Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- LIVEcommunity
- ›
- About KlausGroeger
About KlausGroeger
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
07-23-2020
15Posts
5Likes
0Solutions
Jul 23, 2020Last Visited
User
Activity
User
Profile
Latest posts by KlausGroeger
| Subject | Views | Posted |
|---|---|---|
| 913 | 10-15-2019 12:02 PM | |
| 5193 | 11-10-2018 09:57 AM | |
| 5198 | 11-10-2018 09:44 AM | |
| 2300 | 10-31-2018 01:09 PM | |
| 2374 | 10-29-2018 12:05 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 | 10-15-2019 12:02 PM | |
| 2 | 11-10-2018 09:57 AM | |
| 2 | 01-28-2017 12:54 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 6 | |||
| 1 | |||
| 2 | |||
| 7 | |||
| 1 |
User Badges
Public Statistics
| Date Registered | 12-21-2014 11:52 AM |
| Date Last Visited | 07-23-2020 03:40 PM |
| Total Messages Posted | 74 |
| Total Likes Received | 5 |
10-15-2019
12:02 PM
1 Kudo
Hi community,
I installed a fresh ubuntu 16.04.6 and updated the installation to the newest packages. When I create the PAN-OS syslsog receiver as from "stdlib.syslogMiner" prototype, the miner does not receive anything.While doing a tcpdump capture on the inemeld device I can see syslog coming in to the rsyslogd via port 13514. PCAP shows the content I expect to see (syslog messages from PAN-OS). After investigating further I found in the local /var/log/syslog the following messages:
Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="971" x-info="http://www.rsyslog.com"] exiting on signal 15. Oct 15 16:35:17 minemeld rsyslogd: [origin software="rsyslogd" swVersion="8.16.0" x-pid="1755" x-info="http://www.rsyslog.com"] start Oct 15 16:35:17 minemeld systemd[1]: Stopping System Logging Service... Oct 15 16:35:17 minemeld systemd[1]: Stopped System Logging Service. Oct 15 16:35:17 minemeld rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ] Oct 15 16:35:17 minemeld systemd[1]: Starting System Logging Service... Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/pmpanngfw.so', dlopen: /usr/lib/rsyslog/pmpanngfw.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/mmnormalize.so', dlopen: /usr/lib/rsyslog/mmnormalize.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2066: could not load module '/usr/lib/rsyslog/omrabbitmq.so', dlopen: /usr/lib/rsyslog/omrabbitmq.so: cannot open shared object file: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2066 ] Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'mmnormalize' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ] Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 9: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 9 [v8.16.0 try http://www.rsyslog.com/e/2207 ] Oct 15 16:35:17 minemeld rsyslogd-2209: module name 'omrabbitmq' is unknown [v8.16.0 try http://www.rsyslog.com/e/2209 ] Oct 15 16:35:17 minemeld rsyslogd-2207: error during parsing file /etc/rsyslog.d/60-syslog-minemeld.conf, on or before line 22: errors occured in file '/etc/rsyslog.d/60-syslog-minemeld.conf' around line 22 [v8.16.0 try http://www.rsyslog.com/e/2207 ] Oct 15 16:35:17 minemeld rsyslogd-2159: error: parser 'rsyslog.panngfw' unknown at this time (maybe defined too late in rsyslog.conf?) [v8.16.0 try http://www.rsyslog.com/e/2159 ] Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's groupid changed to 108 Oct 15 16:35:17 minemeld rsyslogd: rsyslogd's userid changed to 104 Oct 15 16:35:17 minemeld rsyslogd-2039: Could not open output pipe '/dev/xconsole':: No such file or directory [v8.16.0 try http://www.rsyslog.com/e/2039 ] Oct 15 16:35:17 minemeld rsyslogd-2007: action 'action 10' suspended, next retry is Tue Oct 15 16:35:47 2019 [v8.16.0 try http://www.rsyslog.com/e/2007 ]
When I take a look in directory /usr/lib/rsyslog/ I cannot find the modules that are complained about in syslog:
root@minemeld:/var/log# ls -l /usr/lib/rsyslog/ total 640 -rw-r--r-- 1 root root 36960 Mar 25 2019 imfile.so -rw-r--r-- 1 root root 24320 Mar 25 2019 imjournal.so -rw-r--r-- 1 root root 19936 Mar 25 2019 imklog.so -rw-r--r-- 1 root root 15680 Mar 25 2019 imkmsg.so -rw-r--r-- 1 root root 11040 Mar 25 2019 immark.so -rw-r--r-- 1 root root 19856 Mar 25 2019 impstats.so -rw-r--r-- 1 root root 36992 Mar 25 2019 imptcp.so -rw-r--r-- 1 root root 20128 Mar 25 2019 imtcp.so -rw-r--r-- 1 root root 28624 Mar 25 2019 imudp.so -rw-r--r-- 1 root root 33072 Mar 25 2019 imuxsock.so -rw-r--r-- 1 root root 23648 Mar 25 2019 lmnet.so -rw-r--r-- 1 root root 20864 Mar 25 2019 lmnetstrms.so -rw-r--r-- 1 root root 25344 Mar 25 2019 lmnsd_ptcp.so -rw-r--r-- 1 root root 6304 Mar 25 2019 lmregexp.so -rw-r--r-- 1 root root 21088 Mar 25 2019 lmstrmsrv.so -rw-r--r-- 1 root root 10496 Mar 25 2019 lmtcpclt.so -rw-r--r-- 1 root root 33952 Mar 25 2019 lmtcpsrv.so -rw-r--r-- 1 root root 10432 Mar 25 2019 lmzlibw.so -rw-r--r-- 1 root root 14704 Mar 25 2019 mmanon.so -rw-r--r-- 1 root root 19040 Mar 25 2019 mmexternal.so -rw-r--r-- 1 root root 14832 Mar 25 2019 mmjsonparse.so -rw-r--r-- 1 root root 14688 Mar 25 2019 mmpstrucdata.so -rw-r--r-- 1 root root 14816 Mar 25 2019 mmsequence.so -rw-r--r-- 1 root root 10592 Mar 25 2019 mmutf8fix.so -rw-r--r-- 1 root root 10488 Mar 25 2019 omjournal.so -rw-r--r-- 1 root root 19584 Mar 25 2019 ommail.so -rw-r--r-- 1 root root 19056 Mar 25 2019 omprog.so -rw-r--r-- 1 root root 15200 Mar 25 2019 omuxsock.so -rw-r--r-- 1 root root 11176 Mar 25 2019 pmaixforwardedfrom.so -rw-r--r-- 1 root root 11168 Mar 25 2019 pmcisconames.so -rw-r--r-- 1 root root 11200 Mar 25 2019 pmlastmsg.so -rw-r--r-- 1 root root 11168 Mar 25 2019 pmsnare.so -rwxr-xr-x 1 root root 140 Mar 20 2019 rsyslog-rotate
So, there must be something wrong with the binary install.
... View more
11-10-2018
09:57 AM
2 Kudos
Just become root on your expedition server and install ntp and ntpdate:
apt-get install ntpdate
apt-get install ntp
Go on with the above.
... View more
- Tags:
- Expedition
- ntp
- ubuntu
11-10-2018
09:44 AM
SSH to Expedition and change the /etc/ntp.conf settings
ssh -l expedition <ip.of.your.server>
sudo -s . (passwd: paloalto)
nano /etc/ntp.conf
comment out all lines starting with "pool ..." and insert a "server statement:
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for # more information. # pool 0.ubuntu.pool.ntp.org iburst # pool 1.ubuntu.pool.ntp.org iburst # pool 2.ubuntu.pool.ntp.org iburst # pool 3.ubuntu.pool.ntp.org iburst
# Use Ubuntu's ntp server as a fallback. # pool ntp.ubuntu.com
server 192.168.123.123
Restart NTP: service ntp restart
or stop and run ntpdate and start again
service ntp stop
ntpdate 192.168.123.123
service ntp start
... View more
10-29-2018
12:05 PM
Do you run a brand new install? Did you tried to upgrade to the latest version first? When I installed the image, the BPA did not run at all . - same outcome. After upgrade to latest version, it runs (with issues, but that's another thng).
Best, Klaus
... View more
10-28-2018
05:21 AM
How does the Best Practice remediate function work? I cannot find any documentation. Do I have to select the specific option in the template first or will Expedition/BP remediate all the rd x-ed optioons without asking?
While using Remediate and chose "SAME Template" how can I update the Panorama/Device configuration? Where is the template stored and how to export it beack to the device/panorama?
... View more
10-28-2018
05:11 AM
Is it possible to derive the progress of changes over time in Best Pratices? Of course I would like to see the changes over time like we can do in online BPA.
... View more
10-28-2018
04:50 AM
Version: 1.0.107
BPA: 3.6.1
In BEST PRATICES under "Threat Practice" dropdowns are empty, nothing to chose from:
... View more
10-28-2018
04:32 AM
Have the same issue here. Running latest version 1.0.107 with BPA 3.6.1. All policies have tags red x-ed while only four out of 73 policies has no tag.
... View more
- Tags:
- .
01-29-2017
07:36 AM
How is the API-Key configured in dag.pusher? Via WebUI one is only able to put in the user:passwd combo.
... View more
01-28-2017
02:41 PM
1 Kudo
Some of you might have a Lab-In-A-Box environment and/or want to use the local windows server for certificate maintenance like I do. Nearly all of my certs are certified by the windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others.
While I want (and with Rome [8.0] I have) to use a trusted certificate with the nginx webserver (on the minemeld box), I want additional DNS entries and an IP address in the subject - for convenience and to fulfill some dependencies of Rome. Think about CNAME and "domain search". Don't you want to use "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and have a valid connection with a valid certificate?
I use to answer cert-requests via the web-GUI on my AD server (https://my-server.mydomain.local/certsrv). But setting up the server is a completely other beast!
Your Windows CA server (2012 in my case) has to support alternative DNS-entries. Prepare your Windows Authority to support certificates with alternative names:
On your Windows Domain and Certificate Server login as Administrator, open a cmd window and paste the following:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart your Certificate Authority. In services restart "Active Directory Certificate Services”.
Now you have to create a Private Key and a Certificate Signing Request (CSR) on your minemeld box, then sign the request in your windows CA (via web-gui), copy the sigend certificate to your minemeld box, create a .pem file on the minemeld box and finally copy the .cer and .pem to the right location. I will go through it step by step (it's up to you transfering files to or from your minemeld server, but I recommend using 'scp' or other tools like putty, SecureCrt or others).
Create a Certificate Signing Request:
Become root on your minemeld server after login as ubuntu:
$ su - or
$ sudo bash
Create a private key:
# openssl genrsa -aes256 -out minemeld.key 2048
- Enter your passphrase
Create a CSR (certificate signing request) - of course you will replace the values with your own:
# openssl req -new -key minemeld.key -sha256 -nodes -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' > minemeld.csr
- Enter your pass phrase for the private key (minemeld.key)
# cat minemeld.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC6zCCAdMCAQAwgaUxCzAJBgNVBAYTAkRFMQwwCgYDVQQIDANOUlcxEDAOBgNV
BAcMB0hvZXh0ZXIxFjAUBgNVBAoMDUtsYXVzIFByaXZhdGUxEzARBgNVBAsMCkFk
bWluIFRlYW0xJjAkBgNVBAMMHW1pbmVtZWxkLnNlcnZlcnMua2xhdXppLmxvY2Fs
MSEwHwYJKoZIhvcNAQkBFhJhZG1pbkBrbGF1emkubG9jYWwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCsY+cka1aODaNJIZ9ft4DcGUZCQXQjXdG9U+C2
pisXaXHdYHkdpmOSWqWmxIAlIIDjVITjvnviO/g7yEIaY6HR4EBdFKcZU7Tqh0Ze
ojFoCiZVy+MQiXFfxhM1GhIeN4mIm1CxNig5aKkj5uitmyqtb/bMK1QDCxA5kUUG
/PLV1okaMCB8hboV4q/4UrjO99OkFEdWGn7z1p+GJ5G7Tkpp2ml4Rw6ltT4iCmrZ
0nLFz7fGaFNz8fCZ4/NMVkiJxqaJfjrBtHnnpBXXpx5BYhBXOgUOGzIh/D9Dpfol
BW1I3yfNuN1vwnSq+AfFgixf2mYdzTUHsCtMk++9v3kUKeCzAgMBAAGgADANBgkq
hkiG9w0BAQsFAAOCAQEAZWkORNHiNu7rkQ/tJ6yvbsZ5f6lom360KuT1IgZoKgcq
ibkumHeB/t4AWMSqMiAxELkPXVzmLcs1dPoUQp72iacCCRoE8Ch/XjXXF0bOM0Pg
zn8CM1zAESuv7Iny7X/3gPcfBrPB1pJkn1VSa7Zxl0egQbCmLxbYqRcTxY9oJjjt
mlB/u7iHPSP1Vpnr8wMOhOrRlJ2tKz9dDiMn1cxbz7CABmon/4Ocl+IDO1bb6x3B
9cYL7gty1WOe/hI9V/SIG1HDfqyFc31HPHcoUh+KzUoRGMuaCYHrqSAxTgre95XY
NKjgCBKgaQIl5NT4UWVHup+wr0yH5Z4C0H13Go5geA==
-----END CERTIFICATE REQUEST-----
You will have to copy the whole output of the "cat" command to paste it into the windows certificate signing request dialog.
Sign your CSR:
Open your CA webgui: https://your-ad-server/certsrv, <click> on "Request a certificate", <click> on "advanced certificate request".
Paste your output from above in the edit box "Saved request", chose "Web Server" as template and edit "Attributes". The string in the "Attributes: edit window" has to be something like: san:parameter=value¶meter=value¶meter=value
san:ipaddress=192.168.5.20&dns=192.168.5.20&dns=minemeld.klauzi.local&dns=minemeld
Submit and chose "(x) Base 64 encoded" in the next screen before "Download certificate". Save it as minemeld.cer"
Install your certificate on your minemeld box:
Copy the file "minemeld.cer" to your minemeld box via "scp" (or other tool) to your ubuntu account:
$ scp minemeld.cer ubuntu@<ip.add.re.ss>:
On your minemeld box you should now have three minemeld.* files:
- minemeld.key
- minemeld.csr
- minemeld.cer
Next steps are creating a .pem file and copy the files to the nginx config directory and restart the server:
Create .pem file: # openssl rsa -in minemeld.cer -in minemeld.key -out minemeld.pem
- Enter your pass phrase
Backup your files: # cp /etc/ngnix/minemeld.cer /etc/nginx/minemeld.cer.orig # cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig
Copy the new files to "/etc/nginx/":
# cp minemeld.pem minemeld.cer /etc/nginx/
Restart nginx server:
# /etc/init.d/nginx restart
That should make it!
... View more
01-28-2017
12:54 PM
2 Kudos
Clone a new indicator list from prototype ' stdlib.listIPv4Generic'. For example name it My_BlackList.
Create a new entry with the attributes you like.
Login to your minemeld console via ssh.
Have a look at your indicator list (be aware, the example is my list with my preferred attributes):
$ head /opt/minemeld/local/config/BlackList_indicators.yml
- {indicator: 60.190.98.50, share_level: red}
- {indicator: 60.7.70.94, share_level: red}
- {indicator: 91.148.217.244, share_level: red}
- {indicator: 123.183.209.138, share_level: red}
Create your indicator list in the same format (use awk or something like that).
Just copy the resulting file over the existing one. The MineMeld engine takes care of the new updates immediately
You may also just edit the indicator file wiht 'nano' or 'vi' an insert the indicators in correct format.
Always use the same format. Do not try to create a entries with differnet attributes. (of course you can do it for exercise and find out what's happening)
Cheers!
Klaus
... View more
01-28-2017
12:19 PM
Hi,
usually the update should not cange the username:password. But maybe the locals,keymap other was changed. Did you tred to login directly on the console or did you tried to login via ssh?
You know in the default password for user ubuntu is a "z" - maybe you should try "y" instead?
No other ideas here ...
... View more
01-03-2017
02:59 AM
I tried to use wildcards in threat_name but did not succeed. Even if threat_name contains a string the use of ':' (colon) is not allowed. So this one would not work:
- threat_name == 'SCAN: TCP Port Scan(8001)'
We definitely need the ability to use wildcards but I fear YAML does not support it.
... View more
01-02-2017
02:26 PM
I am not sure if the matching rule-set supports regex, but I definitly want regex here and some more features to configure on syslog.Miner - eg. age_out: and other.
If you want to test use a ".*" at the end of the string:
"HTTP SQL Injection Attempt.*"
I believe you already tried this, did you?
Best, Klaus
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-23-2020
03:40 PM
|
Latest Blogs
Latest Posts
Copyright 2007 - 2021 - Palo Alto Networks
