Educause Security Discussion mailing list archives

Re: EmergingThreats.net
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Tue, 6 Nov 2012 11:53:32 -0500

I read through the release notes and I see some great stuff. Any of you who are in the beta test program using 5.0 in 
production already? Your thoughts and any gotcha for the migration? Any new features you are taking advantage of and 
see value in implementing?

The information in this email and any attachments is covered under the Freedom of Information Act (FOIA) and may be 
partially or fully disclosed.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will 
Sent: Tuesday, November 06, 2012 4:52 AM
Subject: Re: [SECURITY] EmergingThreats.net

Hello All,

Just to follow-up on this thread, PAN-OS 5.0 was just released (not yet
announced though). The Admin guide has a new object type, "Dynamic Block

=====Admin Guide 5.0=====
Use the Dynamic Block Lists page to create an address object based on an
imported list of IP addresses. The source of the list must be a text
file and must be located on a web server. You can set the Repeat option
to automatically update the list on the device hourly, daily, weekly, or
monthly. After creating a dynamic block list object, you can then use
the address object in the source and destination fields for security
policies. Each imported list can contain up to 5,000 IP addresses (IPv4
and/or IPv6), IP ranges, or subnets.
The list must contain one IP address, range, or subnet per line, for
“” indicates one address, and “”
indicates all addresses from through
“2001:db8:123:1::1” or “2001:db8:123:1::/64”

I haven't installed 5.0 on my lab machines, so I don't know if the
max-address limit still applies considering this can support 5000 lines
per object. We would still have to cut the emergingthreats file into 3,
but it at least seems possible now.

Also NAT64 is supported on 5.0, woohoo.


Charlie Reitsma wrote:
Your processed list contains 10,689 lines. On a recent case with Palo
Alto I was told:
As i see in the case description that you were talking about address
limits on the firewall, i got the info for you. Here are the max limits
for PA-2050: 

max-address: 10000 
max-address-group: 1000 
max-address-per-group: 500 

The strength of the Palo Alto firewall is its
application/threat/vulnerability identification. So, I do block a few
hundred addresses but mostly depend on the ability to identify a threat
and block that.

As for updating addresses and groups in a running Palo Alto firewall you
might use their Pan Perl Package which can be downloaded from their
support DevCenter:
#read addresses from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address"

#read address groups from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address-group" >groups.xml

These give you the addresses and address-groups in xml. For example:
  <entry name="verify1">
    <ip-netmask> <></ip-netmask>
  <entry name="verify2">
    <ip-netmask> <></ip-netmask>

  <entry name="block">

Change your script to add your addresses and groups in xml format. Then
write them back:

#write addresses to primary host
panxapi -t pa1 -e ./addresses.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address"

#write address groups to secondary host
panxapi -t pa1 -e ./groups.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address-group"

And commit the changes:
#commit changes on primary host
panxapi -t pa1 -C "<commit></commit>"

All I've ever done is read out the whole address list or group list,
modify it and write back the whole list again. I have not figured out
how to change just one group.

On Fri, Oct 5, 2012 at 1:50 PM, Di Fabio, Andrea <adifabio () nsu edu
<mailto:adifabio () nsu edu>> wrote:

    I have had multiple requests for the script we have been using, so
    here it is for everyone. If you improve on it, or see any issues with
    it (hopefully there are no issues since we have been using it for a
    few years :)) please let me know … and yes, that long while-do line
    was a personal challenge that started small, and grew to something
    I had to defeat :)

    wget --quiet --timeout=20 --no-cache

    # Compare new and old rev
    if ! `cmp -s /var/log/security/EmergingThreats/FWrev /var/log/security/EmergingThreats/FWrev.old`; then echo "CHANGE"; else exit; fi

    # get new list
    wget --quiet --timeout=20 --no-cache

    # Filter the new list and remove our Nets and IPs for College use but hosted and possibly on the list
    NSUNEWS=`nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " " -f 2`
    FAIRDATA=`nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d " " -f 2`

    cat /var/log/security/EmergingThreats/emerging-Block-IPs.txt | sed -e '/^[0-9]/!d' | sed -e 's/#.*//g' | sed -e '/^192\.168\./d' -e '/^172\.1[6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[0-1]\./d' -e '/^10\./d' -e '/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' -e
    0-7]\./d' -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' -e '/^204\.155\.19[0-1]\./d' -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" | sort | uniq >

    # Print the Difference

    # Write some nice ACL
    echo;echo; echo CISCO Command to execute; echo
    echo object-group network Net_EmergingThreats

    | while read line; do if echo $line | grep "<" ; then if echo $line | grep "/"; then echo "no network-object" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 | cut -d "/" -f 2\`|grep "Netmask ="| cut -d " " -f4`; else echo "no network-object host" `echo $line | cut -d " " -f 2`; fi; fi; if echo $line | grep ">" ; then if echo $line | grep "/"; then echo "network-object" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 | cut -d "/" -f 2\`|grep "Netmask ="| cut -d " " -f4`; else echo "network-object host" `echo $line | cut -d " " -f 2`; fi; fi; done | grep network-object

    # Back up the old list
    cp /var/log/security/EmergingThreats/FWrev


    From: The EDUCAUSE Security Constituent Group Listserv
    [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
    Sent: Thursday, October 04, 2012 10:53 AM
    Subject: [SECURITY] EmergingThreats.net

    We have been using the following for many years now
    http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on
    our border CISCO ASA firewalls with great success and little to no
    issues. A script pulls the new list, compares it with the old one
    and applies the delta. We are currently switching to PaloAlto FWs
    and it appears that scripting/importing this large list may not be
    as easy as it was with the ASA.

    Can those of you who use the ET list with PaloAlto give us some
    feedback/scripts/API on how you implemented it? We are also
    considering moving it to our border CISCO router either as an ACL or
    as a Null route, any feedback with the latter and/or scripts you may
    be using? My primary concern with using Null route is the fact that
    as far as I understand it, it can only block outbound traffic. The
    router ACL can accomplish blocking in/out, but my concern is with
    performance. What say you?

Will Froning
Will.Froning () GMail com

Attachment: smime.p7s
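The thread's ASA script filters a downloaded blocklist with a chain of sed patterns, diffs it against the last applied copy, and turns the delta into object-group commands, while the Palo Alto side needs the list cut into pieces of at most 5,000 entries per dynamic block list object. The following is an added example written for this archive page; it is not the poster's script and not Palo Alto or Cisco code. It assumes constructed sample lists, a constructed campus net 192.0.2.0/24 standing in for the nets the sed patterns remove, the object-group name Net_EmergingThreats from the thread, and Python's standard ipaddress module in place of whatmask for netmask conversion.

```python
"""Normalise a text blocklist, drop our own and private space, diff it against
the previously applied list, and emit the Cisco ASA object-group delta; also
split the cleaned list into files small enough for a PAN-OS dynamic block list
object.  Added example, not the thread's script; the sample lists are constructed."""
import ipaddress

# Never block: RFC1918 space plus our own nets (192.0.2.0/24 is a constructed
# stand-in for the campus ranges the thread's script filters with sed).
EXCLUDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24",
)]


def _key(net):
    # IPv4 and IPv6 networks cannot be compared directly; sort by family first.
    return (net.version, net)


def parse_list(text):
    """Return the set of ip_network objects in a list file, skipping comments,
    non-address lines and anything that falls inside EXCLUDE."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue                                 # not an address or prefix
        if any(net.version == ex.version and net.subnet_of(ex) for ex in EXCLUDE):
            continue
        nets.add(net)
    return nets


def asa_object(net):
    """One ASA network-object line: hosts get 'host', IPv4 prefixes a netmask."""
    if net.num_addresses == 1:
        return f"network-object host {net.network_address}"
    if net.version == 4:
        return f"network-object {net.network_address} {net.netmask}"
    return f"network-object {net.with_prefixlen}"


def asa_delta(old, new, group="Net_EmergingThreats"):
    """Commands that turn the applied object-group into the new list: removals
    first, then additions.  This is the delta step the thread's script applies."""
    cmds = [f"object-group network {group}"]
    cmds += ["no " + asa_object(n) for n in sorted(old - new, key=_key)]
    cmds += [asa_object(n) for n in sorted(new - old, key=_key)]
    return cmds


def chunk_for_dbl(nets, limit=5000):
    """Split the cleaned list into chunks of at most `limit` lines, one address
    or prefix per line, as a PAN-OS dynamic block list object expects."""
    lines = [str(n.network_address) if n.num_addresses == 1 else n.with_prefixlen
             for n in sorted(nets, key=_key)]
    return [lines[i:i + limit] for i in range(0, len(lines), limit)]


# Constructed sample data standing in for FWrev.old and the freshly fetched list.
OLD_LIST = """# previously applied list (constructed)
198.51.100.7
203.0.113.0/24
"""
NEW_LIST = """# freshly downloaded list (constructed)
198.51.100.7          # still listed
203.0.113.128/25      # the /24 shrank to a /25
192.168.5.5           # private space, must never reach the firewall
192.0.2.44            # our own host that landed on the list
2001:db8:123:1::1
this is not an address
"""

if __name__ == "__main__":
    old, new = parse_list(OLD_LIST), parse_list(NEW_LIST)
    print("\n".join(asa_delta(old, new)))
    # limit=2 only to show the chunking on the tiny sample; use 5000 for real lists
    for i, chunk in enumerate(chunk_for_dbl(new, limit=2), 1):
        print(f"--- dbl-{i}.txt ({len(chunk)} lines)")
        print("\n".join(chunk))
```

Run as-is it prints the four-line ASA delta (one removal, two additions) and two chunk files; in practice the chunks would be published on an internal web server and each referenced by its own dynamic block list object, and the delta piped to the ASA only after the cmp-style revision check the thread's script performs.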
