This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

About KlausGroeger

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
KlausGroeger
‎07-23-2020
since ‎12-21-2014
L3 Networker
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎12-21-2014 11:52 AM
Date Last Visited ‎07-23-2020 03:40 PM
Posts 74
Total Likes Received 7

syslog (stdlib.syslogMiner) does not work for PAN-OS generated logs

by in General Topics
‎10-15-2019 12:02 PM
1 Kudo
‎10-15-2019 12:02 PM
1 Kudo
Hi community,   I installed a fresh ubuntu 16.04.6 and updated the installation to the newest packages. When I create the PAN-OS syslsog receiver as from "stdlib.syslogMiner" prototype, the miner does not receive anything.While doing a tcpdump capture on the inemeld device I can see syslog coming in to the rsyslogd via port 13514. PCAP shows the content I expect to see (syslog messages from PAN-OS). After investigating further I found in the local /var/log/syslog the following messages:   Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="971" x-info="http://www.rsyslog.com"] exiting on signal 15. Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="1755" x-info="http://www.rsyslog.com"] start Oct 15 16:35:17 minemeld systemd[1]: Stopping System Logging Service... Oct 15 16:35:17 minemeld systemd[1]: Stopped System Logging Service. Oct 15 16:35:17 minemeld rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ] Oct 15 16:35:17 minemeld systemd[1]: Starting System Logging Service... Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/pmpanngfw.so', dlopen: /usr/lib/rsyslog/pmpanngfw.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/mmnormalize.so', dlopen: /usr/lib/rsyslog/mmnormalize.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/omrabbitmq.so', dlopen: /usr/lib/rsyslog/omrabbitmq.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'mmnormalize' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ] Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ] Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'omrabbitmq' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ] Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 22: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 22 [v8.16.0 try http://www.rsyslog.com/e/2207 ] Oct 15 16:35:17 minemeld rsyslogd-2159: error: parser 'rsyslog.panngfw' unknown at this time (maybe defined too late in rsyslog.conf?) [v8.16.0 try http://www.rsyslog.com/e/2159 ] Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's groupid changed to 108 Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's userid changed to 104 Oct 15 16:35:17 minemeld rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ] Oct 15 16:35:17 minemeld rsyslogd-2007: action 'action 10' suspended, next retry is Tue Oct 15 16:35:47 2019 [v8.16.0 try http://www.rsyslog.com/e/2007 ]   When I take a look in directory /usr/lib/rsyslog/ I cannot find the modules that are complained about in syslog: root@minemeld:/var/log# ls -l /usr/lib/rsyslog/ total 640 -rw-r--r-- 1 root root 36960 Mar 25 2019 imfile.so -rw-r--r-- 1 root root 24320 Mar 25 2019 imjournal.so -rw-r--r-- 1 root root 19936 Mar 25 2019 imklog.so -rw-r--r-- 1 root root 15680 Mar 25 2019 imkmsg.so -rw-r--r-- 1 root root 11040 Mar 25 2019 immark.so -rw-r--r-- 1 root root 19856 Mar 25 2019 impstats.so -rw-r--r-- 1 root root 36992 Mar 25 2019 imptcp.so -rw-r--r-- 1 root root 20128 Mar 25 2019 imtcp.so -rw-r--r-- 1 root root 28624 Mar 25 2019 imudp.so -rw-r--r-- 1 root root 33072 Mar 25 2019 imuxsock.so -rw-r--r-- 1 root root 23648 Mar 25 2019 lmnet.so -rw-r--r-- 1 root root 20864 Mar 25 2019 lmnetstrms.so -rw-r--r-- 1 root root 25344 Mar 25 2019 lmnsd_ptcp.so -rw-r--r-- 1 root root 6304 Mar 25 2019 lmregexp.so -rw-r--r-- 1 root root 21088 Mar 25 2019 lmstrmsrv.so -rw-r--r-- 1 root root 10496 Mar 25 2019 lmtcpclt.so -rw-r--r-- 1 root root 33952 Mar 25 2019 lmtcpsrv.so -rw-r--r-- 1 root root 10432 Mar 25 2019 lmzlibw.so -rw-r--r-- 1 root root 14704 Mar 25 2019 mmanon.so -rw-r--r-- 1 root root 19040 Mar 25 2019 mmexternal.so -rw-r--r-- 1 root root 14832 Mar 25 2019 mmjsonparse.so -rw-r--r-- 1 root root 14688 Mar 25 2019 mmpstrucdata.so -rw-r--r-- 1 root root 14816 Mar 25 2019 mmsequence.so -rw-r--r-- 1 root root 10592 Mar 25 2019 mmutf8fix.so -rw-r--r-- 1 root root 10488 Mar 25 2019 omjournal.so -rw-r--r-- 1 root root 19584 Mar 25 2019 ommail.so -rw-r--r-- 1 root root 19056 Mar 25 2019 omprog.so -rw-r--r-- 1 root root 15200 Mar 25 2019 omuxsock.so -rw-r--r-- 1 root root 11176 Mar 25 2019 pmaixforwardedfrom.so -rw-r--r-- 1 root root 11168 Mar 25 2019 pmcisconames.so -rw-r--r-- 1 root root 11200 Mar 25 2019 pmlastmsg.so -rw-r--r-- 1 root root 11168 Mar 25 2019 pmsnare.so -rwxr-xr-x 1 root root 140 Mar 20 2019 rsyslog-rotate   So, there must be something wrong with the binary install. ... View more

Re: NTP setting in Expedition

by in Expedition Discussions
‎11-10-2018 09:57 AM
2 Kudos
‎11-10-2018 09:57 AM
2 Kudos
Just become root on your expedition server and install ntp and ntpdate:   apt-get install ntpdate apt-get install ntp   Go on with the above. ... View more

Re: NTP setting in Expedition

by in Expedition Discussions
‎11-10-2018 09:44 AM
‎11-10-2018 09:44 AM
SSH to Expedition and change the /etc/ntp.conf settings   ssh -l expedition <ip.of.your.server> sudo -s . (passwd: paloalto) nano /etc/ntp.conf comment out all lines starting with "pool ..." and insert  a "server statement:   # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for # more information. # pool 0.ubuntu.pool.ntp.org iburst # pool 1.ubuntu.pool.ntp.org iburst # pool 2.ubuntu.pool.ntp.org iburst # pool 3.ubuntu.pool.ntp.org iburst # Use Ubuntu's ntp server as a fallback. # pool ntp.ubuntu.com server 192.168.123.123   Restart NTP: service ntp restart or stop and run ntpdate and start again service ntp stop ntpdate 192.168.123.123 service ntp start     ... View more

Re: BP - Histroy of Changes/Progess

by in Expedition Discussions
‎10-31-2018 01:09 PM
‎10-31-2018 01:09 PM
Any way to support this FR (vote for it)? ... View more

Re: BPA Tool Not Running?

by in Expedition Discussions
‎10-29-2018 12:05 PM
‎10-29-2018 12:05 PM
Do you run a brand new install? Did you tried to upgrade to the latest version first? When I installed the image, the BPA did not run at all . - same outcome. After upgrade to latest version, it runs (with issues, but that's another thng).   Best, Klaus ... View more

BP - How does Remediate work?

by in Expedition Discussions
‎10-28-2018 05:21 AM
‎10-28-2018 05:21 AM
How does the Best Practice remediate function work? I cannot find any documentation. Do I have to select the specific option in the template first or will Expedition/BP remediate all the rd x-ed optioons without asking?   While using Remediate and chose "SAME Template" how can I update the Panorama/Device configuration? Where is the template stored and how to export it beack to the device/panorama? ... View more

BP - Histroy of Changes/Progess

by in Expedition Discussions
‎10-28-2018 05:11 AM
‎10-28-2018 05:11 AM
Is it possible to derive the progress of changes over time in Best Pratices? Of course I would like to see the changes over time like we can do in online BPA. ... View more

BP - Threat Practice

by in Expedition Discussions
‎10-28-2018 04:50 AM
‎10-28-2018 04:50 AM
Version: 1.0.107 BPA: 3.6.1   In BEST PRATICES under "Threat Practice" dropdowns are empty, nothing to chose from: ... View more

Re: Inconsistent BPA Results

by in Expedition Discussions
‎10-28-2018 04:32 AM
‎10-28-2018 04:32 AM
Have the same issue here. Running latest version 1.0.107 with BPA 3.6.1. All policies have tags red x-ed while only four out of 73 policies has no tag. ... View more

Re: What's new in MineMeld 0.9.30

by in General Topics
‎01-29-2017 07:36 AM
‎01-29-2017 07:36 AM
How is the API-Key configured in dag.pusher? Via WebUI one is only able to put in the user:passwd combo. ... View more

Re: How to Generate New MineMeld HTTPS Cert

by in General Articles
‎01-28-2017 02:41 PM
3 Kudos
‎01-28-2017 02:41 PM
3 Kudos
  Some of you might have a Lab-In-A-Box environment and/or want to use the local windows server for certificate maintenance like I do. Nearly all of my certs are certified by the windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others. While I want (and with Rome [8.0] I have) to use a trusted certificate with the nginx webserver (on the minemeld box), I want additional DNS entries and an IP address in the subject - for convenience and to fulfill some dependencies of Rome. Think about CNAME and "domain search". Don't you want to use "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and have a valid connection with a valid certificate?   I use to answer cert-requests via the web-GUI on my AD server (https://my-server.mydomain.local/certsrv). But setting up the server is a completely other beast!     Your Windows CA server (2012 in my case) has to support alternative DNS-entries. Prepare your Windows Authority to support certificates with alternative names:   On your Windows Domain and Certificate Server login as Administrator, open a cmd window and paste the following: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 Restart your Certificate Authority. In services restart "Active Directory Certificate Services”.   Now you have to create a Private Key and a Certificate Signing Request (CSR) on your minemeld box, then sign the request in your windows CA (via web-gui), copy the sigend certificate to your minemeld box, create a .pem file on the minemeld box and finally copy the .cer and .pem to the right location. I will go through it step by step (it's up to you transfering files to or from your minemeld server, but I recommend using 'scp' or other tools like putty, SecureCrt or others).   Create a Certificate Signing Request: Become root on your minemeld server after login as ubuntu: $ su - or $ sudo bash Create a private key: # openssl genrsa -aes256 -out minemeld.key 2048 - Enter your passphrase Create a CSR (certificate signing request) - of course you will replace the values with your own: # openssl req -new -key minemeld.key -sha256 -nodes -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' > minemeld.csr - Enter your pass phrase for the private key (minemeld.key) # cat minemeld.csr -----BEGIN CERTIFICATE REQUEST----- MIIC6zCCAdMCAQAwgaUxCzAJBgNVBAYTAkRFMQwwCgYDVQQIDANOUlcxEDAOBgNV BAcMB0hvZXh0ZXIxFjAUBgNVBAoMDUtsYXVzIFByaXZhdGUxEzARBgNVBAsMCkFk bWluIFRlYW0xJjAkBgNVBAMMHW1pbmVtZWxkLnNlcnZlcnMua2xhdXppLmxvY2Fs MSEwHwYJKoZIhvcNAQkBFhJhZG1pbkBrbGF1emkubG9jYWwwggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQCsY+cka1aODaNJIZ9ft4DcGUZCQXQjXdG9U+C2 pisXaXHdYHkdpmOSWqWmxIAlIIDjVITjvnviO/g7yEIaY6HR4EBdFKcZU7Tqh0Ze ojFoCiZVy+MQiXFfxhM1GhIeN4mIm1CxNig5aKkj5uitmyqtb/bMK1QDCxA5kUUG /PLV1okaMCB8hboV4q/4UrjO99OkFEdWGn7z1p+GJ5G7Tkpp2ml4Rw6ltT4iCmrZ 0nLFz7fGaFNz8fCZ4/NMVkiJxqaJfjrBtHnnpBXXpx5BYhBXOgUOGzIh/D9Dpfol BW1I3yfNuN1vwnSq+AfFgixf2mYdzTUHsCtMk++9v3kUKeCzAgMBAAGgADANBgkq hkiG9w0BAQsFAAOCAQEAZWkORNHiNu7rkQ/tJ6yvbsZ5f6lom360KuT1IgZoKgcq ibkumHeB/t4AWMSqMiAxELkPXVzmLcs1dPoUQp72iacCCRoE8Ch/XjXXF0bOM0Pg zn8CM1zAESuv7Iny7X/3gPcfBrPB1pJkn1VSa7Zxl0egQbCmLxbYqRcTxY9oJjjt mlB/u7iHPSP1Vpnr8wMOhOrRlJ2tKz9dDiMn1cxbz7CABmon/4Ocl+IDO1bb6x3B 9cYL7gty1WOe/hI9V/SIG1HDfqyFc31HPHcoUh+KzUoRGMuaCYHrqSAxTgre95XY NKjgCBKgaQIl5NT4UWVHup+wr0yH5Z4C0H13Go5geA== -----END CERTIFICATE REQUEST-----   You will have to copy the whole output of the "cat" command to paste it into the windows certificate signing request dialog.   Sign your CSR: Open your CA webgui: https://your-ad-server/certsrv, <click> on "Request a certificate", <click> on "advanced certificate request".  Paste your output from above in the edit box "Saved request", chose "Web Server" as template and edit "Attributes". The string in the "Attributes: edit window" has to be something like: san:parameter=value&parameter=value&parameter=value san:ipaddress=192.168.5.20&dns=192.168.5.20&dns=minemeld.klauzi.local&dns=minemeld   Submit and chose "(x) Base 64 encoded" in the next screen before "Download certificate". Save it as minemeld.cer"   Install your certificate on your minemeld box: Copy the file "minemeld.cer" to your minemeld box via "scp" (or other tool) to your ubuntu account:   $ scp minemeld.cer ubuntu@<ip.add.re.ss>:   On your minemeld box you should now have three minemeld.* files: - minemeld.key - minemeld.csr - minemeld.cer   Next steps are creating a .pem file and copy the files to the nginx config directory and restart the server:   Create .pem file: # openssl rsa -in minemeld.cer -in minemeld.key -out minemeld.pem - Enter your pass phrase Backup your files: # cp /etc/ngnix/minemeld.cer /etc/nginx/minemeld.cer.orig # cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig Copy the new files to "/etc/nginx/": # cp minemeld.pem minemeld.cer /etc/nginx/ Restart nginx server: # /etc/init.d/nginx restart That should make it!   ... View more

Re: how to add my own bulk IOCs into Minemeld

by in General Topics
‎01-28-2017 12:54 PM
2 Kudos
‎01-28-2017 12:54 PM
2 Kudos
Clone a new indicator list from prototype ' stdlib.listIPv4Generic'. For example name it My_BlackList. Create a new entry with the attributes you like. Login to your minemeld console via ssh. Have a look at your indicator list (be aware, the example is my list with my preferred attributes): $ head /opt/minemeld/local/config/BlackList_indicators.yml - {indicator: 60.190.98.50, share_level: red} - {indicator: 60.7.70.94, share_level: red} - {indicator: 91.148.217.244, share_level: red} - {indicator: 123.183.209.138, share_level: red} Create your indicator list in the same format (use awk or something like that). Just copy the resulting file over the existing one. The MineMeld engine takes care of the new updates immediately You may also just edit the indicator file wiht 'nano' or 'vi' an insert the indicators in correct format. Always use the same format. Do not try to create a entries with differnet attributes. (of course you can do it for exercise and find out what's happening)   Cheers! Klaus ... View more

Re: Updated Ubuntu now cannot login

by in General Topics
‎01-28-2017 12:19 PM
‎01-28-2017 12:19 PM
Hi, usually the update should not cange the username:password. But maybe the locals,keymap other was changed. Did you tred to login directly on the console or did you tried to login via ssh? You know in the default password for user ubuntu is a "z" - maybe you should try "y" instead? No other ideas here ... ... View more

Re: Syslog miner indicator

by in General Topics
‎01-03-2017 02:59 AM
‎01-03-2017 02:59 AM
I tried to use wildcards in threat_name but did not succeed. Even if threat_name contains a string the use of ':' (colon) is not allowed. So this one would not work:     - threat_name == 'SCAN: TCP Port Scan(8001)' We definitely need the ability to use wildcards but I fear YAML does not support it. ... View more

Re: Syslog miner indicator

by in General Topics
‎01-02-2017 02:26 PM
‎01-02-2017 02:26 PM
I am not sure if the matching rule-set supports regex, but I definitly want regex here and some more features to configure on syslog.Miner - eg. age_out: and other. If you want to test use a ".*" at the end of the string:  "HTTP SQL Injection Attempt.*"   I believe you already tried this, did you?   Best, Klaus ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎07-23-2020 03:40 PM
Likes Given To
View All
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks