Educause Security Discussion mailing list archives

Re: EmergingThreats.net


From: Will Froning <will.froning () GMAIL COM>
Date: Tue, 6 Nov 2012 13:52:21 +0400

Hello All,

Just to follow-up on this thread, PAN-OS 5.0 was just released (not yet
announced though). The Admin guide has a new object type, "Dynamic Block
Lists."

=====Admin Guide 5.0=====
Use the Dynamic Block Lists page to create an address object based on an
imported list of IP addresses. The source of the list must be a text
file and must be located on a web server. You can set the Repeat option
to automatically update the list on the device hourly, daily, weekly, or
monthly. After creating a dynamic block list object, you can then use
the address object in the source and destination fields for security
policies. Each imported list can contain up to 5,000 IP addresses (IPv4
and/or IPv6), IP ranges, or subnets.
The list must contain one IP address, range, or subnet per line, for
example:
“192.168.80.150/32” indicates one address, and “192.168.80.0/24”
indicates all addresses from 192.168.80.0 through 192.168.80.255.
Example:
“2001:db8:123:1::1” or “2001:db8:123:1::/64”
=========================

I haven't installed 5.0 on my lab machines, so I don't know if the
max-address limit still applies considering this can support 5000 lines
per object. We would still have to cut the emergingthreats file into 3,
but it at least seems possible now.

Also NAT64 is supported on 5.0, woohoo.

Thanks,
Will
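Added example, not part of Will's post or of any Palo Alto tooling: a small Python helper that turns an emerging-Block-IPs.txt-style feed into the one-entry-per-line form the Dynamic Block Lists page accepts and cuts it into files of at most 5,000 lines, one per list object. The feed text and the excluded local prefixes are constructed/assumed values.

```python
import ipaddress

# Constructed sample in the style of emerging-Block-IPs.txt (not the real feed).
SAMPLE_FEED = """\
# Emerging Threats block list (constructed sample)
# Rev 1234
1.2.3.4
1.2.3.4
5.6.7.0/24 # comment after entry
192.168.80.150
2001:db8:123:1::/64
not-an-address
10.0.0.7
"""

# Assumed local prefixes that must never end up in the block list
# (the posted script strips RFC 1918 space and the college's own nets).
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Per-object limit stated in the PAN-OS 5.0 admin guide excerpt above.
DBL_MAX_LINES = 5000


def parse_feed(text):
    """Return unique, validated networks in feed order; comments, junk and local nets are dropped."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # host -> /32 or /128
        except ValueError:
            continue                                 # malformed line: never push it to the firewall
        if any(net.version == ln.version and net.subnet_of(ln) for ln in LOCAL_NETS):
            continue
        if net not in seen:
            seen.add(net)
            out.append(net)
    return out


def to_dbl_chunks(nets, limit=DBL_MAX_LINES):
    """Split the cleaned entries into lists of <= limit lines, one per Dynamic Block List object."""
    lines = [str(n) for n in nets]
    return [lines[i:i + limit] for i in range(0, len(lines), limit)]
```

Each chunk is written as its own text file on the web server the firewall polls; with the ~10,700-line processed list mentioned later in the thread that yields three objects.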

Charlie Reitsma wrote:
Your processed list contains 10,689 lines. On a recent case with Palo
Alto I was told:
As I see in the case description that you were talking about address
limits on the firewall, I got the info for you. Here are the max limits
for PA-2050:

max-address: 10000
max-address-group: 1000
max-address-per-group: 500

The strength of the Palo Alto firewall is its
application/threat/vulnerability identification. So, I do block a few
hundred addresses but mostly depend on the ability to identify a threat
and block that.

As for updating addresses and groups in a running Palo Alto firewall you
might use their Pan Perl Package which can be downloaded from their
support DevCenter:
#read addresses from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address" >addresses.xml

#read address groups from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address-group" >groups.xml

These give you the addresses and address-groups in xml. For example:
  <entry name="verify1">
    <ip-netmask>114.207.244.143/32</ip-netmask>
  </entry>
  <entry name="verify2">
    <ip-netmask>114.207.244.144/32</ip-netmask>
  </entry>

  <entry name="block">
    <member>verify1</member>
    <member>verify2</member>
  </entry>

Change your script to add your addresses and groups in xml format. Then
write them back:

#write addresses to primary host
panxapi -t pa1 -e ./addresses.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address"

#write address groups to secondary host
panxapi -t pa1 -e ./groups.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address-group"

And commit the changes:
#commit changes on primary host
panxapi -t pa1 -C "<commit></commit>"

All I've ever done is read out the whole address list or group list,
modify it and write back the whole list again. I have not figured out
how to change just one group.
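Added example, not part of Charlie's post and not Palo Alto's Perl package: Python that generates the address and address-group XML in the shape shown above for a list of IPs, splitting members across groups so no group exceeds the 500-entry limit quoted for the PA-2050. The entry and group naming scheme (et1..., block1...) and the wrapping `<address>`/`<address-group>` elements are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Limits quoted by Palo Alto support for the PA-2050 earlier in the thread.
MAX_ADDRESS = 10000
MAX_ADDRESS_PER_GROUP = 500


def build_address_xml(ips, prefix="et"):
    """Build the <address> subtree: one <entry name=..><ip-netmask>..</ip-netmask></entry> per input."""
    if len(ips) > MAX_ADDRESS:
        raise ValueError(f"{len(ips)} addresses exceeds max-address {MAX_ADDRESS}")
    root = ET.Element("address")
    for i, ip in enumerate(ips, 1):
        # normalise to CIDR so a bare host becomes /32 (or /128), as in the sample above
        net = str(ipaddress.ip_network(ip, strict=False))
        entry = ET.SubElement(root, "entry", name=f"{prefix}{i}")   # assumed naming scheme
        ET.SubElement(entry, "ip-netmask").text = net
    return root


def build_group_xml(address_root, group="block", per_group=MAX_ADDRESS_PER_GROUP):
    """Build the <address-group> subtree; members are the entry names, split into block1, block2, ..."""
    names = [e.get("name") for e in address_root.findall("entry")]
    root = ET.Element("address-group")
    for g, start in enumerate(range(0, len(names), per_group), 1):
        grp = ET.SubElement(root, "entry", name=f"{group}{g}")
        for n in names[start:start + per_group]:
            ET.SubElement(grp, "member").text = n
    return root


def members_per_group(group_root):
    """Member count per group, to check the per-group limit before writing the file."""
    return [len(g.findall("member")) for g in group_root.findall("entry")]


def to_xml(root):
    """Serialise a subtree to the text that goes into addresses.xml / groups.xml."""
    return ET.tostring(root, encoding="unicode")
```

The two serialised subtrees are what you would write to addresses.xml and groups.xml before pushing them with the panxapi -e calls above.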

On Fri, Oct 5, 2012 at 1:50 PM, Di Fabio, Andrea <adifabio () nsu edu> wrote:

    I have had multiple requests for the script we have been using, so
    here it is for everyone. If you improve on it, or see any issues with
    it (hopefully there are no issues since we have been using it for a
    few years :) ) please let me know ... and yes, that long while-do line
    was a personal challenge that started small and grew to something
    I had to defeat :)

    wget --quiet --timeout=20 --no-cache \
        --output-document=/var/log/security/EmergingThreats/FWrev \
        http://rules.emergingthreats.net/fwrules/FWrev

    # Compare new and old rev (cmp's exit status is the test; nothing to capture)
    if ! cmp -s /var/log/security/EmergingThreats/FWrev \
                /var/log/security/EmergingThreats/FWrev.old; then
        echo "CHANGE"
    else
        exit
    fi

    # get new list
    wget --quiet --timeout=20 --no-cache \
        --output-document=/var/log/security/EmergingThreats/emerging-Block-IPs.txt \
        http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

    # Filter the new list and remove our Nets and IPs for College use
    # but hosted and possibly on the list
    NSUNEWS=$(nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " " -f 2)
    FAIRDATA=$(nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d " " -f 2)

    # keep only lines that start with a digit, strip trailing comments,
    # drop RFC 1918 space and our own prefixes, then sort and dedupe
    sed -e '/^[0-9]/!d' -e 's/#.*//g' \
        -e '/^192\.168\./d' -e '/^172\.1[6-9]\./d' -e '/^172\.2[0-9]\./d' \
        -e '/^172\.3[0-1]\./d' -e '/^10\./d' -e '/^192\.68\.217\./d' \
        -e '/^199\.112\.11[2-9]\./d' -e '/^199\.111\.12[0-7]\./d' \
        -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' \
        -e '/^204\.155\.19[0-1]\./d' -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" \
        /var/log/security/EmergingThreats/emerging-Block-IPs.txt |
        sort | uniq > /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed

    # Print the Difference
    diff /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old \
         /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed

    # Write some nice ACL
    echo; echo; echo CISCO Command to execute; echo
    echo object-group network Net_EmergingThreats

    # whatmask prints "Netmask = ....: 255.255.255.0" for a prefix length
    mask() { whatmask "$1" | grep "Netmask =" | cut -d " " -f4; }

    # diff marks removed entries with "<" and added ones with ">";
    # everything else (hunk headers, "---") is skipped
    diff /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old \
         /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed |
    while read marker addr; do
        case "$marker" in
            "<") cmd="no network-object" ;;
            ">") cmd="network-object" ;;
            *)   continue ;;
        esac
        case "$addr" in
            */*) echo "$cmd ${addr%/*} $(mask "${addr#*/}")" ;;
            *)   echo "$cmd host $addr" ;;
        esac
    done

    # Back up the old list
    cp /var/log/security/EmergingThreats/FWrev \
       /var/log/security/EmergingThreats/FWrev.old
    cp /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed \
       /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old


    From: The EDUCAUSE Security Constituent Group Listserv
    [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
    Sent: Thursday, October 04, 2012 10:53 AM
    To: SECURITY () LISTSERV EDUCAUSE EDU
    Subject: [SECURITY] EmergingThreats.net

    Experts,

    We have been using the following for many years now
    http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on
    our border CISCO ASA firewalls with great success and little to no
    issues. A script pulls the new list, compares it with the old one
    and applies the delta. We are currently switching to PaloAlto FWs
    and it appears that scripting/importing this large list may not be
    as easy as it was with the ASA.

    Can those of you who use the ET list with PaloAlto give us some
    feedback/scripts/API on how you implemented it? We are also
    considering moving it to our border CISCO router either as an ACL or
    as a Null route, any feedback with the latter and/or scripts you may
    be using? My primary concern with using Null route is the fact that
    as far as I understand it, it can only block outbound traffic. The
    router ACL can accomplish blocking in/out, but my concern is with
    performance. What say you?



-- 
Will Froning
Will.Froning () GMail com

