Re: EmergingThreats.net

[Charlie Reitsma <reitsmac () DENISON EDU>]

Your processed list contains 10,689 lines. On a recent case with Palo Alto
I was told:
As i see in the case description that you were talking about address limits
on the firewall, i got the info for you. Here are the max limits for
PA-2050:

max-address: 10000
max-address-group: 1000
max-address-per-group: 500

The strength of the Palo Alto firewall is its
application/threat/vulnerability identification. So, I do block a few
hundred addresses but mostly depend on the ability to identify a threat and
block that.

As for updating addresses and groups in a running Palo Alto firewall you
might use their Pan Perl Package which can be downloaded from their support
DevCenter:
#read addresses from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address"
> addresses.xml

#read address groups from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address-group"
> groups.xml

These give you the addresses and address-groups in xml. For example:
  <entry name="verify1">
    <ip-netmask>114.207.244.143/32</ip-netmask>
  </entry>
  <entry name="verify2">
    <ip-netmask>114.207.244.144/32</ip-netmask>
  </entry>

  <entry name="block">
    <member>verify1</member>
    <member>verify2</member>
  </entry>

Change your script to add your addresses and groups in xml format. Then
write them back:

#write addresses to primary host
panxapi -t pa1 -e ./addresses.xml
"/config/devices/entry/vsys/entry[@name='vsys1']/address"

#write address groups to secondary host
panxapi -t pa1 -e ./groups.xml
"/config/devices/entry/vsys/entry[@name='vsys1']/address-group"

And commit the changes:
#commit changes on primary host
panxapi -t pa1 -C "<commit></commit>"

All I've ever done is read out the whole address list or group list, modify
it and write back the whole list again. I have not figured out how to
change just one group.

On Fri, Oct 5, 2012 at 1:50 PM, Di Fabio, Andrea <adifabio () nsu edu> wrote:

> I have had multiple requests for the script we have been using, so here it
> is for eveyone. If you improve on it, or see any issues with it (hopefully
> there are no issues since we have been using it for a few years J )
> please let me know … and yes, that long while-do line was a personal
> challenge that started small, l and grew to something I had to defeat J***
> *
>
> ** **
>
> wget --quiet --timeout=20 --no-cache
> --output-document=/var/log/security/EmergingThreats/FWrev
> http://rules.emergingthreats.net/fwrules/FWrev****
>
> # Compare new and old rev****
>
> if ! `cmp -s /var/log/security/EmergingThreats/FWrev
> /var/log/security/EmergingThreats/FWrev.old`; then echo "CHANGE"; else
> exit; fi****
>
> # get new list****
>
> wget --quiet --timeout=20 --no-cache
> --output-document=/var/log/security/EmergingThreats/emerging-Block-IPs.txt
> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt****
>
> # Filter the new list and remove our Nets and IPs for College use but
> hosted and possibly on the list****
>
> NSUNEWS=`nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " "
> -f 2`****
>
> FAIRDATA=`nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d
> " " -f 2`****
>
> cat /var/log/security/EmergingThreats/emerging-Block-IPs.txt | sed -e
> '/^[0-9]/!d' | sed -e 's/#.*//g' | sed -e '/^192\.168\./d' -e '/^172\.1[**
> **
>
> 6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[0-1]\./d' -e '/^10\./d' -e
> '/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' -e '/^199\.111\.12[****
>
> 0-7]\./d' -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' -e
> '/^204\.155\.19[0-1]\./d' -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" | sort | u***
> *
>
> niq > /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed**
> **
>
> # Print the Difference****
>
> diff
> /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old
> /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed****
>
> # Write some nice ACL****
>
> echo;echo; echo CISCO Command to execute; echo****
>
> echo object-group network Net_EmergingThreats****
>
> diff
> /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old
> /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed****
>
> |  while read line; do   if echo $line | grep "<" ; then   if echo $line |
> grep "/"; then  echo "no network-object" `echo $line | cut -d " "****
>
> -f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 |  cut -d
> "/" -f 2\`|grep "Netmask ="| cut -d " " -f4`;  else echo "no networ****
>
> k-object host" `echo $line | cut -d " " -f 2`;  fi;   fi;  if echo $line |
> grep ">" ; then   if echo $line | grep "/"; then  echo "network-obj****
>
> ect" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo
> $line | cut -d " " -f 2 |  cut -d "/" -f 2\`|grep "Netmask ="| cut -d "***
> *
>
> " -f4`;  else echo "network-object host" `echo $line | cut -d " " -f 2`;
> fi;   fi;  done | grep network-object****
>
> # Back up the old list****
>
> cp /var/log/security/EmergingThreats/FWrev
> /var/log/security/EmergingThreats/FWrev.old****
>
> cp /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed
> /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old****
>
> ** **
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Di Fabio, Andrea
> *Sent:* Thursday, October 04, 2012 10:53 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] EmergingThreats.net****
>
> ** **
>
> Experts,****
>
> ** **
>
> We have been using the following for many years now
> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on our
> border CISCO ASA firewalls with great success and little to no issues. A
> script pulls the new list, compares it with the old one and applies the
> delta.  We are currently switching to PaloAlto FWs and it appears that
> scripting/importing this large list may not be as easy as it was with the
> ASA. ****
>
> ** **
>
> Can those of you who use the ET list with PaloAlto give us some
> feedback/scripts/API on how you implemented it? We are also considering
> moving it to our border CISCO router either as an ACL or as a Null route,
> any feedback with the latter and/or scripts you may be using? My primary
> concern with using Null route is the fact that as far as I understand it,
> it can only block outbound traffic. The router ACL can accomplish blocking
> in/out, but my concern is with performance. What say you?****
>
> ** **
>
> ** **