WildFire Cloud File Analysis

Transcription

1 WildFire Cloud File Analysis The following topics describe the different methods for sending files to the WildFire Cloud for analysis. Forward Files to the WildFire Cloud Verify Firewall File Forwarding to the WildFire Cloud Upload Files to the WildFire Cloud Portal Upload Files and Query WildFire Using the WildFire API WildFire Administrator s Guide 39

2 Forward Files to the WildFire Cloud WildFire Cloud File Analysis Forward Files to the WildFire Cloud To configure a firewall to automatically submit files to the WildFire Cloud, you must configure a file blocking profile with the forward or continue-and-forward action and then attach it to the security rule(s) that you want to trigger inspection for zero-day malware. For example, you could configure a policy with a file blocking profile that triggers the firewall to forward a specific file type, or all supported file types that users attempt to download during a web-browsing session. Forwarding of encrypted files is also supported provided that SSL decryption is configured on the firewall and the option to forward encrypted files is enabled. If your firewalls are managed by Panorama, simplify WildFire administration by using Panorama Templates to push the WildFire server information, allowed file size, and the session information settings to the firewalls. Use Panorama device groups to configure and push file blocking profiles and security policy rules. Starting with PAN-OS 6.0, the WildFire logs show which WildFire system each firewall used for file analysis (WildFire cloud, WF-500 appliance, and/or the WildFire Japan cloud). If there is a firewall between the firewall that is forwarding files to WildFire and the WildFire cloud or WildFire appliance, make sure that the firewall in the middle has the necessary ports allowed. WildFire cloud: Uses port 443 for registration and file submissions. WildFire appliance: Uses port 443 for registration and for file submissions. Perform the following steps on each firewall that will forward files to WildFire: Configure a File Blocking Profile and Add it to a Security Profile Step 1 Verify that the firewall has valid Threat Prevention and WildFire subscriptions and that dynamic updates are scheduled and up-to-date. Having a WildFire subscription provides many benefits, such as forwarding of advanced file types, receiving WildFire signatures within 15 minutes, and more. For details, see WildFire Subscription Requirements. 1. Select Device > Licenses and confirm that the firewall has valid WildFire and Threat Prevention subscriptions. 2. Select Device > Dynamic Updates and click Check Now to ensure that the firewall has the most recent Antivirus, Applications and Threats, and WildFire updates. 3. If the updates are not scheduled, schedule them now. Be sure to stagger the update schedules because only one update can be performed at a time. See Best Practices for Keeping Signatures up to Date for recommended settings. When configuring a WildFire signature update schedule, you must enter a value other than zero in the Minutes Past Hour field. 40 WildFire Administrator s Guide

3 WildFire Cloud File Analysis Forward Files to the WildFire Cloud Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 2 Step 3 Configure the file blocking profile to define which applications and file types will trigger forwarding to WildFire. If you choose PE in the objects profile File Types column to select a category of file types, do not also add an individual file type that is part of that category because this will result in redundant entries in the Data Filtering logs. For example, if you select PE, there is no need to select exe because it is part of the PE category. This also applies to the zip file type, because supported file types that are zipped are automatically sent to WildFire. If you would like to ensure that all supported Microsoft Office file types are forwarded, it is recommended that you choose the category msoffice. Choosing a category rather than an individual file type also ensures that as new file type support is added to a given category, they are automatically made part of the file blocking profile. If you select Any, all supported file types will be forwarded to WildFire. (Optional) Enable response pages to allow users to decide whether to forward a file. If the continue-and-forward action is configured for any file type, you must enable the response page option on the ingress interface (the interface that first receives traffic for your users). 1. Select Objects > Security Profiles > File Blocking. 2. Click Add to add a new profile and enter a Name and Description. 3. Click Add in the File Blocking Profile window and then click Add again. Click in the Names field and enter a rule name. 4. Select the Applications that will match this profile. For example, selecting web-browsing as the application will cause the profile to match any application traffic identified as web-browsing. 5. In the File Type field, select the file types that will trigger the forwarding action. Choose Any to forward all file types supported by WildFire or select PE to only forward Portable Executable files. 6. In the Direction field select upload, download, or both. The both option will trigger forwarding whenever a user attempts to upload or download a file. 7. Define an Action as follows: Forward The firewall will automatically forward any files matching this profile to WildFire for analysis in addition to delivering the file to the user. Continue-and-forward The user is prompted and must click continue before the download occurs and the file is forwarded to WildFire. Because this action requires user interaction with a web browser, it is only supported for web-browsing applications. 8. Click OK to save. 1. Select Network > Network Profiles > Interface Mgmt and either add a new profile or edit an existing profile. 2. Click the Response Pages check box to enable. 3. Click OK to save the profile. 4. Select Network > Interfaces and then edit the Layer 3 interface or VLAN interface that is the ingress interface. 5. On the Advanced tab, select the Interface Mgmt profile that has the response page option enabled. 6. Click OK to save. WildFire Administrator s Guide 41

4 Forward Files to the WildFire Cloud WildFire Cloud File Analysis Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 4 Step 5 Step 6 Step 7 Enable forwarding of decrypted content. To forward SSL encrypted files to WildFire, the firewall must have a decryption policy and have forwarding of decrypted content enabled. Only a superuser can enable this option. Attach the file blocking profile to a security policy. (Optional) Modify the maximum file size allowed for upload to WildFire. (Optional) Modify session options that define what session information to record in WildFire analysis reports. 1. Select Device > Setup > Content-ID. 2. Click the edit icon for the URL Filtering options and enable Allow Forwarding of Decrypted Content. 3. Click OK to save the changes. If the firewall has multiple virtual systems, you must enable this option per VSYS. In this situation, select Device > Virtual Systems, click the virtual system to be modified and select the Allow Forwarding of Decrypted Content check box. 1. Select Policies > Security. 2. Click Add to create a new policy for the zones to which to apply WildFire forwarding, or select an existing security policy. 3. On the Actions tab, select the File Blocking profile from the drop-down. If this security rule does not have any profiles attached to it, select Profiles from the Profile Type drop-down to enable selection of a file blocking profile. 1. Select Device > Setup > WildFire. 2. Click the General Settings edit icon. 3. Set the maximum size that will be sent for each file type. 1. Click the Session Information Settings edit icon. 2. By default, all session information items will display in the reports. Clear the check boxes that correspond to any fields to remove from the WildFire analysis reports. 3. Click OK to save the changes. 42 WildFire Administrator s Guide

5 WildFire Cloud File Analysis Forward Files to the WildFire Cloud Configure a File Blocking Profile and Add it to a Security Profile (Continued) Step 8 (PA-7050 only) Enable logging to the PA-7050 firewall. If you are configuring a PA-7050 firewall, a data port on one of the NPCs must be configured as a log card interface. This is due to the traffic/logging capabilities of the PA-7050 to avoid overwhelming the MGT port. When a data port is configured as type Log Card, log forwarding and WildFire file forwarding will be sent through the Log Card port instead of using the default service route. This port will be used by the log card directly and will act as a log forwarding port for Syslog, , SNMP, and WildFire file forwarding. After the port is configured, WildFire file forwarding will use this port, as well as the following log types: traffic, HIP match, threat, and WildFire logs. If the port is not configured, a commit error will be displayed and only one port can be configured with the Log Card type. The MGT port cannot be used for forwarding samples to WildFire, even if you configure a service route. The PA-7050 does not forward logs to Panorama. Panorama will query the PA-7050 log card for log information. 1. Select Network > Interfaces and locate an available port on an NPC. 2. Select the port and change the Interface Type to Log Card. 3. In the Log Card Forwarding tab, enter IP information (IPv4 and/or IPv6) for the network that is used to communicate with the systems that you will use to receive logs. For example: Syslog servers and servers. For WildFire file forwarding ensure connectivity to the WildFire cloud or a WildFire appliance. 4. Connect the newly configured port to a switch or router. There is no other configuration needed. The PA-7050 will use this port as soon as it is activated. Step 9 Commit the configuration. Click Commit to apply the settings. During security policy evaluation, all files that meet the criteria defined in the file blocking policy will be forwarded to WildFire for analysis. For information on viewing reports for files that have been analyzed, see WildFire Reporting. For information on verifying the configuration, see Verify Firewall File Forwarding to the WildFire Cloud. WildFire Administrator s Guide 43

6 Verify Firewall File Forwarding to the WildFire Cloud WildFire Cloud File Analysis Verify Firewall File Forwarding to the WildFire Cloud This section describes the steps required to verify the WildFire configuration on the firewall. For information on a test file that can be used during the verification process, see Malware Test Samples. Verify the WildFire Configuration on the Firewall Step 1 Step 2 Check the WildFire and Threat Prevention subscriptions and WildFire registration. Confirm that the firewall is sending files to the correct WildFire system. 1. Select Device > Licenses and confirm that a valid WildFire and Threat Prevention subscription is installed. If valid licenses are not installed, go to the License Management section and click Retrieve license keys from the license server. 2. To check that the firewall can communicate with a WildFire system, so files can be forwarded to it for analysis, run the following CLI command: admin@pa-200> test wildfire registration In the following output, the firewall is pointing to the WildFire cloud. If the firewall is pointing to a WildFire appliance, it will show the FQDN or IP address of the appliance. Test wildfire wildfire registration: successful download server list: successful select the best server: s1.wildfire.paloaltonetworks.com 3. If problems persist with the licenses, contact your reseller or Palo Alto Networks System Engineer to confirm each license and to get a new authorization code if required. 1. To determine where the firewall is forwarding files (to the Palo Alto Networks WildFire cloud or to a WildFire appliance), select Device > Setup > WildFire. 2. Click the General Settings edit button. 3. If the firewall is forwarding files to the WildFire cloud, this field should show wildfire-public-cloud for the U.S. based WildFire cloud, or wildfire.paloaltonetworks.jp for the Japan based WildFire cloud. If the firewall forwards files to a WildFire appliance, the IP address or FQDN of the WildFire appliance will be displayed. In Panorama, the default cloud name is wildfire-public-cloud. The best way to set the WildFire Server field back to the default cloud is to clear the field and click OK. The wildfire-default-cloud setting will then be applied. 44 WildFire Administrator s Guide

7 WildFire Cloud File Analysis Verify Firewall File Forwarding to the WildFire Cloud Verify the WildFire Configuration on the Firewall (Continued) Step 3 Check the logs. 1. Select Monitor > Logs > Data Filtering. 2. Confirm that files are being forwarded to WildFire by viewing the Action column: Forward Indicates that the file was successfully forwarded by the file blocking profile and security policy. Wildfire-upload-success Indicates that the file was sent to WildFire. This means the file is not signed by a trusted file signer and it has not been previously analyzed by WildFire. Wildfire-upload-skip Indicates that the file was identified as eligible to be sent to WildFire by a file blocking profile/security policy, but did not need to be analyzed by WildFire because it has already been analyzed previously. In this case, the forward action will appear in the Data Filtering log because it was a valid forward action, but it was not sent to WildFire and analyzed because the file has already been sent to the WildFire cloud from another session, possibly from another firewall. 3. View the WildFire logs by selecting Monitor > Logs > WildFire Submissions. If WildFire logs are listed, the firewall is successfully forwarding files to WildFire and WildFire is returning file analysis results. For more information on WildFire-related logs, see WildFire Logs. Step 4 Check the file blocking policy. 1. Select Objects > Security Profiles > File Blocking and click the file blocking profile to modify it. 2. Confirm that the action is set to forward or continue-and-forward. If set to continue-and-forward, only http/https traffic will be forwarded because this is the only type of traffic that allows for prompting the user to click continue. Step 5 Check the security policy. 1. Select Policies > Security and click the security policy rule that triggers file forwarding to WildFire. 2. Click the Actions tab and ensure that the file blocking policy is selected in the File Blocking drop-down. WildFire Administrator s Guide 45

8 Verify Firewall File Forwarding to the WildFire Cloud WildFire Cloud File Analysis Verify the WildFire Configuration on the Firewall (Continued) Step 6 Check the WildFire status. admin@pa-200> show wildfire status When forwarding files to the WildFire cloud, the output should look similar to the following: Connection info: Wildfire cloud: public cloud Status: Idle Best server: s1.wildfire.paloaltonetworks.com Device registered: yes Valid wildfire license: yes Service route IP address: Signature verification: enable Server selection: enable Through a proxy: no Forwarding info: file size limit for pe (MB): 10 file size limit for jar (MB): 1 file size limit for apk (MB): 2 file size limit for pdf (KB): 500 file size limit for ms-office (KB): file idle time out (second): 90 total file forwarded: 1 file forwarded in last minute: 0 concurrent files: 0 If the firewall is forwarding files to a WildFire appliance, the Wildfire cloud: field will display the IP address or FQDN of the appliance and Best server: will not display a value. Step 7 Check the WildFire statistics. Use the following command to check statistics to determine if the values have incremented: admin@pa-200> show wildfire statistics The following displays the output of a working firewall. If no values display, the firewall is not forwarding files. Packet based counters: Total msg rcvd: 599 Total bytes rcvd: Total msg read: 599 Total bytes read: Total files received from DP: 2 Counters for file cancellation: Counters for file forwarding: file type: apk file type: pdf FWD_CNT_LOCAL_FILE 1 FWD_CNT_REMOTE_FILE 1 file type: ms-office file type: pe FWD_CNT_LOCAL_FILE 1 FWD_CNT_REMOTE_DUP_CLEAN 1 file type: jar file type: unknown file type: pdns Error counters: FWD_ERR_UNKNOWN_QUERY_RESPONSE 4 FWD_ERR_CONN_FAIL 8 Reset counters: DP receiver reset cnt: 2 File cache reset cnt: 3 Service connection reset cnt: 1 Log cache reset cnt: 3 Report cache reset cnt: 3 Resource meters: data_buf_meter 0% msg_buf_meter 0% ctrl_msg_buf_meter 0% File forwarding queues: priority: 1, size: 0 priority: 2, size: 0 46 WildFire Administrator s Guide

9 WildFire Cloud File Analysis Verify Firewall File Forwarding to the WildFire Cloud Verify the WildFire Configuration on the Firewall (Continued) Step 8 Check dynamic updates status and schedules to ensure that the firewall is automatically receiving signatures generated by WildFire. When configuring a WildFire signature update schedule, you must enter a value other than zero in the Minutes Past Hour field. See Best Practices for Keeping Signatures up to Date 1. Select Device > Dynamic Updates. 2. Ensure that Antivirus, Applications and Threats, and WildFire have the most recent updates and that a schedule is set for each item. Stagger the update schedules because only one update can be performed at a time. 3. Click Check Now at the bottom of the windows to see if any new updates are available, which also confirms that the firewall can communicate with updates.paloaltonetworks.com. If the firewall does not have connectivity to the update server, download the updates directly from Palo Alto Networks. Log in to the Palo Alto Networks Support and in the Manage Devices section, click Dynamic Updates to see available updates. WildFire Administrator s Guide 47

10 Upload Files to the WildFire Cloud Portal WildFire Cloud File Analysis Upload Files to the WildFire Cloud Portal All Palo Alto Networks customers with a support account can manually upload files to the Palo Alto Networks WildFire portal for analysis. The WildFire portal supports manual upload of all supported file types. The following procedure describes the steps to upload files manually: Manual Upload to WildFire Step 1 Upload a file to be analyzed by WildFire. 1. Log in to the WildFire Portal at one of the following URLs: or 2. Click the Upload File button near the upper right side of the page and click Choose File. 3. Navigate to the file, highlight it, and then click Open. The file name will appear next to Choose File. 4. Click the Upload button to upload the file to WildFire. If the file uploads successfully, an Uploaded File Information pop-up similar to the following will display: 5. Close the Uploaded File Information pop-up. Step 2 View the analysis results. It will take approximately five minutes for WildFire to complete a file analysis. Because a manual upload is not associated with a specific firewall, manual uploads will appear separately from your registered firewalls and will not show session information in the reports. 1. Refresh the portal page from your browser. 2. A Manual line item will be displayed in the Device list of your portal page and the analysis result Malware or Benign will also be displayed. Click the word Manual. 3. The report page will show a list of all files that have been uploaded to your account. Find the uploaded file and click the detail icon to the left of the date field. The portal displays a full report of the file analysis detailing the observed file behavior, including the user that was targeted, the application that delivered the malware, and all URLs involved in the delivery or phone-home activity of the sample. If WildFire identifies the file as malware, it generates a signature, which will be distributed to all Palo Alto Networks firewalls configured for Threat Prevention. Firewalls with a WildFire subscription can download these signatures on a sub-hourly basis. 48 WildFire Administrator s Guide

11 WildFire Cloud File Analysis Upload Files and Query WildFire Using the WildFire API Upload Files and Query WildFire Using the WildFire API The WildFire API enables you to programmatically send file analysis jobs to the WildFire cloud and query the system for report data through a simple XML API interface. This section contains the following topics: About WildFire Subscriptions and API Keys How to Use the WildFire API? WildFire API File Submission Methods Query WildFire for a PDF or XML Report Use the API to Retrieve a Sample Malware Test File Use the API to Retrieve a Sample File or PCAP About WildFire Subscriptions and API Keys Access to the WildFire API key is provided if at least one Palo Alto Networks firewall has an active WildFire subscription registered to an account holder in your organization. You can share the same API key within your organization. The API key is displayed in the My Account section of the WildFire web portal, along with statistics, such as how many uploads and queries have been performed using the key. The key should be considered secret and should not be shared outside of authorized channels. How to Use the WildFire API? The WildFire API uses standard HTTP requests to send and receive data. API calls can be made directly from command line utilities such as curl or using any scripting or application framework that supports REST services. The API methods are hosted at and the HTTPS protocol (not HTTP) is required in order to protect your API key and any other data exchanged with the service. A WildFire API key allows up to 100 sample uploads per day and up to 1000 report queries per day. WildFire API File Submission Methods Use the following methods to submit files to WildFire: Submit a File to the WildFire Cloud Using the Submit File Method Submit a File to WildFire Using the Submit URL Method WildFire Administrator s Guide 49

12 Upload Files and Query WildFire Using the WildFire API WildFire Cloud File Analysis Submit a File to the WildFire Cloud Using the Submit File Method The WildFire API can be used to submit all supported file types (APK, PE, PDF, Microsoft Office, Java Applet). The file along with your API key is required when submitting to have WildFire open the file in a sandbox environment and analyze the file for potentially malicious behaviors. The return code of the submit-file method indicates a success or error condition. If a 200 OK code was returned, the submission was successful and a result is normally available for query within five minutes. The following table describes the API attributes needed to submit files to the WildFire cloud using the submit file method: URL Method POST Parameters apikey Your WildFire API key file The sample file to be analyzed Return 200 OK Indicates success and report will be returned 401 Unauthorized API key invalid 405 Method Not Allowed Method other than POST used 413 Request Entity Too Large Sample file size over max limit 418 Unsupported File Type Sample file type is not supported 419 Max Request Reached Max number of uploads per day exceeded 500 Internal error 513 File upload failed Submit a File to WildFire Using the Submit URL Method Use the submit-url method to submit a file for analysis via a URL. This method is identical in interface and functionality to the submit-file method, except that the file parameter is replaced with a url parameter. The url parameter must point to an accessible supported file type. If a 200 OK code is returned, the submission is successful and a result is usually available for query within five minutes. The following table describes the API attributes needed to submit files to the WildFire cloud using a URL: URL Method POST Parameters apikey Your WildFire API key url The URL for the file to be analyzed Return 200 OK Indicates success and report will be returned 50 WildFire Administrator s Guide

13 WildFire Cloud File Analysis Upload Files and Query WildFire Using the WildFire API 401 Unauthorized API key invalid 405 Method Not Allowed Method other than POST used 413 Request Entity Too Large Sample file size over max limit Code Examples for File Submit The following curl command demonstrates how to submit a file to WildFire using the submit file method: curl k -F apikey=yourapikey -F file=@local-file-path The following shell code example demonstrates a simple script to submit a file to the WildFire API for analysis. The API key is provided as the first parameter and the path to the file is the second parameter: #manual upload sample to WildFire with APIKEY #Parameter 1: APIKEY #Parameter 2: location of the file key=$1 file=$2 418 Unsupported File Type Sample file type is not supported 419 Max Request Reached Max number of uploads per day exceeded 422 URL download error 500 Internal error /usr/bin/curl -i -k -F apikey=$key -F file=@$file The following curl command demonstrates how to submit a file to WildFire using the submit URL method: curl k -F apikey=yourapikey -F url=url Query WildFire for a PDF or XML Report Use the get report method to query for an XML or PDF report of analysis results for a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. The following table describes the API attributes needed to query for reports: URL Method POST WildFire Administrator s Guide 51

14 Upload Files and Query WildFire Using the WildFire API WildFire Cloud File Analysis Parameters hash The MD5 or SHA-256 hash value of the sample apikey format Your WildFire API key Report format: PDF or XML Return 200 OK Indicates success and report will be returned 401 Unauthorized API key invalid 404 Not Found The report was not found 405 Method Not Allowed Method other than POST used 419 Request report quota exceeded 420 Insufficient arguments 421 Invalid arguments 500 Internal error Example API Query for PDF or XML Report The following curl command demonstrates a query for a PDF report using the MD5 hash of a sample file: curl k -F hash= F format=pdf -F apikey=yourapikey Note: To retrieve the XML version of the report, just replace format=pdf with format=xml. For example: curl k -F hash= F format=xml -F apikey=yourapikey Use the API to Retrieve a Sample Malware Test File The following describes the API syntax to retrieve a sample malware file, which can be used to test end-to-end WildFire sample processing. For details on the sample file, see Malware Test Samples. To retreive the file using the API: API : GET This will return a test file and every API call will return a similar file, but with a different SHA256 value. If there is problem retrieving the file, a 500-Internal Server error will be returned. To retrieve the test file using curl: curl k 52 WildFire Administrator s Guide

15 WildFire Cloud File Analysis Upload Files and Query WildFire Using the WildFire API Use the API to Retrieve a Sample File or PCAP Use the API to Retrieve a Sample File Use the API to Retrieve a Packet Capture (PCAP) Use the API to Retrieve a Sample File Use the get-sample method to retrieve a particular sample. You can use either the MD5 or SHA-256 hash of the sample file as a search query. URL Method POST Parameters hash The MD5 or SHA-256 hash value of the sample apikey Your WildFire API key Return 200 OK Indicates success and sample will be returned 401 Unauthorized API key invalid 403 Forbidden Permission Denied 404 Not Found The sample was note found 405 Method Not Allowed Method other than POST used 419 Request sample quota exceeded 420 Insufficient arguments 421 Invalid arguments 500 Internal error Example API Query for Get-Sample The following curl command demonstrates a query for a sample using the sample's MD5 hash: curl -k -F hash=md5hash -F apikey=yourapikey Use the API to Retrieve a Packet Capture (PCAP) Use the get-pcap method to query for a PCAP recorded during analysis of a particular sample. Use either the MD5 or SHA-256 hash of the sample file as a search query. You can optionally define the platform of the desired PCAP to specify which PCAP should be returned. If no platform is specified, the method returns a PCAP from a session that yielded a verdict of Malware. Samples uploaded prior to August 2014 are not guaranteed to return a PCAP if no platform parameter is supplied. WildFire Administrator s Guide 53

16 Upload Files and Query WildFire Using the WildFire API WildFire Cloud File Analysis The following table describes the available platform parameters: Platform ID Description 1 Windows XP, Adobe Reader 9.3.3, Office Windows XP, Adobe Reader 9.4.0, Flash 10, Office Windows XP, Adobe Reader 11, Flash 11, Office Windows 7, Adobe Reader 11, Flash 11, Office Android 2.3, API 10, avd2.3.1 The following table describes the API attributes needed to query for pcaps: URL Method POST Parameters hash The MD5 or SHA-256 hash value of the sample apikey platform* Your WildFire API key Target analysis environment Return 200 OK Indicates success and PCAP will be returned * Optional parameter 401 Unauthorized API key invalid 403 Forbidden Permission Denied 404 Not Found The PCAP was note found 405 Method Not Allowed Method other than POST used 419 Request sample quota exceeded 420 Insufficient arguments 421 Invalid arguments 500 Internal error Example API Query for Get-PCAP The following curl command demonstrates a query for a pcap using the sample's MD5 hash: curl -k -F hash=md5hash -F apikey=yourapikey -F platform=targetplatform 54 WildFire Administrator s Guide