This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About LucaMarchiori
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About LucaMarchiori
57Posts
1Like
0Solutions
Last Visited
User
Activity
User
Profile
Latest posts by LucaMarchiori
| Subject | Views | Posted |
|---|---|---|
| 1838 | 01-15-2018 08:16 AM | |
| 6662 | 01-05-2018 07:44 AM | |
| 6675 | 01-02-2018 08:33 AM | |
| 7023 | 12-04-2017 11:48 AM | |
| 7174 | 11-09-2017 11:05 AM | |
| 7307 | 11-03-2017 08:48 AM | |
| 4670 | 10-26-2017 08:47 AM | |
| 4860 | 10-26-2017 08:11 AM | |
| 4884 | 10-25-2017 02:37 PM | |
| 4942 | 10-23-2017 10:10 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 10-26-2017 08:47 AM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 1 Like | |||
| 1 Like | |||
| 1 Like | |||
| 4 Likes | |||
| 3 Likes |
User Badges
Community Statistics
| Member Since | 08-05-2015 08:10 AM |
| Date Last Visited | |
| Posts | 57 |
| Total Likes Received | 1 |
01-15-2018
08:16 AM
Specifically for: 38407 (TLS Network Security Protocol Information Disclosure Vulnerability - ROBOT) 31127 ( Multiple CPUs Side-Channel Information Disclosure Vulnerability - Spectre - Meltdown) 30276 (Multiple CPUs Side-Channel Information Disclosure Vulnerability - Spectre - Meltdown) action is to 'alert' only. The last two vulns are severity 'critical'. Should we create exceptions and block these connections?
... View more
01-05-2018
07:44 AM
Hi @lmori
your solution worked for Heartbleed. For threats that have no such distinctive name, would you think it's possible to use directly the threat ID?
For instance:
- contains(threat_name, '(36397)') == true
... View more
01-02-2018
08:33 AM
Hi @lmori
Just as a side note, validation turned this:
- contains(threat_name, ' Heartbleed ') == true
into this:
- 'contains(threat_name, ''Heartbleed'') == true'
I'm giving it a try.
... View more
12-04-2017
11:48 AM
Hi @lmori
I was wondering if you had a chance to check on threat_name lenght issue. Any threats with longer names, for instance:
threat_name == "OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397)"
after yaml verification becomes:
- >- threat_name == "OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397)"
which does not seem to be working.
... View more
11-09-2017
11:05 AM
Hi @lmori
Thank you for your response. I'll test the syntax you have suggested as soon as I can. Do you happen to know if there is a lenght limit in place as well?
For instance, a somewhat longer threat name like:
threat_name == "LinkSys E-series Routers Remote Code Execution Vulnerability(36358)"
after validation invariably becomes:
- >-
threat_name == "LinkSys E-series Routers Remote Code Execution
Vulnerability(36358)"
which does not seem to work. Several spaces get automatically added between Execution and Vulnerability. If I shorten the threat name a few characters, it passes validation just fine. Initially I thought the "-" character was causing the problem, but may be the treat name is too long?
EDIT: your suggested syntax is working for FTP: login Brute Force attempt(40001).
... View more
11-03-2017
08:48 AM
Hi,
I have a rule for Panos syslog miner to block FTP brute force login attempt that is not working. I suspect this is because the threat_name has a colon in it, and is not being parsed properly. This is what my rule looks like:
conditions:
- type == "THREAT"
- log_subtype == "vulnerability"
- severity == "high"
- src_zone == "WAN"
- dest_zone == "DMZ"
- 'threat_name == "FTP'':'' login Brute Force attempt(40001)"'
fields:
- log_subtype
- threat_name
indicators:
- src_ip
I first needed to add extra quatation marks around the colon to pass the yaml validation, and after that more quotation marks are automatically added upon saving the rule. I've tried removing the threat_name line altogether, and replacing it with
signature_id == 40001
but that does not seem to be working either.
tldr: Anyone know what is the proper way to escape characters like ":" or "-" in MineMeld?
... View more
10-26-2017
08:47 AM
1 Kudo
Hi @lmori
Thanks for pointing me in the right direction. I think that the problem was I had manually created a copy of a config file. After deleting that file, export works just fine! A little (linux) knowledge... 🙂
Rule issue fixed as well... There was a typo (dst_zone) that got into some of the rules. "dest_zone" is the correct field.
Luca
... View more
10-26-2017
08:11 AM
Hi @lmori
That "Download backup" windows just never appears. After clicking on the "Export Backup" button and typing the backup password, both the Export and Restore Backup buttons are grayed out, and stay like that until I click on a different tab and then back to System. I've waited over 10-15 minutes. I use Chrome (popup blocker is disabled for the site), but also tried Firefox.
As previously mentioned, manual backup fails as well.
I will try simplyfing the vulnerability rules to see if I'm getting anywhere with that.
Thanks,
Luca
... View more
10-25-2017
02:37 PM
Anyone? The only difference I can think of between rule working / not working is that the flood rules hit a DoS policy, while the others just hit a security rule (allow) then dropped as critical vulnerabilites. Both type of events are logged in the same Panorama log profile.
... View more
10-23-2017
10:10 AM
Hi,
I have a couple of problems with MineMeld (on a VM from ova template).
1. I recently seem to have lost the ability to export a system backup (which was working until recently). In the log, I can see a bunch of "GET /jobs/status-backup/.....", but the actual download never starts.
[2017-10-23 16:12:19 UTC] [1971] [INFO] AUDIT - {"msg": null, "action": "POST /status/backup", "params": [["jsonbody", "{\"p\": \"password\"}"]], "user": "admin/luca.admin"}
[2017-10-23 16:12:19 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:19 +0000] "POST /status/backup?_=1508775151 HTTP/1.0" 200 55 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:19 UTC] [1971] [INFO] Executing job mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c - ['/usr/bin/7z', 'a', '-ppassword', '-y', '/tmp/mm-local-backupn9IHT9.zip', '/opt/minemeld/local/prototypes', '/opt/minemeld/local/config'] cwd: /tmp/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23cXTBsCU logfile: /opt/minemeld/log/mm-jobs-status-backup-e1db206f-a1e3-4988-898d-ca0f02c9e23c.log
[2017-10-23 16:12:22 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:22 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:22 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775154 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:25 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:25 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:25 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775157 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:28 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:28 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:28 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775161 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:31 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
[2017-10-23 16:12:31 UTC] [1971] [INFO] redis connection pool: in use: 0 available: 1
127.0.0.1 - - [23/Oct/2017:16:12:31 +0000] "GET /jobs/status-backup/e1db206f-a1e3-4988-898d-ca0f02c9e23c?_=1508775164 HTTP/1.0" 200 463 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:33 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
127.0.0.1 - - [23/Oct/2017:16:12:33 +0000] "GET /supervisor?_=1508775165 HTTP/1.0" 200 594 "https://10.0.50.65/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
[2017-10-23 16:12:34 UTC] [1971] [DEBUG] redis session connection pool: in use: 0 available: 5
If I try a manual back from SSH (ubuntu user), I get this (permission denied?):
ubuntu@minemeld:/tmp$ sudo service minemeld stop
* Stopping: minemeld minemeld-supervisord-listener: stopped
minemeld-traced: stopped
minemeld-engine: stopped
minemeld-web: stopped
[ OK ]
ubuntu@minemeld:/tmp$ tar -cvzf backup.tar.gz /opt/minemeld/local/config/ /opt/minemeld/local/prototypes/
tar: Removing leading `/' from member names
/opt/minemeld/local/config/
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/
/opt/minemeld/local/config/api/20-local.yml
/opt/minemeld/local/config/api/10-defaults.yml
tar: /opt/minemeld/local/config/api/50-api-users-attrs.yml: Cannot open: Permission denied
/opt/minemeld/local/config/api/wsgi.htpasswd
tar: /opt/minemeld/local/config/running-config.yml.1508772314: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/running-config.yml.1508771982: Cannot open: Permission denied
tar: /opt/minemeld/local/config/node-syslog-miner-local-30d_rules.yml: Cannot open: Permission denied
tar: /opt/minemeld/local/config/committed-config.yml.copy: Cannot open: Permission denied
/opt/minemeld/local/config/traced/
/opt/minemeld/local/config/traced/traced.yml
tar: /opt/minemeld/local/config/wlWhiteListIPv4_indicators.yml: Cannot open: Permission denied
/opt/minemeld/local/prototypes/
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml.copy: Cannot open: Permission denied
tar: /opt/minemeld/local/prototypes/minemeldlocal.yml: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
ubuntu@minemeld:/tmp$
2. I setup a panos syslog miner. It's working great for log_subtype = flood, but not at all for subtype vulnerability. I cannot get any vulnerability events to generate a hit on the correspondent rule(s). Very similar flood rules are working perfectly. Example of a rule that is not working:
conditions:
- type == 'THREAT'
- log_subtype == 'vulnerability'
- severity == 'critical'
- src_zone == 'WAN'
- dst_zone == 'DMZ'
fields:
- log_subtype
- threat_name
indicators:
- src_ip
Example of a rule that is working:
conditions:
- type == "THREAT"
- log_subtype == "flood"
- severity == "critical"
- src_zone == "WAN"
- dest_zone == "DMZ"
- action == "drop"
fields:
- log_subtype
- threat_name
indicators:
- src_ip
I tried making the log_subtype vulnerability rules more specific, for instance by adding a threat name:
threat_name == 'Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)'
or an action:
action == 'block-ip'
Nothing has worked so far. I can see the events in the THREAT log that match the rules conditions, but the rules are not picking those up. Any ideas?
... View more
10-16-2017
10:59 AM
@xhoms It looks as though deleting the sudden_death line did the trick, thanks.
Luca
... View more
10-13-2017
02:26 PM
@xhoms: Sorry I think I spoke too soon. I created a new local prototype with confidence 80, and added the section you provided. Everything worked, except records kept being aged out in a little over an hour (unless they are cought again by a rule in the meantime). So basically the age_out statemement was not being applied.
This is what the config file (/opt/minemeld/local/prototypes/minemeldlocal.yml) looked like:
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
stdlib_syslogMiner_local:
class: minemeld.ft.syslog.SyslogMiner
config:
attributes:
confidence: 80
share_level: green
config:
age_out:
default: first_seen+30d
interval: 3600
sudden_death: false
source_name: panos.syslog
description: 'Miner for PAN-OS syslog messages
'
development_status: EXPERIMENTAL
indicator_types:
- URL
- IPv4
- IPv6
node_type: miner
tags:
- ConfidenceHigh
I thought the problem was that I goofed out, and inserted an extra "config:" in the... config section, so I've tried editing out that extra "config:" line:
author: minemeld-web
description: Local prototype library managed via MineMeld WebUI
prototypes:
stdlib_syslogMiner_Local:
class: minemeld.ft.syslog.SyslogMiner
config:
age_out:
default: first_seen+30d
interval: 1800
sudden_death: false
attributes:
confidence: 80
share_level: green
source_name: panos.syslog
description: 'Miner for PAN-OS syslog messages
'
development_status: EXPERIMENTAL
indicator_types:
- URL
- IPv4
- IPv6
node_type: miner
tags:
- ConfidenceHigh
Unfortunately, with the edited minemeldlocal.yml (above), the Minemeld engine is not happy, and refuses to start. It just goes through a couple of starting / backup backoff cycles and then gives up. To summarize: config one everything works, except age_out (still one hour); config two MMeld engine does not start.
Before I started editing the config file, I looked for a way to change the local protoype from the WebUI, but could not find it. It's very possible I'm just having a senior moment, 🙂
Luca
... View more
10-13-2017
11:12 AM
@AndreasTrautmann: Got you. Definitely the SYSLOG.PROCESSED counter starts moving even with zero rules present on the node itself, so that's what needs fixing first (as you already pointed out).
... View more
10-13-2017
10:11 AM
@AndreasTrautmann: I'm quite new at this myself but yes, after you have syslog showing up in statistics > SYSLOG.PROCESSED, the next step is to create some rules.
I found this thread helpful:
https://live.paloaltonetworks.com/t5/MineMeld-Articles/Using-the-syslog-Miner/ta-p/77262
... View more
10-13-2017
09:28 AM
@xhoms: Thank you, that worked! Also changed the confidence level to 80.
... View more
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks