About rickyboone

I'm evaluating Expedition to assist with an internal project, and while reviewing the installation script, I noticed a couple massive red flags.   First, the root account is given a hard-coded, easy to guess password: 'paloalto'.  This is done for both the Linux host, as well as the MariaDB service.  Second, the SSH service is reconfigured to allow root to log in remotely using a password.  These changes occur starting on line 97 of the initSetup.sh script.   printTitleWait "Changing CLI root password to 'paloalto'" echo -e "paloalto\npaloalto" | passwd root printTitleWait "Installing SSHD service" sudo apt-get install -y openssh-server printTitle "Enabling ROOT ssh access" filePath=/etc/ssh/sshd_config lineToChange=$(grep -n "PermitRootLogin prohibit-password" $filePath | awk -F ':' '{print $1}') sed -i "${lineToChange}s/.*/ PermitRootLogin yes/" $filePath;   I've reviewed multiple versions of the admin guide, hardening guide, installation video, etc.  It is mentioned that it is very important to change the GUI admin account and expedition CLI user (for the older OVA build), but nothing appears to be said about the root account of the server.  I've also confirmed that the root account can indeed be logged into using this password via SSH, post installation.   What in Expedition requires the ability for root to be logged into with this password?  Can the CLI root account be changed, and SSH password-based login for root disabled? ... View more

This is a custom vulnerability signature I created based on what I was seeing come through to our users.  Usually, the malicious Office files with macros were in either the binary Office 2003 format or the newer Office 2007+ format.  What I was seeing were Office XML (2003 era) files.   Note, this signature includes a specific string match for Word (since that was the only sample I had at the time), however it should be pretty simple to adjust for other patterns (Excel, etc.).  I based the signature on the sample I had, plus a few resources online such as the following YARA rule:  https://github.com/Neo23x0/signature-base/blob/master/yara/crime_dridex_xml.yar   set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern "<\?xml version=" set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern '<\?mso\-application progid="Word\.Document"\?>' set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match pattern 'w:macrosPresent="yes"' set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 3" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match pattern "<w:binData w:name=" set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match context file-html-body set threats vulnerability 41000 signature standard "Office XML with Macros" and-condition "And Condition 4" or-condition "Or Condition 1" operator pattern-match negate no set threats vulnerability 41000 signature standard "Office XML with Macros" order-free no set threats vulnerability 41000 signature standard "Office XML with Macros" scope protocol-data-unit set threats vulnerability 41000 default-action reset-both set threats vulnerability 41000 threatname "Office XML with Macros" set threats vulnerability 41000 severity high set threats vulnerability 41000 direction both set threats vulnerability 41000 affected-host client yes set threats vulnerability 41000 affected-host server yes ... View more

So I had a crazy idea and started poking around at the XML API on my firewall.  I wanted to see if there was a generally efficient way to automate a query against PAN-DB.  Seems straightforward enought; either test/url-info-cloud or test/url-info-host (depending on whether I want to check the MP cache or against the cloud... though I'm not sure if there are limitations for the latter, such as what WildFire's API has).  I realize there's a public web interface for this check, but that's not what I'm looking for.  I'm trying to automate a process.   What I'm not sure about is the formatting of the response/output.  For example, submitting the following against url-info-cloud for google.com returns an interesting response:   <test><url-info-cloud>google.com</url-info-cloud></test> <response cmd="status" status="success"><result>BM: google.com,9,5,search-engines ... BM: ... </result></response> (I've limited the output intentionally... not sure about how sensitive PA is to this)   And querying the same against url-info-host:   <test><url-info-host>google.com</url-info-host></test> <response cmd="status" status="success"><result>Ancestors info: BM: google.com,1,5,search-engines,, Descendants info: wallet.google.com,1,5,financial-services,, ... </result></response>   I'm expecting some differences between url-info-cloud and url-info-host due to PAN-DB's design, but I'm not sure what the all of the output means, other than the obvious stuff.  Strings like "BM:" and ",9,5," in url-info-cloud don't appear to have any corresponding documentation to explain their meaning.  The same goes for "Anscestors info:", "Decendants info:", ",1,5,", and the ",," at the end of the individual result.   When parsing out this response, should these strings and values mean something? ... View more