StackStorm as source of firewall dynamic list

Irek Romaniuk
Jan 13, 2018 · 2 min read

I was looking for a MineMeld alternative to serve static files as a source for Palo Alto Networks (PAN) firewall External Dynamic Lists (EDL). MineMeld is not always enough because it is not necessarily event driven. There is a need to update an EDL based on events, such as a threat detected from a public source (the criteria can be complex). I found a way to do it in StackStorm.

StackStorm (st2) uses NGINX as its web server, with the document root at ‘/opt/stackstorm/static/webui/’. I placed the text file blocklist.txt at that root and changed its ownership to stanley:stanley, the default st2 system user. The file immediately becomes available at https://st2/blocklist.txt, as shown below with some sample addresses.

Example of blocklist.txt

Now the st2 rule below has to be created in my paloalto pack so that blocklist.txt can be updated from the PAN webhook (the address arrives in trigger.body[‘source’]):

me@st2:~$ sudo cat /opt/stackstorm/packs/paloalto/rules/test_rule.yaml
---
name: "test_rule"
pack: "paloalto"
description: "Test rule dumping http webhook payload to a file"
enabled: false
trigger:
  type: "core.st2.webhook"
  parameters:
    url: "paloalto"
action:
  ref: "core.local"
  parameters:
    cmd: "echo \"{{trigger.body['source']}}\" >> /opt/stackstorm/static/webui/blocklist.txt"

To verify that blocklist.txt can be updated from the firewall, I used the test webhook from PAN, which sends source 0:0:101:101::. As you can see, the update was successful.

blocklist.txt updated with ‘Send Test log’ from PAN

The https://st2/blocklist.txt URL can then be used in PAN to build an EDL, refreshed e.g. every 5 minutes.
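The rule above passes whatever arrives in trigger.body['source'] straight into a shell echo, so any payload, not only an IP address, ends up in the file the firewall consumes. The script below is an added example (not code from the post or from StackStorm) of the same append step done as a Python action instead of core.local: it accepts only syntactically valid IPv4/IPv6 addresses or CIDR networks, skips duplicates, and rewrites the file atomically. The file path, the JSON payload shape and the action name edl_update.py are assumptions taken from the post.

```python
"""Validate a PAN webhook 'source' field before adding it to the EDL file.

Added example, not part of the original post or of StackStorm. Assumes the
webhook body is a JSON object with a "source" key, and that the EDL file lives
where the post serves it (https://st2/blocklist.txt).
"""
import ipaddress
import json
import os
import sys

# Assumption: same location the post exposes through NGINX.
BLOCKLIST_PATH = "/opt/stackstorm/static/webui/blocklist.txt"


def normalize_source(raw):
    """Return a canonical IP or CIDR string for `raw`, or None if it is not one.

    Hostnames, free text and shell metacharacters are rejected rather than
    written into the list the firewall will load.
    """
    if not isinstance(raw, str):
        return None
    raw = raw.strip()
    try:
        return str(ipaddress.ip_address(raw))  # single host, e.g. 0:0:101:101::
    except ValueError:
        pass
    try:
        # strict=True rejects e.g. 203.0.113.1/24 (host bits set), which PAN
        # would otherwise interpret differently than the sender intended.
        return str(ipaddress.ip_network(raw, strict=True))
    except ValueError:
        return None


def merge_entry(existing_lines, body):
    """Pure merge step: returns (updated_lines, entry_added_or_None)."""
    source = body.get("source") if isinstance(body, dict) else None
    entry = normalize_source(source)
    current = [line.strip() for line in existing_lines if line.strip()]
    if entry is None or entry in current:
        return current, None
    return current + [entry], entry


def update_blocklist(body, path=BLOCKLIST_PATH):
    """Read the EDL file, merge the webhook source, replace the file atomically."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        lines = []
    updated, added = merge_entry(lines, body)
    if added is not None:
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            fh.write("\n".join(updated) + "\n")
        os.replace(tmp, path)  # readers (NGINX) never see a half-written file
    return added


if __name__ == "__main__":
    # Usage: python edl_update.py '{"source": "0:0:101:101::"}'
    payload = json.loads(sys.argv[1]) if len(sys.argv) > 1 else {}
    result = update_blocklist(payload)
    print("added" if result else "skipped", result)
```

In a pack this would be registered as a python-script action with a single `body` parameter and wired to the same core.st2.webhook trigger with `body: "{{trigger.body}}"`, so the rule no longer builds a shell command from the payload. The file is still owned by the st2 system user (stanley), so the replaced copy stays readable by NGINX.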


Originally published at medium.com on January 13, 2018.

Written by Irek Romaniuk

Here are my NNs ‘nanonotes’, excuse the brevity and typos. I’m based in RI, working as a security and automation engineer for a fin-tech company in Boston.
