Open MySickSi opened 4 years ago
Did you ever get MISP working with Palo Alto?
I finally got mine working using the apikey in the GET request. Fine in my network, probably not in most. e.g. https://host.domain.tld/attributes/restSearch/returnFormat:text/published:1/to_ids:1/type:domain||hostname/limit:2000/enforceWarninglist:true/apikey:fkljgfdlkgjhsfdlkjghsdflkjgh
@stevelogik Yes, I had to implement MineMeld as well. It has a miner you can download from GitHub to pull IOCs from MISP.
Hi, we are new to MISP and trying to get a few integrations working, one of them being Palo Alto. This feature would help MISP users who have a Palo Alto firewall and would like to use their MISP server as a source for an external dynamic list (EDL). Enabling EDLs is relatively straightforward and the text-based URLs provided by MISP are already in the correct format.
Is your feature request related to a problem? Please describe.
There are currently no options to push IP, domain, or URL IOCs from MISP to a Palo Alto firewall using EDL. Palo Alto can access URLs with or without authentication. If authentication is required, it uses basic HTTP authentication.
Describe the solution you'd like
Palo Alto EDL integrations require the URL to have no authentication or to allow authentication via an HTTP authorization request. Is there a way to disable the authorization key required for specific feeds or enable authorization via HTTP authentication, or can this be enabled?
Describe alternatives you've considered
I created a MISP user with R/O auth privileges. I tried to use that as an input to the Palo Alto configuration, but I am receiving a "URL access error" in the firewall.
Additional context
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list.html
Here is a screenshot of the option to enable EDL using HTTP authentication from the linked post.
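An added example, not part of the original thread and not code from MISP or Palo Alto: one way to keep the key out of the URL (and so out of proxy and web-server logs) is a small job that queries MISP with the key in the `Authorization` header and publishes the result as a plain file for the firewall to fetch. It assumes the file is served by a separate web server that handles the firewall's own access control; the function names, `misp.example` host and sample data are hypothetical.

```python
import json
import os
import re
import tempfile
import urllib.request

# Assumption: entries are plain ASCII hostnames; anything else is skipped.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile("^(?:" + _LABEL + r"\.)+" + _LABEL + "$")

def build_request(base_url, api_key, limit=2000):
    """Same filters as the URL in the thread, but the key travels in a header."""
    body = {"returnFormat": "text", "published": 1, "to_ids": 1,
            "type": ["domain", "hostname"], "limit": limit,
            "enforceWarninglist": True}
    return urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode(),
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")

def to_edl_lines(text):
    """Lower-case, de-duplicate and keep valid hostnames, preserving order."""
    seen, out = set(), []
    for raw in text.splitlines():
        entry = raw.strip().lower().rstrip(".")
        if entry not in seen and _HOSTNAME.match(entry):
            seen.add(entry)
            out.append(entry)
    return out

def write_edl(lines, path):
    """Swap the file in atomically so a fetch never sees a half-written list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)

def refresh(base_url, api_key, path):
    """Fetch from MISP, clean the result, publish it; returns the entry count."""
    with urllib.request.urlopen(build_request(base_url, api_key), timeout=30) as r:
        lines = to_edl_lines(r.read().decode("utf-8", "replace"))
    write_edl(lines, path)
    return len(lines)

# Constructed sample of a text export, to show the clean-up step offline.
SAMPLE = "Bad.Example.\n\nbad.example\nnot a host\nc2.example.net\n"
```

`refresh` is meant to run on a schedule, with the key read from a protected file or environment variable rather than hard-coded.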