Bechara (Super Contributor)

Integrate ESM to send commands to ASA/Firewalls

Hello,

Do you have an idea how to run a script when a rule is fired?

This rule will send commands to the firewall, e.g. a Cisco ASA.


Accepted Solutions
Bechara (Super Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


I created a Python script that will run commands on the ASA, and from the rule I set the execute action to point to the script residing on the Red Hat system of ArcSight.

8 Replies
shezaf1 (Acclaimed Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


See the "Executing commands from ArcSight" section of


~ Ofer

jring1 (Frequent Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


Hi,

Ofer has pointed you in the right direction. But if you do this, be very careful not to create a DoS-able construction.

Let me just explain: imagine I am a hacker doing recon on your net, and while I'm happily port-scanning with a SYN scan (I'm on somebody else's rooted box, so I don't care about hiding) I see that I'm being blocked. That sucks, so I quickly change to another rooted box and count the packets needed to block me. Then I start to write a little script to send SYN packets with faked sender addresses to your firewall, just enough for each address to trigger your rule...

Regards,

Joachim

Bechara (Super Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


Good point, thanks.

cmhamilton211 (Respected Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


Don't forget to whitelist your critical assets from your rule/script/integration command.

shezaf1 (Acclaimed Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


Any chance you can share the script with the community?

Bechara (Super Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


Sure.

One thing to mention: the script stores the username and password in clear text.

  import time
  import paramiko

  ip = 'x.x.x.x'
  username = 'test'
  password = 'test'

  # Open an SSH session to the ASA with password auth only (no keys, no agent)
  JM = paramiko.SSHClient()
  JM.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  JM.connect(ip, username=username, password=password,
             look_for_keys=False, allow_agent=False)

  # An interactive shell is needed because enable and config mode are stateful
  ssh = JM.invoke_shell()
  output = ssh.recv(65535)  # consume the banner and first prompt

  # Enter enable mode, then config mode, and shut the interface
  for cmd in ("en\n", "conf t\n", "int g0/7\n", "shut\n"):
      ssh.send(cmd)
      time.sleep(1)  # let the device answer before sending the next command

  output = ssh.recv(65535)
  print(output.decode(errors="replace"))
  JM.close()

Next we need to create the rule, and the action should be

simon.simcic@sr (Super Contributor)

Re: Integrate ESM to send commands to ASA/Firewalls


I managed to do this with powershell:

We have prepared an object group that has a deny rule bound to it. I also needed an SSH library, which I got here:

PowerShell SSH Module for Nonstandard Devices Like Cisco ASA

param([string]$IP)   # the address to block, passed in by the ESM rule action

Import-Module SshShell
#Import-Module WASP

# Prompt patterns, so each command waits until the ASA is in the expected mode
$elevatedPrompt = "#.$"
$configPrompt = "\(config\)#.$"
$objectPrompt = "object\)#.$"

$asaIP = "xx.xxx.xxx.xxx"
$user = "xxxx"
$password = "XXXX"
#$csv = Get-Content C:\OSINT\Test\short.txt
$description ="Tor Node"
$objectId = "TOR"
#$hostIP = "1.1.1.1"
$elevatedPassword="xxxxxx"

# Log in, then enter enable mode and configuration mode
$s = New-SshSession -SshHost $asaIP -User $user -Password $password
Send-SshCommand $s "enable" -Expect "Password:"
Send-SshCommand $s $elevatedPassword -Expect $elevatedPrompt
Send-SshCommand $s "conf t" -Expect $configPrompt

#Send-SshCommand $s "no access-list in line 1 deny ip any object-group TOR"
#Send-SshCommand $s "no object-group network ExplicitDeny"

# Add the host to the deny object-group and make sure the ACL line that denies the group is first
Send-SshCommand $s "object-group network ExplicitDeny"
Send-SshCommand $s "network-object host $IP"
Send-SshCommand $s "access-list in line 1 deny ip any object-group ExplicitDeny"
Send-SshCommand $s "end" -Expect $elevatedPrompt

# Save the running config; the write produces several lines before [OK]
Send-SshCommand $s "write mem" -Expect "[OK]" -WaitUnlimitedOn "Building|Cryptochecksum|copied"
Close-SshSession $s

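A guarded wrapper for the rule action, added here as an example; it is not code from any post in this thread. It puts together the advice given above: Joachim's point that spoofed traffic must not be able to make the rule block without limit, cmhamilton211's allowlist of critical assets, and Bechara's note about clear-text credentials. The decision logic is kept separate from the SSH push so it can be tested offline; blocks are capped per time window; critical assets, loopback, unspecified and multicast sources are refused; and credentials come from environment variables (ASA_HOST, ASA_USER, ASA_PASS, ASA_ENABLE are assumed names). The object-group name ExplicitDeny and ACL name "in" follow Simon's PowerShell script; the allowlist networks and the 20-per-10-minutes cap are constructed values. A real push needs paramiko; the dry run does not.

```python
import ipaddress
import os
import time
from collections import deque

# Constructed allowlist of assets the rule must never block (cmhamilton211's point).
CRITICAL_ASSETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/24",      # constructed: internal servers
    "203.0.113.1/32",   # constructed: upstream gateway
)]


class BlockGuard:
    """Decides whether an ESM-triggered block may be pushed to the firewall."""

    def __init__(self, max_blocks=20, window_seconds=600):
        self.max_blocks = max_blocks      # assumption: a volume a human can still review
        self.window = window_seconds
        self._stamps = deque()            # times of blocks pushed in the current window

    def check(self, ip_str, now=None):
        """Return (allowed, reason); allowed=False means nothing reaches the ASA."""
        now = time.time() if now is None else now
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return False, "not an IP address"
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            return False, "not a routable source"
        if any(ip in net for net in CRITICAL_ASSETS):
            return False, "critical asset on the allowlist"
        # Drop timestamps older than the window, then apply the cap (Joachim's point):
        # a flood of spoofed triggers stops here instead of filling the firewall.
        while self._stamps and now - self._stamps[0] > self.window:
            self._stamps.popleft()
        if len(self._stamps) >= self.max_blocks:
            return False, "block rate limit reached, escalate to a human"
        self._stamps.append(now)
        return True, "ok"


def asa_block_commands(ip_str, group="ExplicitDeny", acl="in"):
    """CLI lines that add a host to a deny object-group, as in the PowerShell post."""
    return [
        "conf t",
        f"object-group network {group}",
        f"network-object host {ip_str}",
        f"access-list {acl} line 1 deny ip any object-group {group}",
        "end",
        "write mem",
    ]


def push_to_asa(commands, dry_run=True):
    """Send the commands over SSH; credentials come from the environment, not the file."""
    if dry_run:
        return commands
    import paramiko  # only needed for a real push
    client = paramiko.SSHClient()
    client.load_system_host_keys()                              # trust only known hosts
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # never auto-add a key
    client.connect(os.environ["ASA_HOST"], username=os.environ["ASA_USER"],
                   password=os.environ["ASA_PASS"], look_for_keys=False, allow_agent=False)
    shell = client.invoke_shell()
    shell.recv(65535)                                            # banner and first prompt
    for cmd in ["enable", os.environ["ASA_ENABLE"]] + commands:
        shell.send(cmd + "\n")
        time.sleep(1)                                            # let the ASA answer
    out = shell.recv(65535).decode(errors="replace")
    client.close()
    return out


def handle_rule_action(ip_str, guard, dry_run=True):
    """Entry point the ESM execute action would call with the offending address."""
    allowed, reason = guard.check(ip_str)
    if not allowed:
        return {"blocked": False, "reason": reason}
    return {"blocked": True, "commands": push_to_asa(asa_block_commands(ip_str), dry_run)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.7"  # constructed sample
    print(handle_rule_action(target, BlockGuard()))
```

Run it with the address as the first argument; without `dry_run=False` it only prints the command list it would have sent, which is the mode to use while building the rule. When the guard refuses, the returned reason is what the rule should write to a notification or case rather than silently dropping the event.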