OpenDXL ATD Fortinet

  • mohl1 added a new solution:

    Quote

    McAfee Advanced Threat Defense (ATD) produces local threat intelligence that is pushed via DXL. An OpenDXL wrapper subscribes to and parses the IP indicators ATD produced, and automatically updates the firewall rules.


    McAfee Advanced Threat Defense (ATD) is a malware analytics solution that combines signatures and behavioral analysis techniques to rapidly identify malicious content, and it provides local threat intelligence. ATD exports IOC data in STIX format in several ways, including DXL. https://www.mcafee.com/in/prod…anced-threat-defense.aspx


    Fortinet firewalls provide a high-performance network security protection platform. https://www.fortinet.com/produ…-generation-firewall.html

  • Hi, I set up everything as it should be, but I still get error messages and the Address-Group will not be generated.


    /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:852: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: urllib3.readthedocs.io/en/late…d-usage.html#ssl-warnings
      InsecureRequestWarning)
    LOGIN successful
    Traceback (most recent call last):
      File "forti_push.py", line 180, in <module>
        host = sys.argv[1]
    IndexError: list index out of range


    Regarding the account needed on the FortiGate: do we need a REST admin account (with PKI and API key), or do we need a simple user account with some rights?

  • We have contacted the solution developer about this issue; if there is indeed a bug or some other problem (documentation, perhaps), it should be addressed in the near future.


    In the meantime, you can protect against this error by checking the length of the command-line arguments supplied to the script and handling the problem gracefully. For example:


    Python: forti_push.py
    if __name__ == "__main__":
        fgt = FGT(fgt_ip)        # FGT, fgt_ip, user and pw are defined earlier in forti_push.py
        fgt.login(user, pw)
        # sys.argv[0] is the script name itself, so an IP argument is present
        # only when len(sys.argv) >= 2; a check for "< 1" can never be true.
        if len(sys.argv) < 2:
            # ---> Handle the scenario here, e.g. print a usage message and exit <---
            sys.exit("usage: python forti_push.py <ip>")
        else:
            host = sys.argv[1]
  • Hi Christoph,


    Thanks for your post. How do you execute the scripts? The main purpose of the scripts is to receive the ATD DXL message and extract the C2 communication.

    First you execute atd_subscriber.py. This will start an ATD subscriber that waits for DXL messages from ATD.

    As soon as a DXL message is published, it will extract the C2 communication and execute the forti_push.py script with the IP.


    Here are some more details.

    Python: atd_subscriber.py
    try:
        # Get Destination IP and push to Fortinet
        ips = query['Summary']['Dst IP']
        if not ips:
            pass
        else:
            ipv4 = ips
            print ipv4
            # Run forti_push.py with the IP as its first argument (sys.argv[1])
            os.system('python forti_push.py ' + ipv4)
    except: pass

    In line 39 you can see that the atd_subscriber.py script executes the forti_push.py script including the first argument (in this case the IP).


    You can also execute the script directly e.g.


    python forti_push.py 199.199.199.199


    Please let us know how it goes.


    Martin
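The hand-off between the two scripts described in Martin's post, and the argument check suggested in the previous reply, as an added example that is not the OpenDXL ATD Fortinet solution's own code. It assumes the ATD DXL payload carries the destination IP under query['Summary']['Dst IP'] as in the snippet above and that forti_push.py takes the IP as its first argument; the list form of 'Dst IP', the FORTI_PUSH path and the sample message are assumptions (Python 3, not the Python 2.7 of the thread). The point it adds is that a string taken from a threat-intelligence message is untrusted input: it is validated as a literal IP address and passed as a separate argv element rather than concatenated into an os.system() command line.

```python
"""Hardened hand-off of ATD 'Dst IP' indicators to forti_push.py.

Added example for this thread, not the OpenDXL ATD Fortinet solution's own
code. It assumes the ATD DXL payload carries the destination IP under
query['Summary']['Dst IP'] (as in Martin's snippet) and that forti_push.py
takes the IP as its first argument; the list form of 'Dst IP' and the
FORTI_PUSH path are assumptions. Python 3.
"""
import ipaddress
import subprocess
import sys

FORTI_PUSH = "forti_push.py"  # assumed location; adjust to where the script lives


def extract_dst_ips(query):
    """Return the validated, publicly routable IPv4 indicators in an ATD summary.

    Anything that is not a literal IP address (a hostname, an empty value, or a
    string such as "1.2.3.4; rm -rf /") is dropped here, so it can never reach
    a command line.
    """
    raw = (query.get("Summary") or {}).get("Dst IP")
    if not raw:
        return []
    candidates = raw if isinstance(raw, list) else [raw]  # list form is an assumption
    ips = []
    for item in candidates:
        try:
            ip = ipaddress.ip_address(str(item).strip())
        except ValueError:
            continue
        # Skip private, loopback and other non-global ranges so an ATD sample that
        # talked to the analyzer or an internal host does not produce a firewall rule.
        if ip.version != 4 or not ip.is_global:
            continue
        ips.append(str(ip))
    return ips


def forti_push_argv(ip, interpreter=sys.executable):
    """argv list for one push: no shell is involved, unlike os.system('... ' + ipv4)."""
    return [interpreter, FORTI_PUSH, ip]


def push_to_fortinet(query, runner=subprocess.run):
    """Launch forti_push.py once per validated IP; return the IPs that were pushed.

    `runner` exists so the hand-off can be exercised without a FortiGate; in
    production leave the default. check=True makes a failing push raise instead
    of vanishing, which is what the bare `except: pass` in atd_subscriber.py
    would do.
    """
    pushed = []
    for ip in extract_dst_ips(query):
        runner(forti_push_argv(ip), check=True)
        pushed.append(ip)
    return pushed


def parse_forti_push_args(argv):
    """Argument check for the forti_push.py side.

    argv[0] is the script name, so an IP is present only when len(argv) >= 2;
    a test of `len(sys.argv) < 1` can never fire. Running the script by hand
    without an IP exits with a usage message instead of the IndexError seen in
    the thread.
    """
    if len(argv) < 2:
        raise SystemExit("usage: forti_push.py <ip-address>")
    try:
        return str(ipaddress.ip_address(argv[1]))
    except ValueError:
        raise SystemExit("forti_push.py: %r is not a valid IP address" % (argv[1],)) from None


# Constructed sample modelled on the thread's description, not a real ATD capture.
SAMPLE_QUERY = {"Summary": {"Dst IP": "199.199.199.199"}}

if __name__ == "__main__":
    def dry_run(argv, check=True):
        print("would run:", argv)

    print(push_to_fortinet(SAMPLE_QUERY, runner=dry_run))
```

Two caveats that follow from the output pasted earlier in the thread: the InsecureRequestWarning is unrelated to the IndexError; it is the requests library reporting that forti_push.py calls the FortiGate REST API with certificate verification disabled, which should be fixed separately by pointing requests at the FortiGate's CA certificate rather than silencing the warning. And because the original dispatcher wraps everything in a bare except, a forti_push.py failure (wrong credentials, unreachable FortiGate) is never reported; letting subprocess raise, as above, makes a missed block visible to whoever runs the subscriber.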