OpenDXL-WildFireTIE

  • jnetz added a new solution:

    Quote

    Customers are regularly challenged by having made multiple high-dollar investments in disjointed best-of-breed solutions. As such, point-to-point integration is usually required to bridge the gap in architectures offering synergistic value to the organization. And, since WildFire is a very popular sandbox technology from Palo Alto Networks that many customers employ, this module integrates the value of WildFire sandboxing technologies, cloud or on-premises appliances, with the effective threat mitigation at the endpoint offered by McAfee's Threat Intelligence Exchange (TIE).


    Icon by Vecteezy licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0).

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758

  • Hi, I ran into an issue with this module ... after starting wf.py I get the following errors...


    #############################################


    python dxlwildfiretie/wf.py


    dxlclient.exceptions.WaitTimeoutException: Timeout waiting for response to message: {2dec0cf3-327a-4471-a3be-b7aeddc23f93}


    Any hints or suggestions ?

  • I am not very informed on this particular integration, but based on the error message and the fact that it is attempting to set a TIE reputation, my guess is that it is an authorization issue.


    The client that is running this script must be authorized to set TIE reputations.


    The FAQ for the TIE DXL Python Client Library contains the following:

    Q: I receive a timeout, "dxlclient.exceptions.WaitTimeoutException: Timeout waiting for response to message", when attempting to set the reputation of a file/certificate


    A: This typically occurs due to the Python client not having permission to send messages to the /mcafee/service/tie/file/reputation/set topic (for files) and the /mcafee/service/tie/cert/reputation/set topic (for certificates).


    The following page provides an example of authorizing a Python client to send messages to an authorization group. While the example is based on McAfee Active Response (MAR), the instructions are the same with the exception of swapping the TIE Server Set Enterprise Reputation authorization group in place of Active Response Server API:


    https://opendxl.github.io/open…on/pydoc/marsendauth.html


    Hope this helps,

    Chris

  • I'm having the same error above, but with this in front of it:


    2017-10-13 20:43:11,150 dxlclient.broker - ERROR - Socket could not be created. Error Code : None Message timed out

    2017-10-13 20:43:11,206 dxlclient.broker - ERROR - Socket could not be created. Error Code : None Message timed out


    I have added the certificate to the Topic Authorizations as well.


  • Those errors indicate that the client is unable to connect to some of the broker(s) that are listed in the dxlclient.config file. Many times those errors can be ignored if the client is ultimately able to connect to one of the brokers listed.


    Do the OpenDXL client samples run successfully?


    Thanks,

    Chris

  • Hi!


    I see this error when running wf.py:


    Traceback (most recent call last):
      File "wf.py", line 165, in <module>
        reputations_dict[FileProvider.GTI]["trustLevel"]==TrustLevel.NOT_SET) or \
    KeyError: 1


    Did I miss some configuration?

  • OK - I see. This error exists because it's expecting GTI to be available. Please enable GTI in your TIE policy. I'll update to handle the exception more gracefully.

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758

  • Hello,


    I recently started to get the following error:



    Traceback (most recent call last):
      File "wf.py", line 159, in <module>
        HashType.SHA256: currentSHA256
      File "build/bdist.linux-x86_64/egg/dxltieclient/client.py", line 306, in get_file_reputation
      File "/home/wildfire/.local/lib/python2.7/site-packages/dxlbootstrap/client.py", line 56, in _dxl_sync_request
        raise Exception("Error: " + res.error_message + " (" + str(res.error_code) + ")")
    Exception: Error: Error during request handling. (0)


    The process runs but does not complete. If I wait a few hours and run the process again, a few more reputations will get set before it errors out. TIE does show the few reputations it does set.



    Not sure if the issue is with PAN and it not yet having generated a hash?

  • It seems possible that the problem could be due to the PAN having supplied empty values for the MD5 and SHA256 values. I can recreate that error message manually by doing the following:

    Code
        # tie_client is an existing dxltieclient.TieClient; HashType comes from
        # dxltieclient.constants. Empty hash values reproduce the error.
        currentMD5 = ""
        currentSHA256 = ""
        reputations_dict = \
            tie_client.get_file_reputation({
                HashType.MD5: currentMD5,
                HashType.SHA256: currentSHA256
            })

    The above produces the same error message that you mentioned:

    Quote

    Exception: Error: Error during request handling. (0)

    Have you tried modifying the "wf.py" source code to print out the value of the currentMD5 and currentSHA256 variables so you can see what they are when the error occurs?


    Jesse - if this is something you expect could happen in the Wildfire feed, do you think the DXL integration should case around it to avoid trying to make calls to TIE for invalid hash values? Something like...

    Code
        # only query TIE when WildFire supplied both hash values
        if currentMD5 and currentSHA256:
            reputations_dict = \
                tie_client.get_file_reputation({
                    HashType.MD5: currentMD5,
                    HashType.SHA256: currentSHA256
                })
            ...
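    The two failure modes discussed in this thread (the KeyError when GTI is not enabled in the TIE policy, and the "Error during request handling" response for empty hash values) can both be guarded in the integration before any DXL request is made. The following is an added, stand-alone illustration, not code from the OpenDXL-WildFireTIE project: the constant classes mirror the values of dxltieclient.constants, FakeTieClient is a constructed stand-in for TieClient so the snippet runs offline, and the provider list and the NOT_SET check are assumptions modelled on the wf.py line quoted above.

```python
import re

# Constants mirroring dxltieclient.constants (the "KeyError: 1" in the thread
# is FileProvider.GTI missing from the reputations dict).
class HashType:
    MD5 = "md5"
    SHA256 = "sha256"

class FileProvider:
    GTI = 1
    ENTERPRISE = 3

class TrustLevel:
    NOT_SET = 0
    UNKNOWN = 50

_HEX = {HashType.MD5: re.compile(r"[0-9a-fA-F]{32}"),
        HashType.SHA256: re.compile(r"[0-9a-fA-F]{64}")}

def valid_hashes(md5, sha256):
    """True only if both values from the WildFire XML are well-formed hex digests."""
    return bool(md5 and sha256 and _HEX[HashType.MD5].fullmatch(md5)
                and _HEX[HashType.SHA256].fullmatch(sha256))

def needs_reputation(reputations, providers=(FileProvider.GTI, FileProvider.ENTERPRISE)):
    """True when no listed provider has set a trust level. A provider absent from
    the dict (e.g. GTI disabled in the TIE policy) counts as NOT_SET instead of
    raising KeyError as the original wf.py line 165 did."""
    for provider in providers:
        level = reputations.get(provider, {}).get("trustLevel", TrustLevel.NOT_SET)
        if level != TrustLevel.NOT_SET:
            return False
    return True

def lookup_reputation(tie_client, md5, sha256):
    """Guarded get_file_reputation: skip the DXL request for empty or malformed
    hashes (TIE answers those with 'Error during request handling') and return
    (reputations, should_set_enterprise_reputation)."""
    if not valid_hashes(md5, sha256):
        return None, False
    reps = tie_client.get_file_reputation({HashType.MD5: md5, HashType.SHA256: sha256})
    return reps, needs_reputation(reps)

class FakeTieClient:
    """Constructed stand-in for dxltieclient.TieClient, keyed by SHA256 (offline demo)."""
    def __init__(self, table):
        self.table = table
    def get_file_reputation(self, hashes):
        return self.table.get(hashes[HashType.SHA256], {})
```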
  • amgkcgc


    Humbly, I admit that I never thought about this particular case. But the fact that if you wait and run it again in a few hours you get results tells me that there is either a nil case where the key/value pair is missing from PAN's response... or the results are missing altogether.


    I'll private message you to help troubleshoot before suggesting a fix.

    camlow325, thanks for the suggestion. Based on what we find out, that may just work ;)

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758


  • UPDATE: It appears that lack of resources on @amgkcgc's TIE VM (2GB) may have caused the TIE server to become overloaded and failed to respond or created an error response when replying to the TIE get_file_reputation call. So far, increasing system resources seems to have resolved the issue.


    In examining the output from WF's XML, all values are set appropriately and we were not witnessing null/empty SHA256 values.

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758