cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2554
Views
0
Helpful
8
Replies

FireSight PIX Shun Remediation Module Error

awysocki
Level 1
Level 1

In my previous post, I was able to successfully load the PIX remediation v1.1 module into FMC running 6.0.1. I have since tried actually running the SHUN remediation against two firewalls, but am running into an error, and I'm hoping someone on the board may have this functioning in their environment.

Purpose: Not all of our firewalls have Sourcefire installed, however, when we detect an SQL attack occurring as an IPS event, our goal is to connect to the internet facing ASA's and enable a SHUN on the source IP of the attacker.

Setup: I've installed the PIX Shun module ver 1.1. I was able to create 2 instances (aka 2 firewall connections). Within each instance, I've created a remediation type 'Block Source'.  Under Policies->Correalation->Rule management, I've created a rule: If an intrusion event occurs, and it meets conditions where the Rule Message contains the string SQL, as well as some source/destination inclusions. Under policy management, I've created an entry, included the previous rule, and for responses, have included the 2 Pix Shun remediations, as well as email alerts to confirm when it occurs.

Verification: From the FMC console, I successfully SSH'd to both firewalls, logged in using the assigned credentials, and was able to execute the SHUN command. So in my opinion this piece is verified.

I had the rule with email remediations setup for over a week, and have successfully received emails when SQL attacks occur. So I'm able to rule out this part of the setup.  I only recently added the SHUN responses.

Results: On the first SQL attack, under Analysis->Correlation->Status, for the SHUN's, I received the result message "Error with input provided to remediation exec program"

I've read through the Remediation API guide for assistance. Within the Syslog, I see the following results:

May 18 2016 08:03:34 hostname msmtp: host=<email server> tls=off auth=off from=hostname@site.com recipients=me@work mailsize=588 smtpstatus=250 smtpmsg='250 2.6.0 [InternalId=16068633] Queued mail for delivery' exitcode=EX_OK 
May 18 2016 08:03:36 hostname SF-IMS[4150]: [4150] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (1) (remediation = SQL-ATTACK-FW-01) (policy_sensor_id = 0) (policy_tv_sec = 1463573013) (policy_event_id = 29) 
May 18 2016 08:03:36 hostname SF-IMS[4150]: [4150] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (1) (remediation = SQL-ATTACK-FW-02) (policy_sensor_id = 0) (policy_tv_sec = 1463573013) (policy_event_id = 29) 

I dug into the Constants.pm file in the module, and Exit code 1 notes an INPUT_ERR (with the comment Command Line Error).  I am able to confirm that the FMC did not attempt a connection to the firewalls as we have tacacs auditing, and there were no attempts. Seeing as it's the first error, it doesn't appear the event is even taking flight.

I checked the instance.conf file for each firewall under the /var/sf/remediations/cisco_pix_1.1/<firewall name>/ directory, and the IP, username, password, and enable password all appear correct. As well, the remediation shows up as well for blocksource. No edits were made to the original files of the module itself.

Possible items that come to mind:

1)Username may not comply?  (I have an underscore in the name, however, when checking the regex constraints for username, it should be ok).

2) Password has invalid characters? (I have tried a new password and am waiting on another attack, sadly, I'm not aware of a way to trigger a test event, if anyone knows of a way, please let me know).

3) The src_ip_addr may not be captured/passed along properly from the IPS event? (this is just a guess, and I'm guessing would need Tac to assist).

If the username or password are the issue, then I'll advise if it fixes the issue. However, if it's not that, I'm hoping someone may have ran into this and has a fix or some suggestions handy? Perhaps if there's some additional log/troubleshooting that can review what variables are being sent from the FMC to the remediation module, this could also pinpoint the issue? Your help is appreciated. 

Thanks in advance.

8 Replies 8

gbercsenyi
Level 1
Level 1

Hi,

Do you have any update on this topic?

Unfortunately I've got the same results.

Thank you,

Gabor

Nothing good unfortunately. I was told the framework changed between 5.x and 6.x, and the method used for PIX SHUN was based on 5.x. I was told to check this support forum and maybe someone would be able to assist. So far, I haven't seen anything.

Same here, upgrading to 6.1 broke my PIX remediation module I relied on. Totally broke my configuration... 

Hi,

Unfortunately I am not programmer either. But the first issue what we realized that if we login to FMC on CLI interface we can not ssh over to ASA. We could modify the config: ":/etc/ssh/ssh_config"

----ADDED PART-----

Host X.X.X.X (ASA IP address)
ForwardAgent no
ForwardX11 no
KexAlgorithms diffie-hellman-group1-sha1
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr
Tunnel no
GatewayPorts no

----ORIG PART-----

Host *
ForwardAgent no
ForwardX11 no

After this modification the FMC could SSH to the ASA-s. 

The shun script can be moved over from the old FMC (Firesight 5.4) and you can add the script over the GUI.

You can tweak the scripts here: /var/sf/remediations/cisco_pix_1.1/

I hope this helps us someone who could solve this issue.

I have attached the cisco_pix.tgz remediation module from Firesight 5.4.

 

I turned the module back on, and again with the same syslog error:

Apr 05 2017 19:31:32 FIRESIGHT SF-IMS[6119]: [6119] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (1) (remediation = ATTACK-FW-1) (policy_sensor_id = 0) (policy_tv_sec = 1491435091) (policy_event_id = 43)
Apr 05 2017 19:31:32 FIRESIGHT SF-IMS[6119]: [6119] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (1) (remediation = ATTACK-FW-2) (policy_sensor_id = 0) (policy_tv_sec = 1491435091) (policy_event_id = 43)

As per my original post, the FireSight manager didn't even attempt an SSH session to the firewalls. It's likely the variables that are passed to the module are not functioning under the new framework, and they exit (status 1). Ultimately we need someone who programs and understands the new framework to be able to update the module to allow for the variables to pass correctly to the manager, then to SSH to the firewall, and execute the SHUN command.  Is there anybody out there?

tneuhuber
Level 1
Level 1

hi, it seems that i have same issue :-(

we are on fsmc 6.1.0.1.

Response Email is sent out, but no null route set on the ios router, no access registered on the device!

Does anyone have idea, how the troubleshoot the issue?

br, thomas

I received an email from sac-support. They had referred me to the 5.4 remediation API guide.

(http://www.cisco.com/c/en/us/td/docs/security/firesight/540/api/remediation/FireSIGHT-System-Remediation-API-Guide/WritingRemedClients.html)

I'm not a programmer, so if there are some keen and willing API writers out there, maybe they could assist in building a new ASA module under the 6.x framework. At least 3 of us would greatly appreciate it.

Hello guys, were you able to fix this? I am currently developing remediation modules for FMC 6.X and I am having this error, there seems to be no answer out there.

```
Mar 30 20:29:11 rmorenot-fmc SF-IMS[5947]: [5947] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (11) (remediation = BlacklistSourceRemediationV2) (policy_sensor_id = 0) (policy_tv_sec = 1585600151) (policy_event_id = 45163)
Mar 30 20:29:13 rmorenot-fmc SF-IMS[5947]: [5947] SFRemediateD:SFRemediateD [WARN] ChildHandler.c:386:updateLogEntry(): Non-zero exit status (11) (remediation = BlacklistSourceRemediationV2) (policy_sensor_id = 0) (policy_tv_sec = 1585600153) (policy_event_id = 45165)
```

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: