DNS Sinkholing is not enabled-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if DNS Sinkholing is not enabled on one of the Anti-Spyware profiles.

Remediation Steps:
Ensure all Anti-Spyware profiles have DNS sinkholing enabled.

How does this work?
This alert uses the Palo Alto Networks API to iterate through the configured anti-spyware profiles and check whether any of them does not have this feature enabled. The alert reports the name of each anti-spyware profile that lacks it.

Why is this important?
DNS sinkholing helps to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client’s DNS query. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.

Without Indeni how would you find this?
Log in to the device's web interface, click on "Objects" -> "Security Profiles" -> "Anti-Spyware", and check each profile manually.

panos-dns-sinkhole

name: panos-dns-sinkhole
description: Check all anti-spyware profiles have dns sinkholing enabled
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    panos-dns-sinkhole:
        why: |
            DNS sinkholing helps to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.
        how: |
            This alert uses the Palo Alto Networks API interface to parse through the configured anti-spyware profiles and check if any of them does not have this feature enabled. The alarm should dump the name of the anti-spyware profile.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/profiles/spyware&key=${api-key}
    parse:
        type: XML
        file: panos-anti-spyware-dns-sinkhole.parser.1.xml.yaml
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/profiles/spyware/entry[@name='${spyware_profile}']&key=${api-key}
    parse:
        type: XML
        file: panos-anti-spyware-dns-sinkhole.parser.2.xml.yaml
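The two HTTP steps above fetch the list of anti-spyware profiles and then each profile's configuration; the rule then decides per profile whether DNS sinkholing is on. The following Python script is an added example (not Indeni's parser or rule code) of that decision logic run over a constructed PAN-OS XML API response. It assumes the PAN-OS schema places the DNS-signature action under `botnet-domains/lists/entry/action` with an empty `<sinkhole/>` element when sinkholing is selected; the sample response, profile names and the `BASE_XPATH`/`profile_xpath` helper are constructed for the example.

```python
"""Added example: flag PAN-OS anti-spyware profiles without DNS sinkholing."""
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS XML API config response (step 1 of the rule).
# Element names follow the PAN-OS spyware-profile schema as assumed above.
SAMPLE_RESPONSE = """<response status="success" code="19">
  <result total-count="1" count="1">
    <spyware>
      <entry name="strict-with-sinkhole">
        <botnet-domains>
          <lists>
            <entry name="default-paloalto-dns">
              <action><sinkhole/></action>
              <packet-capture>disable</packet-capture>
            </entry>
          </lists>
          <sinkhole>
            <ipv4-address>pan-sinkhole-default-ip</ipv4-address>
            <ipv6-address>::1</ipv6-address>
          </sinkhole>
        </botnet-domains>
      </entry>
      <entry name="alert-only">
        <botnet-domains>
          <lists>
            <entry name="default-paloalto-dns">
              <action><alert/></action>
            </entry>
          </lists>
        </botnet-domains>
      </entry>
      <entry name="no-dns-signatures">
        <rules/>
      </entry>
    </spyware>
  </result>
</response>"""

# Same xpath the rule's HTTP steps use (api key deliberately omitted here).
BASE_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']/profiles/spyware")


def profile_names(xml_text):
    """Step 1: names of every anti-spyware profile in the response."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.findall("./result/spyware/entry")]


def profile_xpath(name):
    """Step 2: build the per-profile xpath; refuse names that would break the literal."""
    if "'" in name or "]" in name:
        raise ValueError("profile name cannot be embedded in an xpath string literal")
    return f"{BASE_XPATH}/entry[@name='{name}']"


def sinkhole_enabled(profile):
    """True if at least one DNS signature list in the profile uses the sinkhole action."""
    return any(
        lst.find("action/sinkhole") is not None
        for lst in profile.findall("botnet-domains/lists/entry")
    )


def profiles_without_sinkhole(xml_text):
    """The rule's verdict: profile names that would be reported in the alert."""
    root = ET.fromstring(xml_text)
    return [e.get("name")
            for e in root.findall("./result/spyware/entry")
            if not sinkhole_enabled(e)]


if __name__ == "__main__":
    for name in profile_names(SAMPLE_RESPONSE):
        print("would fetch:", profile_xpath(name))
    print("missing DNS sinkholing:", profiles_without_sinkhole(SAMPLE_RESPONSE))
```

A profile with no `botnet-domains` section at all is treated the same as one whose DNS lists only alert: neither will ever redirect a resolving client to the sinkhole address, so neither produces the traffic-log evidence the "Why is this important?" section relies on.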

PanosAntiSpywareSinkholingRule

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.paloaltonetworks

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity
/**
  * Alerts on every anti-spyware profile reported by the "panos-dns-sinkhole"
  * metric whose state is down, i.e. DNS sinkholing is not enabled for it.
  * The profile name is taken from the metric's "name" tag.
  */
case class PanosAntiSpywareSinkholingRule() extends StateDownTemplateRule(
  ruleName = "PanosAntiSpywareSinkholingRule",
  ruleFriendlyName = "Palo Alto Networks Firewalls: DNS Sinkholing is not enabled",
  ruleDescription = "Indeni will alert if DNS Sinkholing is not enabled on one of the Anti-Spyware profiles.",
  severity = AlertSeverity.WARN,
  metricName = "panos-dns-sinkhole",
  applicableMetricTag = "name",
  alertItemsHeader = "Anti-Spyware Profile Name",
  alertDescription = "DNS sinkholing helps to identify infected hosts on the protected network using DNS traffic in situations where the firewall cannot see the infected client's DNS query. Infected hosts can then be easily identified in the traffic logs because any host that attempts to connect to the sinkhole IP address is most likely infected with malware.",
  baseRemediationText = "Ensure all Anti-Spyware profiles have dns sinkholing enabled.")()