Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: EmergingThreats.net
From: Charlie Reitsma <reitsmac () DENISON EDU>
Date: Fri, 12 Oct 2012 11:54:50 -0400

Your processed list contains 10,689 lines. On a recent case with Palo Alto
I was told:
As i see in the case description that you were talking about address limits
on the firewall, i got the info for you. Here are the max limits for
PA-2050:

max-address: 10000
max-address-group: 1000
max-address-per-group: 500

The strength of the Palo Alto firewall is its
application/threat/vulnerability identification. So, I do block a few
hundred addresses but mostly depend on the ability to identify a threat and
block that.

As for updating addresses and groups in a running Palo Alto firewall you
might use their Pan Perl Package which can be downloaded from their support
DevCenter:
#read addresses from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[ () name='vsys1']/address"
addresses.xml

#read address groups from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[ () name='vsys1']/address-group"
groups.xml

These give you the addresses and address-groups in xml. For example:
  <entry name="verify1">
    <ip-netmask>114.207.244.143/32</ip-netmask>
  </entry>
  <entry name="verify2">
    <ip-netmask>114.207.244.144/32</ip-netmask>
  </entry>

  <entry name="block">
    <member>verify1</member>
    <member>verify2</member>
  </entry>

Change your script to add your addresses and groups in xml format. Then
write them back:

#write addresses to primary host
panxapi -t pa1 -e ./addresses.xml
"/config/devices/entry/vsys/entry[ () name='vsys1']/address"

#write address groups to secondary host
panxapi -t pa1 -e ./groups.xml
"/config/devices/entry/vsys/entry[ () name='vsys1']/address-group"

And commit the changes:
#commit changes on primary host
panxapi -t pa1 -C "<commit></commit>"

All I've ever done is read out the whole address list or group list, modify
it and write back the whole list again. I have not figured out how to
change just one group.

On Fri, Oct 5, 2012 at 1:50 PM, Di Fabio, Andrea <adifabio () nsu edu> wrote:

I have had multiple requests for the script we have been using, so here it
is for eveyone. If you improve on it, or see any issues with it (hopefully
there are no issues since we have been using it for a few years J )
please let me know … and yes, that long while-do line was a personal
challenge that started small, l and grew to something I had to defeat J***
*

** **

wget --quiet --timeout=20 --no-cache
--output-document=/var/log/security/EmergingThreats/FWrev
http://rules.emergingthreats.net/fwrules/FWrev****

# Compare new and old rev****

if ! `cmp -s /var/log/security/EmergingThreats/FWrev
/var/log/security/EmergingThreats/FWrev.old`; then echo "CHANGE"; else
exit; fi****

# get new list****

wget --quiet --timeout=20 --no-cache
--output-document=/var/log/security/EmergingThreats/emerging-Block-IPs.txt
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt****

# Filter the new list and remove our Nets and IPs for College use but
hosted and possibly on the list****

NSUNEWS=`nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " "
-f 2`****

FAIRDATA=`nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d
" " -f 2`****

cat /var/log/security/EmergingThreats/emerging-Block-IPs.txt | sed -e
'/^[0-9]/!d' | sed -e 's/#.*//g' | sed -e '/^192\.168\./d' -e '/^172\.1[**
**

6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[0-1]\./d' -e '/^10\./d' -e
'/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' -e '/^199\.111\.12[****

0-7]\./d' -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' -e
'/^204\.155\.19[0-1]\./d' -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" | sort | u***
*

niq > /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed**
**

# Print the Difference****

diff
/var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old
/var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed****

# Write some nice ACL****

echo;echo; echo CISCO Command to execute; echo****

echo object-group network Net_EmergingThreats****

diff
/var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old
/var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed****

|  while read line; do   if echo $line | grep "<" ; then   if echo $line |
grep "/"; then  echo "no network-object" `echo $line | cut -d " "****

-f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 |  cut -d
"/" -f 2\`|grep "Netmask ="| cut -d " " -f4`;  else echo "no networ****

k-object host" `echo $line | cut -d " " -f 2`;  fi;   fi;  if echo $line |
grep ">" ; then   if echo $line | grep "/"; then  echo "network-obj****

ect" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo
$line | cut -d " " -f 2 |  cut -d "/" -f 2\`|grep "Netmask ="| cut -d "***
*

" -f4`;  else echo "network-object host" `echo $line | cut -d " " -f 2`;
fi;   fi;  done | grep network-object****

# Back up the old list****

cp /var/log/security/EmergingThreats/FWrev
/var/log/security/EmergingThreats/FWrev.old****

cp /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed
/var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old****

** **

** **

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Di Fabio, Andrea
*Sent:* Thursday, October 04, 2012 10:53 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] EmergingThreats.net****

** **

Experts,****

** **

We have been using the following for many years now
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on our
border CISCO ASA firewalls with great success and little to no issues. A
script pulls the new list, compares it with the old one and applies the
delta.  We are currently switching to PaloAlto FWs and it appears that
scripting/importing this large list may not be as easy as it was with the
ASA. ****

** **

Can those of you who use the ET list with PaloAlto give us some
feedback/scripts/API on how you implemented it? We are also considering
moving it to our border CISCO router either as an ACL or as a Null route,
any feedback with the latter and/or scripts you may be using? My primary
concern with using Null route is the fact that as far as I understand it,
it can only block outbound traffic. The router ACL can accomplish blocking
in/out, but my concern is with performance. What say you?****

** **

** **


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault