Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2662
Views
5
Helpful
8
Replies

Submit captured file for dynamic analysis

Kfir Mesika
Level 1
Level 1

‎01-18-2017 06:07 AM - edited ‎03-12-2019 06:15 AM

Hello,

I got firepower management center virtual 6.0.1 ,

and asa with firepower services 5555-x 6.0.0.1.

I have malware license.

My question is - which device is submiting the unknown captured file to dynamic analysis (cisco sandbox in the cloud) and where the file is stored?

When I am trying to submit a file to dynamic analysis from the management center manualy, in the capture files analysis page, I see that the Dynamic Analysis Status is 'Device Not Activared'.

Another thing , which is very odd, I can see a Threat Score only for MSOLE2-Office Document.

I am also attaching a screen shot of the management center.

Regards. 

1 person had this problem
Labels:
Preview file
24 KB
0 Helpful
8 Replies 8

Pranay Prasoon
Level 3
Level 3

‎01-18-2017 09:25 AM

In 6.x, ThreatGrid is used for Dynamic Analysis:

panacea.threatgrid.com

 

Access is needed from both Firepower and Firesight to threadgrid so that the files are sent from Firepower for dynamic analysis. The Firesight Manager then queries the cloud for the results of that analysis so it can populate the database accordingly.

Please make sure firepower can connect to this, you can check this by going to the CLI of the SFR module on your active ASA and from the expert,issue the following command

sudo curl -v panacea.threatgrid.com:443

Kfir Mesika
Level 1
Level 1
In response to Pranay Prasoon

‎01-18-2017 12:34 PM

Thank you very much, I will check and update you if the status of dynamic analysis wont be Device not Activated.

In addition, I'm trying to enable in the Network Analysis Policy the Rate-Based prevention For simultaneous connection. I want to protect my internal web server from ddos attack, so i configured it for destination rate-based protection and I did not checked the drop option in order to check the operation of this configuration.

From cisco documentation what i understand is that it will block attacks per source ip individualy.

I did not enabled the GID"135" from the intrusion policy.

In the intrusion events we could see alot of events from that rate-based singature.

One time the rate-based blocked one IP address even though I did not checked the drop option.

The block event happend for traffic that matched a rule with 'drop when inline' intrusion policy. - I dont know if it is related.

Maybe you can explain to me how to configure it correctly and what are the effects of each configuration?

One more question - why in the rate based you can only configure how many connections but you do not have the option to configure the time interval?

Thank you for the help.

0 Helpful

Kfir Mesika
Level 1
Level 1
In response to Pranay Prasoon

‎01-18-2017 12:40 PM

What is the correct output that i should see from the command:

sudo curl -v panacea.threatgrid.com:443  ?

Thanks.

0 Helpful

Pranay Prasoon
Level 3
Level 3
In response to Kfir Mesika

‎01-18-2017 09:47 PM

The output will shows you activities when firepower tries to connect to threadgrid and if connection is failure or success. Something like this in case of failure

* Recv failure: Connection reset by peer
* Closing connection 0

0 Helpful

Kfir Mesika
Level 1
Level 1
In response to Pranay Prasoon

‎01-18-2017 10:49 PM

* Rebuilt URL to: panacea.threatgrid.com:443/
* Trying 199.36.143.68...
* Connected to panacea.threatgrid.com (199.36.143.68) port 443 (#0)
> GET / HTTP/1.1
> Host: panacea.threatgrid.com:443
> User-Agent: curl/7.42.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.0 (Ubuntu)
< Date: Thu, 19 Jan 2017 06:48:39 GMT
< Content-Type: text/html
< Content-Length: 280
< Connection: close
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0

Is this ok?

0 Helpful

Pranay Prasoon
Level 3
Level 3
In response to Kfir Mesika

‎01-18-2017 10:56 PM

yes, it can connect.  You did the test on firepower module or FMC?

0 Helpful

Kfir Mesika
Level 1
Level 1
In response to Pranay Prasoon

‎01-18-2017 11:15 PM

Not yet, I will test it next week.

I will update you/

thanks.

0 Helpful

mdieken011
Level 1
Level 1
In response to Pranay Prasoon

‎02-21-2018 09:32 AM

I have the same issue.  I have the same result from the curl command.  From the Dynamic Analysis Status I see a "Device Not Activated" when I try to analyze the file.

 

admin@cisco-fmc:~$ sudo curl -v panacea.threatgrid.com:443
Password:
* Rebuilt URL to: panacea.threatgrid.com:443/
*   Trying 4.14.36.148...
* Connected to panacea.threatgrid.com (4.14.36.148) port 443 (#0)
> GET / HTTP/1.1
> Host: panacea.threatgrid.com:443
> User-Agent: curl/7.48.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.0 (Ubuntu)
< Date: Wed, 21 Feb 2018 16:49:55 GMT
< Content-Type: text/html
< Content-Length: 280
< Connection: close
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0
admin@cisco-fmc:~$

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card