About SeanEngelbrecht

Updated to fix silly mistakes: <# Author: Sean Engelbrecht Version: 2017.02.02.0.3 Version History Version: 2017.02.02.0.3 Fix: Corrected logic flow on verifying the indicator Enhance: Error output will alert if ssl error was reason for failure. Version: 2017.01.04.0.2 Fix: Help Content Get-Help Add-Indicator -Full would not properly display information Fix: Variable Types Some variables were set to String Arrays, corrected not all string variables are type string Version: 2016.12.28.0.1 Original Code #> Function Add-Indicator { <# .SYNOPSIS Add indicators to MineMeld feeds utilized by Palo Alto Firewalls .DESCRIPTION This cmdlet can be utilized to add threat indicators to fields listed in minemeld ( A Palo Alto open source threat aggregation tool). Mandatory functions for this function include; Server, FeedList, IndicatorList, Type and Indicator. .PARAMETER Server This Parameter contains the ip-address or FQDN of the MineMeld server. Parameter has no Default Value .PARAMETER Indicator This Parameter contains the Indicator to be added to the MineMeld server. Parameter has no Default Value .PARAMETER Type This Parameter contains the type of indicator to be added to the the MineMeld server (IPv4 or URL). Parameter Default Value: URL .PARAMETER IndicatorList This Parameter contains the name of the input stream/list where the indicator should be added. Parameter Default Value: dvn_Malware_List .PARAMETER FeedList This Parameter contains the name of the output stream/list where the indicator should be added. Parameter Default Value: HC_URL_List .PARAMETER IncludeSubDomain If this parameter is present and the Type is URL an additional indicator will be added containing a wildcard token. .PARAMETER BypassSSLError If this parameter is present self-signed certificate errors will be bypassed. .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" This will add the url evil.com to the default list on minemeld server (192.168.1.1) .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" -IncludeSubDomain Will add the url's evil.com and *.evil.com to the default list on minemeld server (192.168.1.1) .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" -BypassSSLError This will add the url evil.com to the default list on minemeld server (192.168.1.1) and bypass and SSL certificate errors caused by self-signed SSL certs. .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "172.16.12.21" -Type IPv4 -FeedList "mm_dc_list" -IndicatorList "DC_IP_List" Will Add ip address 172.16.21.21 to mm_dc_list on minemeld server (192.168.1.1) #> [CmdletBinding()] Param( [parameter(Mandatory=$true, valueFromPipelineByPropertyName=$true, HelpMessage="IP-Address or FQDN of MineMeld Server:", Position=0)] [String] $Server, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Output stream of threat feed:", Position=3)] [String] $FeedList = "HC_URL_List", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Input stream to add threat indicator to:", Position=4)] [String] $IndicatorList = "dvn_Malware_List", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Indicator type[IPv4 or URL]:", Position=1)] [string] [validateSet("IPv4","URL")] $Type = "URL", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Indicator type[IPv4 or URL]:", Position=5)] [string] [validateSet("green","yellow","red")] $ShareLevel = "red", [parameter(Mandatory=$true, valueFromPipelineByPropertyName=$true, HelpMessage="Threat indicator to Add:", Position=2)] [String] $Indicator, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Bypass any SSL Errors:", Position=7)] [switch] $BypassSSLError, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Include wildcard character to for subdomains *.evil.com:", Position=6)] [switch] $IncludeSubDomain ) Begin { #Set Initial Variables and check for errors If ($BypassSSLError) { #if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type) #{ add-type @" using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; } } "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy #} } # Variabel used to the while loop needed to include a wildcard for subdomains $exitLoop = $false } Process { $url = "https://" + $Server + "/feeds/" + $FeedList Try { $Error.Clear() $stage = 1 # Retrieve the current feed list, this prevents duplicate entries. $currentList = Invoke-WebRequest $url -TimeoutSec 30 $stage = 2 #Credentials can be passed using basic authentication # * Simply base46 encode {username}:{password} and add that string to the headers # * Be sure to include the ':' between the strings $userPass = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($user):$($passwd)")) # Adding the Authentication string to the post request headers $Headers = @{ Authorization = 'Basic ' + $userPass } while ( -not $exitLoop) { # Check if indicator exists if ( -not $currentList.Content.Contains($Indicator) ) { # to add date and time to the comments field for each indicator $dateTime = get-date -format F $Comment = 'Indicator added with Powershell on ' + $dateTime # Array that will be converted to JSON format for POST request $indicatorArr = @{ indicator = "$Indicator" type = "$Type" share_level = "$ShareLevel" comment = "$Comment" } $requestBody = $indicatorArr | ConvertTo-Json $url = "https://" + $Server + "/config/data/" + $IndicatorList + "_indicators/append?h=" + $IndicatorList $Response = Invoke-RestMethod $url -Method Post -Body $requestBody -ContentType 'application/json' -Headers $Headers Write-out "The Following Indicator was added: $indicator" } else { Write-out "The Following Indicator was skipped, already in the list: $indicator" } if ( "$Type" -eq "URL" ) { # Process structure for URL Indicators if ( ($IncludeSubDomain -and $Indicator.Contains("*.") ) -or -not $IncludeSubDomain ) { # If the wildcard has been processed already, or there is no need to include sub-domains, exit the loop. $exitLoop = $true } else # Since sub-domains are to be included, loop back around and add additional indicator with wildcard token. { $Indicator = "*.$Indicator" $stage = 3 } } else # If the Indicator is an IPv4 type, simply exit the loop. { $exitLoop = $true } } } catch { switch ($stage) { 1 { if ( $Error.Item(0).toString().Contains("Could not establish trust relationship for the SSL" )) { throw "Error: Could not establish trust relationship for the SSL/TLS secure channel for '$url', Indicators cannot be added at this time." } else { throw "Error retrieving data from '$url', Indicators cannot be added at this time." } } 2 { throw "Error adding Indicator, ($Indicator) to $IndicatorList on $Server." } 3 { throw "Error adding Wildcard Indicator, ($Indicator) to $IndicatorList on $Server." } default {"Unknown Error... Thanks Obama!"} } } } end { #Print function status and cleanup Write-Verbose "Done" } } ... View more

FYI - Just wanted the dev's to be aware....   I too ran into an error last week with similar ui issues and system locking up.    Turned out to be self inflicted, I was playing around with the API adding indicators. Turns out there is little error checking on the JSON object being added and some objects were added to minemeld incorrectly formatted.   No errors were thrown but when I would view objects in the list (https://{minemeld-server}/#/nodes/{list_Name})  ... errors would occur and service restarts are the only way I could restore service.    I would also manually modify the files on the server (deleting the incorrectly formatted entry), this resolved all my problems ... or so I thought.   When I accessed the Logs (h ttps:// {minemeld-server} /#/logs, the errors came back. Turns out I had to delete the binary log object (I cannot remember the file extension), that contained any entries that included the incorrectly formatted entries. This completely fixed my troubles.   I am updating my Poweshell script to do some validation prior to commiting to minemeld   Not a very fun adventure... but that's why this is beta.   --Sean Engelbrecht ... View more

For those that are working in MS Windows shops here is something i worked up in powershell today. Please forgive me because I am not a coder so some logic could probably be improved and I am not complete with all error checking.   My original use case was to pull a list of all our Domain Controller IP's and add them to a EDL, for some obvious reasons to those on this this. Powershell made the most sense and I began going down that rabbit hole.   First was a powershell script to retrieve the DC: Get-ADDomainController -Filter * | foreach { if ($ip.Length -gt 7) { #Some block of code to add the IP address addIndicator($ip) } } That was simple enough ... The next part was  a little more complicated but non the less here is the function that actually adds the IP addresses:   $mineMeldHost = "https://{minemeldServer-FQDN-or-IP}" #indicatorOutput is the output/feed list name that the indicators should exist in $indicatorOutput = "Domain_Controller_List" $url = $mineMeldHost + "/feeds/" + $indicatorOutput $currentList = Invoke-WebRequest $url Function addIndicator ($indicator) { #Verify the IP address is not already included in the list if ( -not $currentList.Content.Contains($indicator) ) { $IndicatorList = "Domain_Controllers" #Credentials can be passed using basic authentication # * Simply base46 encode {username}:{password} and add that string to the headers # * Be sure to include the ':' between the strings # * $userPass = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($user):$($passwd)")) $userPass = "{Base64String}" # Adding the Authentication string to the post request headers $headers = @{ Authorization = 'Basic ' + $userPass } # to add date and time to the comments field for each indicator $dateTime = get-date -format F $comment = 'Indicator added with Powershell on ' + $dateTime $indicatorArr = @{ indicator = $indicator type = 'IPv4' share_level = 'red' comment = $comment } $json = $indicatorArr | ConvertTo-Json $url = $mineMeldHost + "/config/data/" + $IndicatorList + "_indicators/append?h=" + $IndicatorList $response = Invoke-RestMethod $url -Method Post -Body $json -ContentType 'application/json' -Headers $headers $response Write-Output "The Following Indicator was added: $indicator" } } I have since seen some potential to include this is some Incident Response Scenarios so started working on cleaning the code up and giving it some switches and options.    There are a few defaults that need to be changed, and the base64encoded username:password needs to be included .   <# Author: Sean Engelbrecht Version: 2016.12.29.0.1 Version History Version: 2016.12.29.0.1 Original Code #> Function Add-Indicator <# .Synopsis Add indicators to MineMeld feeds utilized by Palo Alto Firewalls .DESCRIPTION This cmdlet can be utilized to add threat indicators to fields listed in minemeld ( A Palo Alto open source threat aggregation tool). Mandatory functions for this function include; Server, FeedList, IndicatorList, Type and Indicator. .PARRAMETER Server This Parameter contains the ip-address or FQDN of the MineMeld server. Parameter has no Default Value .PARAMETER Indicator This Parameter contains the Indicator to be added to the MineMeld server. Parameter has no Default Value .PARAMETER Type This Parameter contains the type of indicator to be added to the the MineMeld server (IPv4 or URL). Parameter Default Value: URL .PARAMETER IndicatorList This Parameter contains the name of the input stream/list where the indicator should be added. Parameter Default Value: {name-of-your-input-stream} .PARAMETER FeedList This Parameter contains the name of the output stream/list where the indicator should be added. Parameter Default Value: {name-of-your-output-stream} .PARAMETER IncludeSubDomain If this parameter is present and the Type is URL an additional indicator will be added containing a wildcard token. .PARAMETER BypassSSLError If this parameter is present self-signed certificate errors will be bypassed. .PARAMETER ShareLevel This Parameter contains the share level of indicator to be added to the the MineMeld server. Parameter Default Value: red .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" This will add the url evil.com to the default list on minemeld server (192.168.1.1) .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" -IncludeSubDomain Will add the url's evil.com and *.evil.com to the default list on minemeld server (192.168.1.1) .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "evil.com" -BypassSSLError This will add the url evil.com to the default list on minemeld server (192.168.1.1) and bypass and SSL certificate errors caused by self-signed SSL certs. .EXAMPLE Add-Indicator -Server 192.168.1.10 -Indicator "172.16.12.21" -Type IPv4 -FeedList "mm_dc_list" -IndicatorList "DC_IP_List" Will Add ip address 172.16.21.21 to mm_dc_list on minemeld server (192.168.1.1) #> { [CmdletBinding()] Param( [parameter(Mandatory=$true, valueFromPipelineByPropertyName=$true, HelpMessage="IP-Address or FQDN of MineMeld Server:", Position=0)] [String[]] $Server, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Output stream of threat feed:", Position=3)] [String[]] $FeedList = "{name-of-your-output-stream}", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Input stream to add threat indicator to:", Position=4)] [String[]] $IndicatorList = "{name-of-your-input-stream}", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Indicator type[IPv4 or URL]:", Position=1)] [string] [validateSet("IPv4","URL")] $Type = "URL", [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Indicator type[IPv4 or URL]:", Position=5)] [string] [validateSet("green","yellow","red")] $ShareLevel = "red", [parameter(Mandatory=$true, valueFromPipelineByPropertyName=$true, HelpMessage="Threat indicator to Add:", Position=2)] [String[]] $Indicator, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Bypass any SSL Errors:", Position=7)] [switch] $BypassSSLError, [parameter(Mandatory=$false, valueFromPipelineByPropertyName=$true, HelpMessage="Include wildcard character to for subdomains *.evil.com:", Position=6)] [switch] $IncludeSubDomain ) Begin { #Set Initial Variables and check for errors If ($BypassSSLError) { if (-not ([System.Management.Automation.PSTypeName]'TrustAllCertsPolicy').Type) { add-type @" using System.Net; using System.Security.Cryptography.X509Certificates; public class TrustAllCertsPolicy : ICertificatePolicy { public bool CheckValidationResult( ServicePoint srvPoint, X509Certificate certificate, WebRequest request, int certificateProblem) { return true; } } "@ [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy } } $stage = 0 # Variable used to the while loop needed to include a wildcard for subdomains $exitLoop = $false } Process { $url = "https://" + $Server + "/feeds/" + $FeedList Try { $stage = 1 # Retrieve the current feed list, this prevents duplicate entries. $currentList = Invoke-WebRequest $url -TimeoutSec 30 $stage = 2 # Check if indicator exists if ( -not $currentList.Content.Contains($Indicator) ) { #Credentials can be passed using basic authentication # * Simply base46 encode {username}:{password} and add that string to the headers # * Be sure to include the ':' between the strings # * $userPass = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($user):$($passwd)")) $userPass = "{base64-of-your-username:password}" # Adding the Authentication string to the post request headers $Headers = @{ Authorization = 'Basic ' + $userPass } while ( -not $exitLoop) { # to add date and time to the comments field for each indicator $dateTime = get-date -format F $Comment = 'Indicator added with Powershell on ' + $dateTime # Array that will be converted to JSON format for POST request $indicatorArr = @{ indicator = "$Indicator" type = "$Type" share_level = "$ShareLevel" comment = "$Comment" } $requestBody = $indicatorArr | ConvertTo-Json $url = "https://" + $Server + "/config/data/" + $IndicatorList + "_indicators/append?h=" + $IndicatorList $Response = Invoke-RestMethod $url -Method Post -Body $requestBody -ContentType 'application/json' -Headers $Headers Write-Output "The Following Indicator was added: $indicator" if ( "$Type" -eq "URL" ) { # Process structure for URL Indicators if ( ($IncludeSubDomain -and $Indicator.Get(0).Contains("*.") ) -or -not $IncludeSubDomain ) { # If the wildcard has been processed already, or there is no need to include sub-domains, exit the loop. $exitLoop = $true } else # Since sub-domains are to be included, loop back around and add additional indicator with wildcard token. { $Indicator = "*.$Indicator" } } else # If the Indicator is an IPv4 type, simply exit the loop. { $exitLoop = $true } } } } catch { switch ($stage) { 1 { throw "Error retrieving data from '$url', Indicators cannot be added at this time." } 2 { throw "Error adding Indicator, ($Indicator) to $IndicatorList on $Server." } default {"Unknown Error..."} } } } end { #Print function status and cleanup Write-Host "Done" } } Feel free to use, update and modify as needed.   --Sean ... View more