OpenDXL ATD Fortinet

  • mohl1 added a new solution:

    Quote

    McAfee Advanced Threat Defense (ATD) will produce local threat intelligence that will be pushed via DXL. An OpenDXL wrapper will subscribe and parse IP indicators ATD produced and will automatically update Firewall rules.


    McAfee Advanced Threat Defense (ATD) is a malware analytics solution combining signatures and behavioral analysis techniques to rapidly identify malicious content and provides local threat intelligence. ATD exports IOC data in STIX format in several ways including the DXL. https://www.mcafee.com/in/prod…anced-threat-defense.aspx


    Fortinet Firewalls provide a high-performance network security protection platform. https://www.fortinet.com/produ…-generation-firewall.html

  • Hi, I set up everything as it should be but I still get error messages and the Address-Group will not be generated.


    /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/connectionpool.py:852: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: urllib3.readthedocs.io/en/late…d-usage.html#ssl-warnings
      InsecureRequestWarning)
    LOGIN successful
    Traceback (most recent call last):
      File "forti_push.py", line 180, in <module>
        host = sys.argv[1]
    IndexError: list index out of range


    Related to the account needed at the FortiGate ... do we need a REST Admin Account (with PKI and API key) or do we need a simple user account with some rights?

  • We have contacted the solution developer over this issue; if there is indeed a bug or some other problem (documentation, perhaps), it should be addressed in the near future.


    In the meantime, you can protect against this error by checking the length of the command line arguments supplied to the script to handle the problem gracefully. For example:


    Python: forti_push.py
    import sys  # needed for sys.argv; FGT, fgt_ip, user and pw come from the rest of forti_push.py

    if __name__ == "__main__":
        fgt = FGT(fgt_ip)
        fgt.login(user, pw)
        # sys.argv[0] is the script name itself, so fewer than 2 entries means no host was passed
        if len(sys.argv) < 2:
            # ---> Handle the scenario here <---
            sys.exit("usage: python forti_push.py <ip>")
        else:
            host = sys.argv[1]
  • Hi Christoph,


    thanks for your post. How do you execute the scripts? The main purpose of the scripts is to receive the ATD DXL message and extract C2 communication.

    First, you execute atd_subscriber.py. This will start an ATD subscriber that will wait for DXL messages from ATD.

    As soon as a DXL message is published, it will extract the C2 communication and execute the forti_push.py script with the IP.


    Here are some more details.

    Python: atd_subscriber.py
    try:
        # Get Destination IP and push to Fortinet
        ips = query['Summary']['Dst IP']
        if not ips:
            pass  # empty "Dst IP": nothing to push, forti_push.py is not started
        else:
            ipv4 = ips
            print(ipv4)
            os.system('python forti_push.py ' + ipv4)
    except: pass

    In line 39 you see that the atd_subscriber.py script executes the forti_push.py script including the first argument (in this case the IP).


    You can also execute the script directly e.g.


    python forti_push.py 199.199.199.199


    Please let us know how it goes.


    Martin

  • May I have some more detail on the integration of DXL with the Fortinet firewall?


    It's confusing me: does the Python script need to run on ATD or on DXL? Can anyone share a step-by-step configuration with me?

  • Hi Mohl, Ncolter,


    I've set up the entire thing with an ATD trial and let our developer adjust some code in "atd_Publisher.py" to log to a separate file.

    When I execute, for example, "ransomware petya" in our ATD we receive a lot of information in our log, but the BadIPList on the FortiGate isn't updated. I also don't see the startup of the file "forti_push.py" in our log.


    In the analyzer profile on the ATD I disabled "Enable Malware Internet Access" for security reasons. We don't have a separate internet breakout for testing.


    My question:

    Does an analyzer profile with dynamic analysis options enabled capture network traffic of a threat with "Enable Malware Internet Access" disabled?


    I presume the virus Petya contains some public IPs for C&C which need to be pushed to the FortiGate.


    FYI:


    forti_push was already tested with "python forti_push.py 199.199.199.199" and this works.


    Thanks

    Christophe

  • Hi Christophe,


    In the 'atd_subscriber.txt' file that you attached, it appears that the ATD file report does not include a non-empty value for the "Dst IP" (see https://github.com/mohlcyber/O…1.0/atd_subscriber.py#L33) or "Ips" (see https://github.com/mohlcyber/OpenDXL-ATD-Fortinet/blob/v1.0/atd_subscriber.py#L44).


    For example:


    Quote

    INFO:root:{
        "Summary": {
            ...
            "Dst IP": "",


    Since no IPs are present in the report, it appears that the "atd_subscriber" script would not try to run the "forti_push.py" script.


    I don't immediately have any explanation as to why the ATD report would not include any IP address information. Maybe Martin or Nolan would have an idea about this? Is there some other action with ATD that you might be able to trigger which would include IPs in the report, to see that the basic Python script integration with Fortinet is functioning properly?
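The two posts above (Martin's description of the atd_subscriber.py -> forti_push.py flow, and the empty "Dst IP" case just discussed) can be put together in one small script. The following is an added example written for this thread, not code from the OpenDXL-ATD-Fortinet project, and it targets Python 3 rather than the 2.7 seen in the traceback. It assumes, without confirmation from the thread, that the DXL payload is JSON whose Summary -> "Dst IP" holds one address or several separated by commas or whitespace, and that forti_push.py takes the host as argv[1]. It shows the empty-report path that never starts forti_push.py, validates anything pulled out of an analysis report before it becomes a command-line argument, launches forti_push.py without a shell, and handles the missing-argument case on the forti_push.py side with the correct `len(sys.argv) < 2` check.

```python
"""Added example for this thread; not code from the OpenDXL-ATD-Fortinet project.

Assumptions (not confirmed by the thread): the DXL payload is JSON with
Summary -> "Dst IP" holding one address or several separated by commas or
whitespace; forti_push.py takes the host address as argv[1].
"""
import ipaddress
import json
import subprocess
import sys

# Constructed samples: the shape quoted above with an empty "Dst IP",
# and one carrying the address used elsewhere in the thread.
REPORT_NO_IP = json.dumps({"Summary": {"Dst IP": ""}})
REPORT_WITH_IP = json.dumps({"Summary": {"Dst IP": "199.199.199.199"}})


def extract_dst_ips(report_json):
    """Return the globally routable IPv4 addresses found in Summary -> Dst IP.

    An empty string or missing key yields [], which is the case from the
    thread where forti_push.py was never started.
    """
    try:
        summary = json.loads(report_json).get("Summary", {})
        raw = summary.get("Dst IP", "")
    except (ValueError, AttributeError):
        return []
    if isinstance(raw, str):
        candidates = raw.replace(",", " ").split()
    elif isinstance(raw, (list, tuple)):
        candidates = [str(c) for c in raw]
    else:
        return []
    ips = []
    for candidate in candidates:
        try:
            ip = ipaddress.ip_address(candidate.strip())
        except ValueError:
            continue  # report text that is not an address never reaches a command line
        if ip.version == 4 and ip.is_global and str(ip) not in ips:
            ips.append(str(ip))
    return ips


def build_push_command(ip):
    """argv list for forti_push.py.

    A list handed to subprocess is not interpreted by a shell, unlike
    os.system('python forti_push.py ' + ip) with a report-derived string.
    """
    return [sys.executable, "forti_push.py", ip]


def push_ips(report_json, run=subprocess.run):
    """Start forti_push.py once per extracted address; return the commands issued.

    `run` is injectable so the dispatch can be exercised without forti_push.py present.
    """
    issued = []
    for ip in extract_dst_ips(report_json):
        cmd = build_push_command(ip)
        run(cmd, check=False)
        issued.append(cmd)
    return issued


def forti_push_main(argv):
    """Argument handling for the forti_push.py side.

    argv[0] is the script name, so a missing host means len(argv) < 2
    (len(argv) < 1 can never be true). Returns the validated host, or a
    usage/error string instead of raising IndexError.
    """
    if len(argv) < 2:
        return "usage: forti_push.py <host-ip>"
    try:
        ipaddress.ip_address(argv[1])
    except ValueError:
        return "invalid host ip: %r" % argv[1]
    return argv[1]


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for report in (REPORT_NO_IP, REPORT_WITH_IP):
        issued = push_ips(report, run=lambda cmd, check=False: print("would run:", cmd))
        print("report -> %d push command(s)" % len(issued))
    print(forti_push_main(["forti_push.py"]))
```

Run as-is it performs a dry run over both constructed reports, showing that the empty "Dst IP" report issues no command while the populated one issues exactly one. Replacing the `run` argument with the default `subprocess.run` gives the real dispatch.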

  • Hi Christophe,


    It looks like atd_subscriber.py and forti_push.py work fine.

    It seems that no IPs were identified during the ATD analysis process, hence forti_push.py didn't get executed.


    I've attached a DXL message from my ATD appliance (sample.txt). You can see in the DXL message the IP address that I am parsing out with the script to update Fortinet. My ATD has the following analyzer profile configured:


    My guess is that "Enable Malware Internet Access" needs to be enabled to receive network information like IPs / URLs. I will get this confirmed by one of our Technology Specialists for ATD and provide you with an update.


    All the best,

    Martin