We got a lot of external ressources, and we subissing a huge amount of flooding attacks. These attacks blocked by security policies, but as firewalls compute each packets using CPU our CPU's cluster reach 100% all day long. So we created a DoS protection policy. First we create Custom Report - which select top 25 source addresses from external which are allowed and session end reason due to aged-out. We collect these informations and export it using API to our InfluxDB. We put it on list and update ou external dynamic list using minemeld. (Scripts are avalaible) And we create a Dos Protection policy. We execute these scripts every 5minutes and we synchronize our EDL every 5minutes too. This script is currently used for a PanOS 8.1 (XML response content) #!/usr/bin/env python
# -*- coding: utf-8 -*-
# *************************************************************************
# **** Script Dos Protection PALOALTO ****
# **** Get IP Source which try to flood our network ****
# **** and put it on DoS protection rule through Minemeld ****
# *************************************************************************
# **** AMU - DOSI-Pôle réseau ****
# **** Contact: cyril.rimbault@univ-amu.fr ****
# *************************************************************************
import xml.etree.ElementTree as ET
import requests
import time
import json
from influxdb import InfluxDBClient
import dns.reversename
import dns.resolver
from dns.exception import DNSException
import subprocess
#############################
# Get API key from each FW
#############################
def GetApiKey(url,user,password, *args):
querystring = {"type":"keygen" , "user": user , "password":password}
header = {'Accept':"application/json"}
response = requests.request("GET", url , headers=header, params=querystring)
tree = ET.fromstring(response.content)
for child in tree.iter('result'):
for key in child:
key = key.text
# print key
return key
#############################
# Get report ID
#############################
def GetReportID(url,key,reportname, *args):
querystring = {"type":"report" , "async":"yes" , "reporttype":"custom" , "vsys":"vsys2" , "reportname": reportname , "key":key}
header = {'Accept':"application/json"}
response = requests.request("GET", url , headers=header, params=querystring)
tree = ET.fromstring(response.content)
for child in tree.iter('result'):
for job in child:
job = job.text
# print job
return job
#############################
# Get XML result
#############################
def GetResponse(url,key,job,report,aged, *args):
n=5
if aged==True:
n=20
file = "./tmp/data"
if url == "https://pa-5260-stj/api":
file = file + "-STJ"
else:
file = file + "-STC"
job = str(job)
cmd = "<show><report><id>"+job+"</id></report></show>"
querystring = {"type":"op","cmd":cmd , "key":key}
header = {'Accept':"application/json"}
time.sleep(n)
response = requests.request("GET", url , headers=header, params=querystring)
time.sleep(n)
data = open(file,"w")
data.write(response.content)
data.close()
return file
#############################
# Parsing and sending informations to InfluxDB
#############################
def Sendfile(url,report,file,aged, *args):
if url == "https://pa-5260-stj/api":
report = report + "-STJ"
else:
report = report + "-STC"
user = #InfluxDB User
pwd = #DB Password
client = InfluxDBClient(host = "YourDB", port=8086, username = user, password = pwd)
client.switch_database('PALOALTO')
arbre=ET.parse(file)
root=arbre.getroot()
tag = root.tag
dict = {}
for child in root.iter():
if child.tag == 'src':
src=child.text.strip()
#print src
if child.tag == 'resolved-src':
ressrc=child.text.strip()
if child.tag == 'sessions':
session = child.text.strip()
dict[src]=int(session)
if child.tag == 'repeatcnt':
count = child.text.strip()
dict[src]=int(count)
for src, value in sorted(dict.items(), key=lambda item:item[1], reverse= True ):
json_body = [ {
"measurement": report,
"tags": {
"src":src,
},
"fields": {
"count":dict[src]
#"resolve-name":ressrc
}
}
]
try:
client.write_points(json_body)
except Exception as e:
print e
# print ("SEND OK"+":"+report)
return report,aged
#############################
# Requesting source IP which is over thresold
#############################
def Querydb (dbname,aged, *args):
user = #InfluxDB User
pwd = #DB Password
client = InfluxDBClient(host = 'YourDB', port=8086, username = user, password = pwd)
client.switch_database('PALOALTO')
if aged == True:
query = "SELECT \"src\",\"count\" FROM \"" + dbname + "\" WHERE (\"count\" > 500 AND TIME >= now() - 15m)"
else:
query = "SELECT \"src\",\"count\" FROM \"" + dbname + "\" WHERE (\"count\" > 200 AND TIME >= now() - 15m)"
rs = client.query(query)
result = list(rs.get_points(measurement=dbname))
data = open("./tmp/IP2ban","a")
# print json.dumps(result, indent = 4)
for item in result:
data.write(item["src"])
data.write("\n")
data.close()
#############################
# Aggregate host IP to subnet
#############################
def AggregIP():
command = ["perl","./AgregRzo","./tmp/IP2ban","./tmp/listeAGGR"]
try:
process = subprocess.Popen(command,stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
process.communicate()
except Exception as e:
print ("Erreur script aggreg",e)
pass
def main():
url = #list your firewalls
user = #Api Username
password = #PassWordSECURE
reportname = #Create your custom report Monitor>Manage Custom Reports> Add
data = open("./tmp/IP2ban","w") # Temporary file
data.close()
aged = False
for site in url:
key = GetApiKey(site,user,password)
for report in reportname:
if report=="TOP_AGED-OUT":
aged = True
job = GetReportID(site,key,report)
file = GetResponse(site,key,job,report,aged)
name = Sendfile(site,report,file,aged)
Querydb(name[0],name[1])
AggregIP()
if __name__ == '__main__':
main()
... View more
