2017-02-19 10:04 PM
Hey,
I'm looking to see if anyone has seen or developed any scripts from Netwitness to block IP's on Fortinet firewalls, etc. I am hoping to find some basics of what's needed and how to get started to start automating some of our incident response activities.
Once we get an alert of someone attempting to compromise a web server or even an internal host going to a site hosting Rig Exploit kit, it would be extremely valuable and efficient to be able to right click on an IP and have actions taken on the firewalls to prevent further malicious activity.
Thank you for your help.
2017-02-21 07:58 AM
I have not created a right click plugin for any Fortinet solutions. However, the right click plugins (Administration/System/Context Menu Actions) are good for passing a url to another system. What I found was that not all system administration could be done directly with a URL call to an API. Some required local file system access to command line tools which are not permitted on the Security Analytics server due to the security model.
The solution I came up with as a proof of concept was to develop a support server. This was a virtual machine running Apache and PHP where I would write some PHP that took advantage of shell_exec that would execute the command I needed. This way, I could right click on meta in SA, pass that value in the URL to the support server which would take that value as an argument in the command to execute.
While their are certainly arguments against using shell_exec in PHP, this was for proof of concept only. There may be better, more secure ways of doing this, but using this method, I was able to successfully demonstrate the expanded capabilities of using a support server.
Chris