Submit captured file for dynamic analysis

Kfir Mesika
Level 1

Hello,

I have Firepower Management Center Virtual 6.0.1,

and an ASA 5555-X with FirePOWER Services 6.0.0.1.

I have a Malware license.

My question is: which device submits the unknown captured file to dynamic analysis (the Cisco sandbox in the cloud), and where is the file stored?

When I try to submit a file to dynamic analysis manually from the Management Center, in the captured files analysis page, I see that the Dynamic Analysis Status is 'Device Not Activated'.

Another thing, which is very odd: I can see a Threat Score only for MSOLE2-Office Document.

I am also attaching a screenshot of the Management Center.

Regards.

8 Replies

Pranay Prasoon
Level 3

In 6.x, ThreatGrid is used for Dynamic Analysis:

panacea.threatgrid.com

Access is needed from both Firepower and FireSIGHT to ThreatGrid, so that the files are sent from Firepower for dynamic analysis. The FireSIGHT Manager then queries the cloud for the results of that analysis so it can populate the database accordingly.

Please make sure Firepower can connect to this. You can check this by going to the CLI of the SFR module on your active ASA and, from expert mode, issuing the following command:

sudo curl -v panacea.threatgrid.com:443

Thank you very much. I will check and update you if the status of dynamic analysis is no longer Device Not Activated.

In addition, I'm trying to enable Rate-Based Prevention for simultaneous connections in the Network Analysis Policy. I want to protect my internal web server from DDoS attacks, so I configured it for destination rate-based protection, and I did not check the drop option, in order to check the operation of this configuration.

From the Cisco documentation, what I understand is that it will block attacks per source IP individually.

I did not enable GID "135" in the intrusion policy.

In the intrusion events we could see a lot of events from that rate-based signature.

One time the rate-based prevention blocked one IP address even though I did not check the drop option.

The block event happened for traffic that matched a rule with a 'drop when inline' intrusion policy. I don't know if it is related.

Maybe you can explain to me how to configure it correctly and what the effects of each configuration are?

One more question: why in the rate-based configuration can you only configure how many connections, but you do not have the option to configure the time interval?

Thank you for the help.

What is the correct output that I should see from the command:

sudo curl -v panacea.threatgrid.com:443 ?

Thanks.

The output will show you the activity when Firepower tries to connect to ThreatGrid, and whether the connection fails or succeeds. Something like this in case of failure:

* Recv failure: Connection reset by peer
* Closing connection 0

* Rebuilt URL to: panacea.threatgrid.com:443/
* Trying 199.36.143.68...
* Connected to panacea.threatgrid.com (199.36.143.68) port 443 (#0)
> GET / HTTP/1.1
> Host: panacea.threatgrid.com:443
> User-Agent: curl/7.42.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.0 (Ubuntu)
< Date: Thu, 19 Jan 2017 06:48:39 GMT
< Content-Type: text/html
< Content-Length: 280
< Connection: close
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0

Is this ok?

Yes, it can connect. Did you do the test on the Firepower module or the FMC?
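The curl check above is a TCP-reachability probe: a bare host:443 URL makes curl send plaintext HTTP to the TLS port, so the nginx "400 ... plain HTTP request was sent to HTTPS port" reply proves that a TCP connection reached the ThreatGrid front end, and nothing more (no TLS handshake, no certificate validation, no proxy behaviour is exercised). Since the reply earlier in the thread says both the sensor and the FMC need this access, the following is an added example (not from the thread, not Cisco's tooling) of a small POSIX shell script that runs the same probe from whichever box it is on and classifies the verbose output. The sample outputs inside it are constructed from the transcripts pasted in this thread; the classification labels, the `--max-time` value and the optional HTTPS variant are my own choices.

```shell
#!/bin/sh
# Added example: classify the output of
#   sudo curl -v panacea.threatgrid.com:443
# as run from the FMC shell or from the SFR module's expert shell.
# Labels and sample transcripts below are assumptions/constructed for
# illustration; only the hostname comes from the thread.

THREATGRID_HOST="panacea.threatgrid.com"

# classify_curl_output: read "curl -v" output on stdin, print one label:
#   REACHABLE          - TCP connected and the ThreatGrid nginx answered
#   REFUSED            - reset or refused (a firewall/proxy in the path)
#   DNS_FAILURE        - the hostname did not resolve on this box
#   TIMEOUT            - no answer at all (silently dropped)
#   CONNECTED_NO_REPLY - TCP connected but no HTTP reply seen
#   UNKNOWN            - none of the known markers present
# The reset/refused markers are tested before the "Connected to" marker
# because a reset transcript also contains a "Connected to" line.
classify_curl_output() {
    out=$(cat)
    case "$out" in
        *"Could not resolve host"*)                             echo DNS_FAILURE ;;
        *"Connection timed out"*|*"Operation timed out"*)       echo TIMEOUT ;;
        *"Connection reset by peer"*|*"Connection refused"*)    echo REFUSED ;;
        *"Connected to $THREATGRID_HOST"*"400 Bad Request"*)    echo REACHABLE ;;
        *"Connected to $THREATGRID_HOST"*)                      echo CONNECTED_NO_REPLY ;;
        *)                                                      echo UNKNOWN ;;
    esac
}

# run_check: the live probe, same shape as the thread's command. The thread
# prefixed it with sudo because of the appliance admin shell; add it if needed.
# Verbose output goes to stderr, hence 2>&1.
run_check() {
    curl -sv --max-time 15 "$THREATGRID_HOST:443" 2>&1 | classify_curl_output
}

# run_tls_check: my suggested follow-up (not in the thread): an https:// URL
# makes curl perform the TLS handshake too, so a failure here with a
# REACHABLE result above points at TLS interception or certificate problems.
run_tls_check() {
    curl -sv --max-time 15 "https://$THREATGRID_HOST/" 2>&1 | classify_curl_output
}

# Constructed sample transcripts, trimmed from the outputs posted in the thread.
sample_reachable() {
cat <<'EOF'
* Rebuilt URL to: panacea.threatgrid.com:443/
*   Trying 4.14.36.148...
* Connected to panacea.threatgrid.com (4.14.36.148) port 443 (#0)
> GET / HTTP/1.1
> Host: panacea.threatgrid.com:443
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.0 (Ubuntu)
<
* Closing connection 0
EOF
}

sample_reset() {
cat <<'EOF'
* Rebuilt URL to: panacea.threatgrid.com:443/
*   Trying 4.14.36.148...
* Connected to panacea.threatgrid.com (4.14.36.148) port 443 (#0)
> GET / HTTP/1.1
* Recv failure: Connection reset by peer
* Closing connection 0
EOF
}

sample_dns() {
cat <<'EOF'
* Could not resolve host: panacea.threatgrid.com
* Closing connection 0
EOF
}

# Stand-alone demonstration on the constructed samples (no network needed).
if [ "${1:-}" = "--demo" ]; then
    printf 'reachable sample: %s\n' "$(sample_reachable | classify_curl_output)"
    printf 'reset sample:     %s\n' "$(sample_reset | classify_curl_output)"
    printf 'dns sample:       %s\n' "$(sample_dns | classify_curl_output)"
fi
```

Run it with `--demo` to see the classifier on the constructed samples, or call `run_check` (and `run_tls_check`) from the FMC and from the SFR module's expert shell; only a REACHABLE result on both boxes matches the "yes, it can connect" reading above, and a REACHABLE plain probe with a failing HTTPS probe is the case the bare host:443 command cannot distinguish.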

Not yet, I will test it next week.

I will update you.

thanks.

I have the same issue. I have the same result from the curl command. In the Dynamic Analysis Status I see "Device Not Activated" when I try to analyze the file.

admin@cisco-fmc:~$ sudo curl -v panacea.threatgrid.com:443
Password:
* Rebuilt URL to: panacea.threatgrid.com:443/
*   Trying 4.14.36.148...
* Connected to panacea.threatgrid.com (4.14.36.148) port 443 (#0)
> GET / HTTP/1.1
> Host: panacea.threatgrid.com:443
> User-Agent: curl/7.48.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.10.0 (Ubuntu)
< Date: Wed, 21 Feb 2018 16:49:55 GMT
< Content-Type: text/html
< Content-Length: 280
< Connection: close
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0
admin@cisco-fmc:~$
