AWS Route 53 DNS Resolver Firewall

Configuration Guide

Amazon Route 53 Resolver Firewall Integration Configuration Guide Blog post image. Image contains A grey, orange and blue background with the Amazon AWS, Route 53 and Malware Patrol logos.

There are many security tools available, each serving a unique purpose in safeguarding your digital environment. Among them, the DNS firewall is one of the most effective and well-established. It acts as a critical line of defense against cyber threats by filtering and blocking access to malware and phishing websites, and data exfiltration points among others malicious resources. This prevents users from inadvertently visiting dangerous sites or falling victim to cyber attacks.

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). This step-by-step guide shows how to integrate Malware Patrol’s Malicious Domains threat intelligence with the AWS Route 53 Resolver DNS Firewall.

Add Malware Patrol’s Malicious Domains List to Amazon Route 53 Resolver DNS Firewall

You’ll need your Malware Patrol subscription username and password to proceed.

Malware Patrol uses CloudFormation to create all the necessary AWS systems that keep a Route 53 Domain list updated with Malware Patrol data. Basically, it creates an S3 bucket and a Lambda function that downloads and updates the Malicious Domains feed every hour, importing it into the Route 53 Domain List once it’s update.

The process is simple. Start by signing into your AWS Management Console and click the following link:

(URL will be provided by your account manager)

When you click on this link, you will see fields for inputting your Malware Patrol username and password. Click “Create Stack”. (Do NOT modify any other field on the page!) The following resources are generated automatically:

  • CloudFormation stack: DomainListForMalwarePatrolRoute53
  • EventBridge rule: ScheduleForMalwarePatrolRoute53
  • Bucket: domainlistformalwarepatr-s3bucketformalwarepatrol-RANDOMNUMBER
  • Lambda Function: LambdaForMalwarePatrolRoute53
  • DNS Firewall Domain List: malware-patrol-malicious-domains

The following screenshots show the process that begins once you have clicked on the link above.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 1

In the parameters section, enter your customer username and password.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 2

In the capabilities section, you must acknowledge the IAM resources-related information. Click “Create Stack”.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 3

The stack will show as being in progress for a few moments.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 4

Once it is complete, you will see the following screen:

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 5

Navigate to your Route 53 console. You can do this by searching Route 53 in the search bar at the top of the screen.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 6

From your Route 53 dashboard, select DNS Firewall from the left side menu.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 7

Click on Rule Groups from the DNS Firewall entry on the left side menu and then click Create rule group.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 8

Give the rule group a name and click Next.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 9

Select Add rule.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 10

Name the rule and select “Add my own domain list”. Under “Choose or create a new domain list”, select the Malware Patrol list.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 11

For Action, drop down and select BLOCK and then select NXDOMAIN. Click Add rule.

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 12

AWS Route 53 - DNS Firewall Malware Patrol Integration guide image - Step 13

Congratulations, your Malware Patrol Malicious Domains threat list is active and ready to protect your organization against the latest threats!

The next steps will vary by organization. Generally, you will want to enable firewall protection for your VPC(s). An Amazon resource outlining this process can be found below.

Notice that the newly created Domain List may take more than an hour to populate depending on how long it takes for AWS to execute the Lambda function. After that, updates will be automatically pushed every hour.

Amazon Route 53 Resources

  • Managing Your Own Domain Lists: “You can create your own domain lists to specify domain categories that you either don’t find in the managed domain list offerings or that you prefer to handle on your own.
  • Configuring logging for DNS Firewall: “You can evaluate your DNS Firewall rules by using Amazon CloudWatch metrics and the Resolver query logs. The logs provide the domain list name for all alerts and blocking actions.”
  • DNS Firewall rule groups and rules: “This section describes the settings that you can configure for your DNS Firewall rule groups and rules, to define the DNS Firewall behavior for your VPCs. It also describes how to manage the settings for your rule groups and rules.”
  • Enabling Route 53 Resolver DNS Firewall protections for your VPC: “You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 Resolver provides the following DNS Firewall protections […]”

If you encounter any problems with your Route 53 DNS Resolver Firewall integration, please contact your account manager or send an email to support ( @ ) malwarepatrol.net.

Malware Patrol + Palo Alto NGFW

Configuration Guide

??

Palo Alto NGFW Configuration Guide blog post image

Malware Patrol offers the following Enterprise feeds formatted for use with the Palo Alto NGFW. Customers choose the feed(s) that meet their needs:

1) DNS-over-HTTPS (DoH) Servers: This feed gives security teams control over the use of DoH in their environment. DoH wraps DNS queries in an HTTPS request, which can disguise malicious traffic. Several malware families take advantage of this to use DoH for their C2 communications.

2) Malicious Domains: Prevent access to domains hosting malware, ransomware, phishing, cryptominers, and command and control servers (C2s) for over a hundred malware and ransomware families. Blocking C2 communication disrupts the attacker’s ability to execute malicious commands and navigate laterally within the network, essentially breaking the cyber kill chain.

3) Malicious IPs: Provides a first line of defense against threats for which signature-based indicators may not yet be available. The broad coverage of IPs may also extend protection to attacks from adversaries utilizing the same infrastructure. The feed includes IPs actively hosting malicious malware and ransomware files, phishing sites, as well as C2 servers.

4) Malware URLs: This feed contains URLs known to be hosting malware and ransomware binaries. By leveraging malicious URL feeds, security tools can block access to harmful links while still allowing legitimate services hosted on the same domain. This level of precision prevents the unnecessary blocking of popular and legitimate platforms, such as Dropbox or Google Drive, where malicious content is frequently hosted.

Integrating external threat intelligence into your organization’s firewall is a crucial step in fortifying cybersecurity defenses. Organizations gain a more comprehensive and well-rounded view of emerging threats when they diversify their information sources. Different providers may have varying expertise and access to distinct threat data, offering a broader spectrum of insights.

This multi-sourced approach enhances the firewall’s ability to detect and block a wider range of malicious activities, reducing the risk of missing critical threats. It’s a strategic move that ensures a more robust and adaptable security posture, minimizing the chances of falling victim to sophisticated cyberattacks.

Malware Patrol offers free evaluations of our threat intelligence feeds, including those for Palo Alto NGFW. Request your evaluation here.  

 

Palo Alto NGFW External Dynamic Lists

Additional threat intelligence sources are integrated into Palo Alto Networks NGFW’s PAN-OS as “External Dynamic Lists” or EDLs. According to the Palo Alto NGFW PAN-OS Administrator’s Guide: “An External Dynamic List is a text file that is hosted on an external web server so that the firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. When multiple lists are referenced, you can prioritize the order of evaluation to make sure the most important EDLs are committed before capacity limits are reached. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the firewall.” Users can add up to 30 EDLs. There are per-firewall model restrictions on the number of entries allowed for each of the following object types: 1) IP address and 2) URL & Domain. Check the above referenced administrator’s guide for more details.

Pre-Integration – External Source Certificate Profiles

When EDL sources, such as Malware Patrol, are secured with SSL, you will need a certificate profile in order to authenticate the server hosting your data feed(s). Both the root CA (certificate authority) and intermediate CA certificates are required. Per the Administrator’s Guide (link above), you should “use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.”

To get the certificates for Malware Patrol:

1) Navigate to https://malwarepatrol.net (We used the Firefox browser – instructions will vary for others.)

2) (Left) Click on the site security padlock icon

An image in the Pre-Integration steps for the malware and palo alto networks ngfw configuration guide

3) Select Connection Secure –> More Information.

A Pre-Integration step image in the malware and palo alto networks ngfw configuration guide 

4) Click View Certificate.

A Pre-Integration step 4 image in the malware and palo alto networks ngfw configuration guide   

5) In the certificate information dialog box that appears:

  • Click on the Cloudflare Inc ECC CA-3 tab
  • Right click the PEM (cert) link
  • Select Save Link As and save as ‘root.pem’ to your computer
  • Click on the Baltimore CyberTrust Root tab
  • Right click the PEM (cert) link
  • Select Save Link As and save as ‘intermediate.pem’ to your computer.

A Pre-Integration step 5 image in the malware and palo alto networks ngfw configuration guide

A Pre-Integration step 5.1 image in the malware and palo alto networks ngfw configuration guide

A Pre-Integration step 5.2 image in the malware and palo alto networks ngfw configuration guide

A Pre-Integration step 5.3 image in the malware and palo alto networks ngfw configuration guide

Add Certificate Profiles to PAN-OS

6) Log in to your Palo Alto NGFW interface.

  • Name: Cloudflare
  • Click the +Add button at the bottom left of the CA Certificates (yellow) section of the dialog box
  • Select Import
  • Certificate Name: ‘Cloudflare – Intermediate’
  • Click Browse to find and select the ‘intermediate’ certificate saved on your computer
  • Click OK to save.

Integration step 6 paloalto login screen image in the malware and palo alto networks ngfw configuration guide

Integration step 6.1 image in the malware and palo alto networks ngfw configuration guide

Integration step 6.2 image in the malware and palo alto networks ngfw configuration guide

Integration step 6.3 image in the malware and palo alto networks ngfw configuration guide  

7) Click on the Device tab

8) Expand Certificate Management on the left side menu and then select Certificate Profile

9) Click the +Add button at the bottom left of the screen to add a new certificate profile

10)  In the Certificate Profile dialog box:

11) Repeat this process to add the second (root) certificate previously saved to your computer to the same Certificate Profile:

  • Click the +Add button again at the bottom of the CA Certificates section to add the root certificate
  • Select Import
  • Certificate Name: ‘Cloudflare – Root’
  • Click Browse to find the ‘root’ certificate saved on your computer
  • Click OK to save.

  Integration step 11 image in the malware and palo alto networks ngfw configuration guide  

12) You will see both certificates listed in the Certificate Profile window. Click OK to exit.

Integration step 12 image in the malware and palo alto networks ngfw configuration guide  

13) Click Commit in the upper right hand corner to save your changes.

Integration step 13 image in the malware and palo alto networks ngfw configuration guide  

14) Once completed, a Commit Status dialog box will appear. Make sure the result is successful.

Integration step 14 image in the malware and palo alto networks ngfw configuration guide

Add an IP EDL

15) From the Objects tab, select External Dynamic Lists on the left side menu.

16) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

Integration step 16 image in the malware and palo alto networks ngfw configuration guide  

17) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious IPs
  • Type: IP List
  • Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.

Integration step 17 image in the malware and palo alto networks ngfw configuration guide  

18) Click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Integration step 18 image in the malware and palo alto networks ngfw configuration guide

Apply a Security Policy to an IP EDL

19) From the Policies tab, select Security on the left side menu

20) Click the +Add button at the bottom left of the screen to add a new security policy

Integration step 20 image in the malware and palo alto networks ngfw configuration guide  

21) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious IPs
  • Click Destination tab
  • Destination Zone: Any
  • Destination Address: External Dynamic List –> Malware Patrol – Malicious IPs
  • Click Actions tab
  • Action: Deny
  • Click OK to save.

Integration step 21-1 image in the malware and palo alto networks ngfw configuration guide

Integration step 21-2 image in the malware and palo alto networks ngfw configuration guide

Integration step 21-4 image in the malware and palo alto networks ngfw configuration guide  

22) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a URL EDL

23) From the Objects tab, select External Dynamic Lists on the left side menu.

24) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

Integration step 24 image in the malware and palo alto networks ngfw configuration guide  

25) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious URLs
  • Type: URL List
  • Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.

Integration step 25 image in the malware and palo alto networks ngfw configuration guide  

26) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

 

Apply a Security Policy to a URL EDL

27) From the Policies tab, select Security on the left side menu.

28) Click the +Add button at the bottom left of the screen to add a new security policy.

Integration step 28 image in the malware and palo alto networks ngfw configuration guide  

29) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious URLs
  • Click Service/URL Caetgory tab
  • Service: Application-Default
  • URL Category: External Dynamic List –> Malware Patrol – Malicious URLs
  • Click Actions tab
  • Action: Deny
  • Click OK to save.

Integration step 29.1 image in the malware and palo alto networks ngfw configuration guide

Integration step 29.2 image in the malware and palo alto networks ngfw configuration guide

Integration step 29.3 image in the malware and palo alto networks ngfw configuration guide

Integration step 29.4 image in the malware and palo alto networks ngfw configuration guide

Integration step 29.5 image in the malware and palo alto networks ngfw configuration guide  

30) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a Domain EDL

“An external dynamic list of type domain allows you to import custom domain names into the firewall to enforce policy using an Anti-Spyware profile or SD-WAN policy rule. An EDL in an Anti-Spyware profile is very useful if you subscribe to third-party threat intelligence feeds and want to protect your network from new sources of threat or malware as soon as you learn of a malicious domain.  […] You can also specify the firewall to include the subdomains of a specifed domain. […] When this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries used by the list.”  Palo Alto NGFW PAN-OS Administrator’s Guide Malware Patrol offers these domain-based feeds for PAN-OS: Malicious Domains and DoH Servers. 

31) From the Objects tab, select External Dynamic Lists on the left side menu.

32) Click the +Add button at the bottom left of the screen to add a new EDL. A dialog box will appear.

Integration step 32 image in the malware and palo alto networks ngfw configuration guide  

33) In the External Dynamic Lists dialog box:

  • Name: Malware Patrol – Malicious Domains
  • Type: Domain List
  • Source: Paste the link to the IP feed from your Malware Patrol customer or evaluation portal. Insert your username and password as follows for authentication purposes: https://USERNAME:PASSWORD@eval.malwarepatrol.net/feeds/files/FILENAME
  • Certificate Profile: Cloudflare
  • Repeat: Hourly
  • Click OK to save.
  • Repeat this process to add Malware Patrol’s DNS-over-HTTPS Servers as an EDL.

Integration step 33 image in the malware and palo alto networks ngfw configuration guide  

34) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Apply a Security Policy to a Domain EDL

Note: This process is slightly different from adding a security policy to IP and URL EDLs.

Add Anti-Spyware Profile

35) From the Objects tab, select expand Security Profiles on the left side menu. Click Anti-Spyware.

36) Click the +Add button at the bottom left of the screen to add a new profile. A dialog box will appear.

Integration step 36 image in the malware and palo alto networks ngfw configuration guide  

37) In the Anti-Spyware Profile dialog box:

  • Name: MalwarePatrolMaliciousDomains
  • Select the DNS Signatures tab
  • Click the +Add button at the bottom left of the External Dynamic List Domains section
  • Select External Dynamic Lists > Malware Patrol – Malicious Domains from the dropdown list
  • Repeat this process to add Malware Patrol – DOH Servers, if applicable
  • Action on DNS Queries: Apply either Block or Sinkhole to the newly added feed(s), per your organization’s needs
  • Click OK to save.

Integration step 37.1 image in the malware and palo alto networks ngfw configuration guide

Integration step 37.2 image in the malware and palo alto networks ngfw configuration guide

Integration step 37.3 image in the malware and palo alto networks ngfw configuration guide

38) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.

Add a Security Policy

39) From the Policies tab, select Security on the left side menu

40) Click the +Add button at the bottom left of the screen to add a new security policy

Integration step image in the malware and palo alto networks ngfw configuration guide

41) In the Security Policy Rule dialog box:

  • Name: Malware Patrol – Malicious Domains (or DoH Servers)
  • Click Destination tab
  • Destination Zone: Any
  • Destination Address: Any
  • Click Actions tab
  • Profile Type: Profiles
  • Anti-Spyware: Select MalwarePatrolMaliciousDomains
  • Click OK to save.

Integration step 41.1 image in the malware and palo alto networks ngfw configuration guide

Integration step 41.2 image in the malware and palo alto networks ngfw configuration guide

Integration step 41.3 image in the malware and palo alto networks ngfw configuration guide

42) Once again click Commit in the upper right hand corner to save your changes. Make sure the result is successful in the Commit Status window that appears after the process has completed.  

PAN-OS Reference Document Links:

If you need any assistance with your Palo Alto NGFW integration with Malware Patrol’s data feeds, please email support ( @ ) malwarepatrol.net or contact your Account Manager.

?

FortiSIEM Configuration Guide

Configuration Guide

?

Fortinet Configuration

FortiSIEM Configuration Guide for Malware Patrol Threat Intel Feeds

Malware Patrol offers the following threat intelligence feeds formatted for integration into FortiSIEM. This allows users to combine the quality of Fortinet’s SIEM security platform with the protection from our threat intelligence. Customers can choose the feed(s) that meet their needs:

We offer free evaluations of our Enterprise feeds, including those for FortiSIEM. To request your evaluation, complete our request form.

About FortiSIEM

FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. What’s more is that [the] architecture enables unified data collection and analytics from diverse information sources including logs, performance metrics, security alerts, and configuration changes. FortiSIEM combines the analytics traditionally monitored in separate silos of the security operations center (SOC) and network operations center (NOC) for a more holistic view of the security and availability of the business.” FortiGuard Threat Intelligence and Indicators of Compromise (IOC) and Threat Intelligence (TI) feeds from commercial, open source, and custom data sources integrate easily into the security TI framework. This grand unification of diverse sources of data enables organizations to rapidly identify root causes of threats, and take the steps necessary to remediate and prevent them in the future. Steps can often be automated with new Threat Mitigation Libraries for many Fortinet products. External Threat Intelligence Integrations

  • APIs for integrating external threat feed intelligence – Malware domains, IPs, URLs, hashes, Tor nodes
  • Built-in integration for popular threat intelligence sources – ThreatStream, CyberArk, SANS, Zeus, ThreatConnect
  • Technology for handling large threat feeds – incremental download and sharing within cluster, real-time pattern
    matching with network traffic. All STIX and TAXII feeds are     supported”

Adding External TI – A FortiSIEM Configuration Guide

The following are instructions to configure each of our data feeds on FortiSIEM version 6.4.0 (1412) using the web interface.

DNS-over-HTTPS (DoH) Domains

Benefits of the Malware Patrol DoH Data Feed

We developed this feed to help security teams monitor the use of DoH in their environment. Our tools actively search for new DoH servers on a continuous basis to keep this data fresh. DoH allows users to bypass the DNS-level controls and internet usage policies put in place to protect your network against known threats and threat actors are taking advantage of this by using DoH for C2 server connections, for example. As such, both incoming and outgoing DoH traffic should be closely monitored for indications of malicious activity.

Intro Step in the the Malware Patrol Fortisiem configuration guide

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group. Step 3 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

4) Enter a group name. We will use Malware Patrol – DoH to distinguish this feed from the Malware Patrol Malicious Domains previously entered.

5) Click save. The Malware Patrol – DoH group will now appear under the Malware Domains section. Step 5 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu. Step 7 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

8) On the screen that pops up choose Update via API and click on the edit (pencil) button. Step 8 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol DoH feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

Step 9 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post 10) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Description, Position 2
  • Last Seen, Position 3

11) Click Save Step 11 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

12) Click on the Schedule: + button Step 12 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

13) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

Step 13 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post 14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future. Step 14 in the DNS-over-HTTPS (DoH) Domains section of the Malware Patrol Fortisiem configuration guide blog post

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process to know which fields are available in the Malware Patrol feed.

Malicious Domains

Benefits of the Malware Patrol Malicious Domains Data Feed

This Malware Patrol feed contains domains actively involved in malicious activities. The data is derived from five of our Enterprise feeds: 1) Anti-Mining, 2) Command & Control (C2) Addresses, 3) Domain Names Generated via DGAs, 4) Malware & Ransomware URLs, and 5) Phishing URLs. Network traffic associated with these domains is highly likely to be malicious.

Pre-step image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

2) Select Malware Domains from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Domains group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Domains section.

Step 5 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide 6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

Step 7 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide 8) On the screen that pops up choose Update via API.

9) Click on the edit (pencil) button for the URL. Step 9 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide

10) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious Domains feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

Step 10 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide 11) In the Data Mapping section, match the following:

  • Domain Name, Position 1
  • Malware Type, Position 2
  • Description, Position 3
  • Date Found, Position 4
  • Last Seen, Position 5

12) Click Save

Step 12 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide

13) Click on the Schedule: + button

Step 13 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide

14) On the screen that pops up, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

Step 14 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide 15) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future. Step 15 image in the Malicious Domains section of the Malware Patrol Fortisiem configuration guide

16) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed. 

Malicious IPs

Benefits of the Malware Patrol Malicious IPs Data Feed

This feed contains IP addresses known to actively host malicious files and C2 systems for malware and ransomware. Monitoring traffic destined to them is an effective network protection measure and provides valuable information for threat hunting purposes.

Pre-step image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated. Step 1 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

2) Select Malware IPs from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware IPs group.

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware IPs section. Step 5 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu. Step 7 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

8) On the next screen, choose Update via API and click on the edit (pencil) button. Step 8 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malicious IPs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

Step 9 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

  •  

10) In the Data Mapping section, match the following:

  • Name, Position 1
  • Low IP, Position 2
  • Malware Type, Position 3
  • Description, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

12) Click on the Schedule: + button Step 12 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

Step 13 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future. Step 14 image in the Malicious IPs section of the Malware Patrol Fortisiem configuration guide

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware Hashes

Benefits of the Malware Patrol Malware Hashes Data Feed

This feed contains the SHA-1 hashes of malware and ransomware samples currently available on the internet. Encountering these signatures in your environment is a sign of malicious activity.

Pre-step image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated. Step 1 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

2) Select Malware Hash from the menu on the left.

3) Click + button at the upper left-hand side of this side menu to add a new Malware Hash group.

Step 3 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware Hash section.

Step 5 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu.

Step 7 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

8) On the next screen, choose Update via API and click on the edit (pencil) button.

Step 8 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware Hashes feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

Step 9 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

10) In the Data Mapping section, match the following:

  • Description, Position 1
  • Algorithm, Position 2
  • HashCode, Position 3
  • Malware Type, Position 4
  • Date Found, Position 5
  • Last Seen, Position 6

11) Click Save

Step 11 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

12) Click on the Schedule: + button

Step 12 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

Step 13 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future. Step 14 image in the Malicious Hashes section of the Malware Patrol Fortisiem configuration guide

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

Malware URLs

Benefits of the Malware/Ransomware URLs Data Feed

This feed contains URLs known to be hosting malware binaries. It is updated hourly to remove inactive URLs and add newly detected ones. Correlating this feed with network traffic can pinpoint a potential malware infection.

Pre-step image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

1) From the FortiSIEM dashboard, navigate to Resources in the top navigation menu. On the left side menu that appears, you will see the types of IoC feeds that can be integrated.

Step 1 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide 2) Select Malware URLs from the menu on the left.

3) Click + button at the upper left-hand side of this menu to add a new Malware URLs group.

Step 3 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide 4) Enter a group name. We will use Malware Patrol for this guide.

5) Click save. The Malware Patrol group will now appear under the Malware URLs section.

Step 5 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

6) Select/highlight the Malware Patrol group and then More from the top menu.

7) Select Update from the drop-down menu. Step 7 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

8) On the next screen, choose Update via API and click on the edit (pencil) button.

Step 8 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

9) Enter the following to set up the feed update:

  • URL of your Malware Patrol Malware URLs feed or evaluation feed. This can be obtained by right clicking on the feed’s link in the Malware Patrol customer or evaluation portal.
  • Your Malware Patrol portal username and password
  • Plugin Class: no changes
  • Field separator: ,
  • Data format: CSV
  • Data update: Full

Step 9 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

10) In the Data Mapping section, match the following:

  • URL, Position 1
  • Malware Type, Position 2
  • Last Seen, Position 3

11) Click Save Step 11 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

12) Click on the Schedule: + button Step 12 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

13) On the next screen, enter:

  • Start Time: Set a start time a few minutes from the current time. This will cause the data to be updated after your setup is complete
  • Recurrence Pattern: Hourly, Every 1 Hour (Malware Patrol feeds are updated on an hourly basis)
  • Recurrence:
    • Start From: Today’s Date
    • End Date: No End Date
  • Click Save

Step 13 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

14) The data will populate at the start time set above. If it does not, click the Refresh button at the top of the data display area. Another option is to go back to the schedule settings to verify the time you set for the updates to begin. You can set another time a few minutes in the future. Step 14 image in the Malware URLS section of the Malware Patrol Fortisiem configuration guide

15) To change the columns displayed once the data populates, click on the Select Columns button located beside the refresh button. Use the data mapping information from the setup process for each feed to know which fields are available in the Malware Patrol feed.

If you need any assistance with this FortiSIEM configuration guide, please email support (@) malwarepatrol.net or contact your Account Manager.

?

pfSense Configuration guide

Configuration Guide

pfSense Configuration guide

pfSense The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and it also includes third-party free software packages for additional functionality. pfSense software, with the help of the package system, can provide the same functionality or more as common commercial firewalls, without any of the artificial limitations. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense software uses Squid and SquidGuard to filter web traffic.

pfSense software includes a web interface for the configuration of all included components. There is no need for any UNIX knowledge, no need to use the command line for anything, and no need to ever manually edit any rule sets. Consequently, users familiar with commercial firewalls catch on to the web interface quickly, though there can be a learning curve for users not familiar with commercial-grade firewalls.

Malware Patrol provides block lists compatible with pfSense software. Most importantly our pfSense free valuation can be requested here. Now you can simply follow these simple steps to configure your pfSense instance and protect your internal network, computers, and users from getting infected by malware.

Installing Squid3 and SquidGuard on pfSense 2.1.x

1) Open Packages list: click System, next, Packages, Available Packages tab.

2) Install the Squid package, if not already installed.

3) Install the SquidGuard package, if not already installed

4) Configure the Squid package.

5) Configure the SquidGuard package.

6) Log into your account with Malware Patrol, then, look for SquidGuard. Right-click on Download and select Copy link location. You will need this URL in the next step.

7) Open the General Settings tab in SquidGuard package GUI, found at Service, next Proxy Filter.

8) Check Blacklist to enable the use of our blocklists.

9) Enter the URL you have copied on step 6.

10) If pfSense is behind a proxy, enter the proxy information in Blacklist proxy (this step is not necessary for most situations)

11) Click Save after that.

12) Navigate to the Blacklist tab inside of SquidGuard.

13) Click the Download button.

14) Wait while our block list is downloaded and processed (may take a while). Progress will be displayed.

If you experience any difficulties configuring Squid3 to use Malware Patrol blocklists, please make sure it is working properly and contact our tech support or at support@malwarepatrol.net.

MISP Configuration Guide

Configuration Guide

??

MISP configuration guide for Malware Patrol threat intelligence feedsMISP Configuration Guide

MISP is a threat intelligence platform for gathering, sharing, storing, and correlating indicators of compromise of targeted attacks, threat intelligence, financial fraud information, and vulnerability information.

It can be configured to ingest MISP-formatted data feeds. To ingest the data provided by Malware Patrol following these steps:

1) In the customer portal or evaluation portal, search for the feed of interest. Once you find it, look for the MISP compatible data feed link. Right-click on it and choose Copy link location.

2) Open your MISP instance and click on Sync Actions / List Feeds.

3) On the left menu, click Add Feed.

4) Fill the field Name as Malware Patrol “_data_feed_name_ (for example Malware Patrol C2s)”. On Provider put Malware Patrol. Choose Network on Input Source.

5) The field URL should contain the link location you have copied from the customer portal or evaluation portal.

6) On Source Format, choose MISP Feed.

7) Click on Add Basic Auth and complete the fields with your Username and Password for the customer portal or evaluation portal. Then click on Add Basic Auth Header.

8) Adjust Distribution, Default Tag and Filter rules appropriately for your environment.

9) Click Add.

10) Back to the list of feeds, select the Malware Patrol data feed and click Enable selected.

11) Still in the list of feeds, for the Malware Patrol data feed, click in the last icon on the right named Download. Your MISP instance will download the current feed file, parse them and add to your instance.

 

If you encounter any difficulties with this MISP configuration guide, feel free to contact our tech support at support (@) malwarepatrol.net

Configuration guides for other systems can be found on our Tech Support page.

?