks,

Takahiro

L2 Linker

I made a small change. The description of threats contains comma so TAB is suitable for field separation instead of comma. Output of this script now uses TSV(Tab Separated Value).

  • 4035 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!