05-12-2016 09:22 PM
We have numerous PA firewalls that alert for vulnerabilities. I also have a product that scans for vulnerabilities in my network. The scanning device has CVE numbers in its events. The PA has PA's unique identifier in its event. Is there a way for me to pull in the CVE into the Pans threat event so I can correlate the PANs threat events to my existing vulnerability events based on CVE number?
05-13-2016 05:46 AM
Hello, Chuck, and good morning to you sir!
First, this appears to be a question better suited for the general discussion forum as it doesn't appear to pertain to custom signatures.
However, I would like to point out that if you click on a value populating the "NAME" column in the threat monitor, the metadata for that threat name should appear like so:
The CVE associated is part of this metadata. I don't believe a separate column can be created.
Respectfully,
rcole
05-13-2016 06:36 AM
Hi Chuck,
Welcome to our community.
You can issue "configuration mode" command, like below:
admin@Luciano-PA-VM# show predefined threats vulnerability [press ENTER, don't press tab or ?]
and you will get json output where you will have CVE description:
vulnerability {
35931 {
threatname "HP Data Protector OmniInet Opcode Buffer Overflow Vulnerability";
cve CVE-2011-1865;
category overflow;
severity high;
affected-host {
server yes;
}
default-action alert;
}
35933 {
threatname "HP Data Protector OmniInet Opcode 27 Buffer Overflow Vulnerability";
cve CVE-2011-1865;
category overflow;
severity high;
affected-host {
server yes;
}
default-action alert;
}
I think this is the only way to get something usable/useful, you could prolly run a script once a day (because you don't get updates more often) and just populate your fields what is the threat ID vs. the CVE.
Hope it helps, AFAIK this is the only (remotely) functional way to do it.
BR
Luciano
05-13-2016 08:29 AM
There is not currently a mechanism that I am aware of to see the CVE in the threat log of the PA Networks devices.
You might want to discuss this idea with your account team. They could tell you if a feature enhancement is in the system for this or not.
05-13-2016 11:18 AM
Just to let you know, because this was not related to the Custom Signatures, so I moved it to General Topics.
05-13-2016 04:26 PM
Try gonig to Vulmerbiliites profile and click on default profiel or any one and the open it and then click exception tab than check boxshow signatures box like below
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
