Friday, February 5, 2021

Snort3 on Ubuntu 20 - Feeding and testing the pig - rules and PulledPork

Now that we have installed and configured Snort3, as well as learned a little about it, let's now look at feeding the pig ... giving it rules ... and then testing those rules before we perform our housekeeping.

Let's create the directories for us to store our rules and block lists.

securitynik@snort3:~$ sudo mkdir /usr/local/etc/rules
securitynik@snort3:~$ sudo mkdir /usr/local/etc/so_rules/
securitynik@snort3:~$ sudo mkdir /usr/local/etc/lists/

Next, let's create some required files.

securitynik@snort3:~$ sudo touch /usr/local/etc/rules/snort.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/rules/local.rules
securitynik@snort3:~$ sudo touch /usr/local/etc/lists/default.blocklist

securitynik@snort3:~$ sudo mkdir /usr/local/etc/pulledpork

... and our directory to store our logs

securitynik@snort3:~$ sudo mkdir /var/log/snort

With those in place, let's create three sample rules to test the traffic in our PCAP file, using the Snort 2.x method of creating rules.

securitynik@snort3:~$ sudo gedit /usr/local/etc/rules/local.rules &

securitynik@snort3:~$ sudo cat /usr/local/etc/rules/local.rules 
alert tcp any any -> any any (msg:"SecurityNik Testing TCP"; sid:40000001;)
alert icmp any any -> any any (msg:"SecurityNik ICMP"; sid:40000002;)
alert udp any any -> any any (msg:"SecurityNik Testing UDP"; sid:40000003;) 

When this rule file is passed as input to Snort3, we see the alerts for the first three packets (-n 3) and notice we are once again leveraging the "--talos" tweaks.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none \
-A "alert_full" -q -n 3 --talos
[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:06.999138 10.0.2.15:40793 -> 64.71.255.198:53
UDP TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF
Len: 58

[**] [1:40000003:0]  <securitynik-sample.pcap> "SecurityNik Testing UDP" [**]
[Priority: 0] 
02/01-14:23:07.017818 64.71.255.198:53 -> 10.0.2.15:40793
UDP TTL:64 TOS:0x0 ID:47115 IpLen:20 DgmLen:198
Len: 170

[**] [1:40000001:0]  <securitynik-sample.pcap> "SecurityNik Testing TCP" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

[**] [1:1:0]  <securitynik-sample.pcap> "Nik Testing" [**]
[Priority: 0] 
02/01-14:23:07.020863 10.0.2.15:33244 -> 35.232.111.17:80
TCP TTL:64 TOS:0x0 ID:53105 IpLen:20 DgmLen:60 DF
******S* Seq: 0x31F1E987  Ack: 0x0  Win: 0xFAF0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK  TS: 3340894439 0 NOP WS: 7

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid        rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   ===        ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1   40000003     0         2       2      2        10         5         5             0        0        0
2         1   40000001     0         1       1      1         4         4         4             0        0        0
3         1          1     0         1       1      1         0         0         0             0        0        0

Let's rewrite the above rules using the Snort3 format, adding some additional components, and then run them against two different PCAPs.

alert http
(
	msg:"Looking for SecurityNik HTTP - wget and ragel traffic!";	# Message I would like the user to see
	flow:established, to_server;					# Monitor traffic for which the 3-way handshake is completed and direction is from client to server
	http_method;							# Focus on the buffer containing the HTTP method
	content:"|47 45 54|", offset 0, depth 3;			# Look for the hex bytes representing GET starting at offset 0 and spanning 3 bytes
	http_uri:path;							# Look at the buffer containing the URI path
	content:"/files/ragel/ragel-6.10.tar.gz", distance 0, within 30;	# Look for this content
	pcre:"/ragel\-\d{1,3}\.\d{1,3}\.tar\.gz/i";			# Use a regular expression pattern to look for the file above
	http_header:field User-Agent;					# Look into the User-Agent field in the HTTP header
	content:"wget/1.20.3", nocase;					# Check to see if the user agent contains wget
	regex:"/wget\/\d{1,2}\.\d{2}\.\d{1,2}/i";			# My understanding is regex allows us to take advantage of Hyperscan. Notice above I used pcre instead.
	http_header:field Host;						# Look at the Host field in the HTTP header
	content:"www|2e|colm|2e|net", nocase;				# Look for the hostname www.colm.net
	reference:URL, "www.securitynik.com";
	classtype:suspicious-filename-detect;
	priority:1;							# Give the rule a priority of 1. Max value 31
	rev:5;								# Every time the rule is updated the revision number should change
	sid:4;								# Every rule should have an ID
)

alert dns
(
	msg:"Looking for SecurityNik DNS traffic!";			# Message
	id:11471;							# Value in the IP ID field
	content:"www|0B|securitynik|03|com", nocase;			# Content to search for. A mix of string and hex
	classtype:misc-attack;
	priority:4;
	rev:3;
	sid:5;
)

alert icmp
(
	msg:"Looking for SecurityNik ICMP traffic!";
	id:38446;							# Value in the IP ID field
	itype:8;							# ICMP type
	icode:0;							# ICMP code
	content:"|30 31 32 33 34 35 36 37|";				# Search for hex pattern
	classtype:malware-cnc;
	priority:20;
	rev:2;
	sid:6;
)

First, run it against securitynik-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A cmg  -q --talos | more
02/01-14:56:37.512330 [**] [1:4:5]  <securitynik-sample.pcap> "Looking for SecurityNik HTTP - wget and ragel traffic!" [**] [Classification: A suspicious filename was detected] [Priority: 1] {TCP} 10.0.2.15:33478 -> 192.155.89.46:80

http_inspect.http_method[3]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
47 45 54                                          GET
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_version[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
48 54 54 50 2F 31 2E 31                           HTTP/1.1 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_uri[30]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
2F 66 69 6C 65 73 2F 72  61 67 65 6C 2F 72 61 67  /files/r agel/rag
65 6C 2D 36 2E 31 30 2E  74 61 72 2E 67 7A        el-6.10. tar.gz
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

http_inspect.http_header[119]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
55 73 65 72 2D 41 67 65  6E 74 3A 20 57 67 65 74  User-Age nt: Wget
2F 31 2E 32 30 2E 33 20  28 6C 69 6E 75 78 2D 67  /1.20.3  (linux-g
6E 75 29 0D 0A 41 63 63  65 70 74 3A 20 2A 2F 2A  nu)..Acc ept: */*
0D 0A 41 63 63 65 70 74  2D 45 6E 63 6F 64 69 6E  ..Accept -Encodin
67 3A 20 69 64 65 6E 74  69 74 79 0D 0A 48 6F 73  g: ident ity..Hos
74 3A 20 77 77 77 2E 63  6F 6C 6D 2E 6E 65 74 0D  t: www.c olm.net.
0A 43 6F 6E 6E 65 63 74  69 6F 6E 3A 20 4B 65 65  .Connect ion: Kee
70 2D 41 6C 69 76 65                             p-Alive
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     4   5         1       1      1       905       905       905             0        0        0

Now run it against securitynik-other-sample.pcap.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
 -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap \
 -k none -A cmg  -q --talos | more
02/02-13:39:01.871758 [**] [1:5:3]  <securitynik-other-sample.pcap> "Looking for SecurityNik DNS traffic!" [**] [Classification: Misc Attack] [Priority: 4] {UDP} 10.0.2.15:59456 -> 64.71.255.198:53
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x5A
10.0.2.15:59456 -> 64.71.255.198:53 UDP TTL:64 TOS:0x0 ID:11471 IpLen:20 DgmLen:76 DF
Len: 48

dns.raw[48]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
28 B8 01 00 00 01 00 00  00 00 00 01 03 77 77 77  (....... .....www
0B 73 65 63 75 72 69 74  79 6E 69 6B 03 63 6F 6D  .securit ynik.com
00 00 01 00 01 00 00 29  02 00 00 00 00 00 00 00  .......) ........
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

02/02-13:39:57.839673 [**] [1:6:2]  <securitynik-other-sample.pcap> "Looking for SecurityNik ICMP traffic!" [**] [Classification: Known malware command and control traffic] [Priority: 20] {ICMP} 10.0.2.15 -> 172.217.164.211
08:00:27:2A:BA:15 -> 52:54:00:12:35:02 type:0x800 len:0x62
10.0.2.15 -> 172.217.164.211 ICMP TTL:64 TOS:0x0 ID:38446 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1   Seq:1  ECHO

snort.raw[56]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
7D 9C 19 60 00 00 00 00  C6 CF 0C 00 00 00 00 00  }..`.... ........
10 11 12 13 14 15 16 17  18 19 1A 1B 1C 1D 1E 1F  ........ ........
20 21 22 23 24 25 26 27  28 29 2A 2B 2C 2D 2E 2F   !"#$%&' ()*+,-./
30 31 32 33 34 35 36 37                           01234567 
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     6   2         2       1      1        59        29        58             1        0        0
2         1     5   3         4       1      1        15         3        12             1        0        0
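To see exactly what each of the three rules above matched on, here is an added example (my code, not part of the original post) that converts Snort content notation into raw bytes and runs a single content check, with offset/depth/nocase, against the payloads Snort dumped; the HTTP header, dns.raw and snort.raw bytes are re-typed from the dumps above as constructed sample input. It also decodes the DNS question name, which shows where the |0B| and |03| bytes in the DNS rule come from.

```python
"""Snort 'content' notation versus the bytes Snort dumped for the three alerts.

Added example, not from the original post. The payloads below are re-typed
from the post's http_inspect / dns.raw / snort.raw hex dumps as constructed
sample input; the functions are mine, not Snort's own matcher.
"""
from typing import Optional

# Constructed sample input: bytes from the hex dumps shown in the post.
HTTP_METHOD = b"GET"
HTTP_HEADER = (b"User-Agent: Wget/1.20.3 (linux-gnu)\r\nAccept: */*\r\n"
               b"Accept-Encoding: identity\r\nHost: www.colm.net\r\n"
               b"Connection: Keep-Alive")
DNS_RAW = bytes.fromhex(
    "28 B8 01 00 00 01 00 00 00 00 00 01 03 77 77 77 "
    "0B 73 65 63 75 72 69 74 79 6E 69 6B 03 63 6F 6D "
    "00 00 01 00 01 00 00 29 02 00 00 00 00 00 00 00 ")
ICMP_RAW = bytes.fromhex(
    "7D 9C 19 60 00 00 00 00 C6 CF 0C 00 00 00 00 00 "
    "10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F "
    "20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F "
    "30 31 32 33 34 35 36 37 ")


def content_to_bytes(content: str) -> bytes:
    """Turn Snort content notation into raw bytes.

    Text between a pair of '|' is hex (spaces optional), everything else is
    literal, so in "www|0B|securitynik|03|com" the |0B| becomes the single
    byte 0x0B. Snort's backslash escapes for |, ; and quotes are not handled.
    """
    if content.count("|") % 2:
        raise ValueError(f"unbalanced '|' in content {content!r}")
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str, offset: int = 0,
                    depth: Optional[int] = None, nocase: bool = False) -> int:
    """Emulate one content check with the offset/depth/nocase modifiers.

    offset is where the search starts and depth how many bytes from there may
    be examined, as in the post's content:"|47 45 54|", offset 0, depth 3.
    Returns the absolute index of the match within payload, or -1.
    """
    needle = content_to_bytes(content)
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    window = payload[offset:end]
    if nocase:
        window, needle = window.lower(), needle.lower()
    hit = window.find(needle)
    return -1 if hit < 0 else offset + hit


def dns_qname(dns_raw: bytes) -> str:
    """Decode the question name that follows the 12-byte DNS header.

    Each label is prefixed by its length, which is why the rule's content
    carries |0B| (11, "securitynik") and |03| ("com") where dots would be.
    Name compression does not occur in a plain query like this one.
    """
    labels, i = [], 12
    while dns_raw[i] != 0:
        n = dns_raw[i]
        labels.append(dns_raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    # The checks each of the post's three Snort3 rules performs.
    print("http_method GET at", content_matches(HTTP_METHOD, "|47 45 54|", 0, 3))
    print("User-Agent wget at", content_matches(HTTP_HEADER, "wget/1.20.3", nocase=True))
    print("Host www.colm.net at", content_matches(HTTP_HEADER, "www|2e|colm|2e|net", nocase=True))
    print("DNS qname", dns_qname(DNS_RAW), "at",
          content_matches(DNS_RAW, "www|0B|securitynik|03|com", nocase=True))
    print("ICMP payload at", content_matches(ICMP_RAW, "|30 31 32 33 34 35 36 37|"))
```

Note that the Host check only succeeds with nocase because the header is matched case-insensitively, while "wget/1.20.3" without nocase would miss the capitalised "Wget" seen in the dump.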

Before configuring PulledPork, you may wish to see the output from Snort in CSV format.

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua \
-R /usr/local/etc/rules/local.rules -r securitynik-sample.pcap -k none -A csv -q | more
[sudo] password for securitynik: 
02/01-14:56:37.512330, 1206, TCP, stream_tcp, 119, C2S, 10.0.2.15:33478, 192.155.89.46:80, 1:4:5, allow

securitynik@snort3:~$ sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -r securitynik-other-sample.pcap -k none -A csv -q | more
02/02-13:39:01.871758, 214, UDP, raw, 76, C2S, 10.0.2.15:59456, 64.71.255.198:53, 1:5:3, allow
02/02-13:39:57.839673, 255, ICMP, raw, 84, C2S, 10.0.2.15:0, 172.217.164.211:0, 1:6:2, allow
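The CSV output is the easiest form to hand to a SIEM or a quick script. As an added example (not from the post), here is a small parser for those lines; it assumes the default alert_csv field order Snort3 prints (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap, dst_ap, rule, action), and the three alert lines above are embedded as constructed sample input.

```python
"""Parse Snort3 '-A csv' alert lines into structured records.

Added example, not from the original post. It assumes the default alert_csv
field order (timestamp, pkt_num, proto, pkt_gen, pkt_len, dir, src_ap,
dst_ap, rule, action), which matches the lines the post shows.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIELDS = ("timestamp", "pkt_num", "proto", "pkt_gen", "pkt_len",
          "dir", "src_ap", "dst_ap", "rule", "action")

# Constructed sample input: the three alerts from the post's csv runs.
SAMPLE_CSV = """\
02/01-14:56:37.512330, 1206, TCP, stream_tcp, 119, C2S, 10.0.2.15:33478, 192.155.89.46:80, 1:4:5, allow
02/02-13:39:01.871758, 214, UDP, raw, 76, C2S, 10.0.2.15:59456, 64.71.255.198:53, 1:5:3, allow
02/02-13:39:57.839673, 255, ICMP, raw, 84, C2S, 10.0.2.15:0, 172.217.164.211:0, 1:6:2, allow
"""

# Local rules are expected to use SIDs of 1,000,000 and up so they never
# collide with the Talos/community SIDs PulledPork pulls into snort.rules.
LOCAL_SID_MIN = 1_000_000


@dataclass
class Alert:
    timestamp: str
    pkt_num: int
    proto: str
    pkt_gen: str          # packet source: stream_tcp (reassembled) or raw (wire)
    pkt_len: int
    direction: str        # C2S or S2C
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    gid: int
    sid: int
    rev: int
    action: str


def split_ap(ap: str, proto: str) -> Tuple[str, Optional[int]]:
    """Split 'addr:port'; ICMP has no ports and Snort prints 0 as a placeholder."""
    addr, _, port = ap.rpartition(":")   # rpartition keeps IPv6 colons intact
    return addr, None if proto == "ICMP" else int(port)


def parse_alert(line: str) -> Alert:
    """Parse one csv alert line; rejects lines with an unexpected field count."""
    parts = [p.strip() for p in next(csv.reader([line]))]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    src_ip, src_port = split_ap(rec["src_ap"], rec["proto"])
    dst_ip, dst_port = split_ap(rec["dst_ap"], rec["proto"])
    gid, sid, rev = (int(x) for x in rec["rule"].split(":"))   # gid:sid:rev
    return Alert(rec["timestamp"], int(rec["pkt_num"]), rec["proto"],
                 rec["pkt_gen"], int(rec["pkt_len"]), rec["dir"],
                 src_ip, src_port, dst_ip, dst_port, gid, sid, rev, rec["action"])


def parse_alerts(text: str) -> List[Alert]:
    return [parse_alert(ln) for ln in text.splitlines() if ln.strip()]


def count_by_rule(alerts: List[Alert]) -> Counter:
    """Hit counts per (gid, sid), the usual first pivot when tuning rules."""
    return Counter((a.gid, a.sid) for a in alerts)


def in_local_sid_range(sid: int) -> bool:
    """True when the SID sits in the range reserved for local rules.

    The post's local.rules uses sid 4, 5 and 6, which fall inside the vendor
    range, so once PulledPork populates snort.rules they could collide.
    """
    return sid >= LOCAL_SID_MIN


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_CSV):
        print(alert)
    print(count_by_rule(parse_alerts(SAMPLE_CSV)))
```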

At this point, we know our Snort3 installation is working with our local rules. Now let's feed the pig via PulledPork.

First up, prerequisites.

If you wish, you can register at snort.org to get an OINK code. Once you have that, you can gain access to the registered rules. If not, you can use the community rules.

Next, install the software prerequisites.

securitynik@snort3:~$ cd ~/snort-files/
securitynik@snort3:~$ sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

Next up, clone PulledPork, copy the pulledpork.pl file to /usr/local/bin and make it executable. Then copy the config file (pulledpork.conf) to /usr/local/etc/pulledpork.

securitynik@snort3:~/snort-files$ git clone https://github.com/shirkdog/pulledpork.git

securitynik@snort3:~/snort-files$ cd pulledpork/
securitynik@snort3:~/snort-files/pulledpork$ sudo cp pulledpork.pl /usr/local/bin/ -v
'pulledpork.pl' -> '/usr/local/bin/pulledpork.pl'
securitynik@snort3:~/snort-files/pulledpork$ sudo chmod +x /usr/local/bin/pulledpork.pl 
securitynik@snort3:~/snort-files/pulledpork$ sudo cp etc/*.conf /usr/local/etc/pulledpork/

Verifying that PulledPork is installed and runs properly.

securitynik@snort3:~/snort-files/pulledpork$ pulledpork.pl -V
PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!

Let's now modify the pulledpork.conf file. As always, before modifying a config file, I like to make a copy of it.

securitynik@snort3:~/snort-files/pulledpork$ sudo cp /usr/local/etc/pulledpork/pulledpork.conf /usr/local/etc/pulledpork/pulledpork.conf.ORIG

Change line 19 from ...

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

... to

19. rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|4aabb98....bd138aFF

If you have an OINK code, change line 21 from ...

 21. rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

... to the line below, by commenting it out (#). Note: if you do not have an OINK code for line 19, leave this line as-is to get the community rules and comment out line 19 instead. If you do have an OINK code, comment this line out, as the community rules are part of the registered rules.

21. #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

Change line 72 from ...

72. rule_path=/usr/local/etc/snort/rules/snort.rules

... to reflect the path of the files we created above.

72. rule_path=/usr/local/etc/rules/snort.rules

Change line 87 from ...

87. local_rules=/usr/local/etc/snort/rules/local.rules

... to

87. local_rules=/usr/local/etc/rules/local.rules

Change line 94 from ...

94. sid_msg_version=1

... to

94. sid_msg_version=2

Change line 110 from ...

110. sorule_path=/usr/local/lib/snort_dynamicrules/

... to

110. sorule_path=/usr/local/etc/so_rules/

Change line 117 from ...

117. config_path=/usr/local/etc/snort/snort.conf

... to

117. config_path=/usr/local/etc/snort/snort.lua

Change line 134 from ...

134. distro=FreeBSD-12

... to

134. distro=Ubuntu-18-4

Change line 142 from ...

142. block_list=/usr/local/etc/snort/rules/iplists/default.blocklist

... to

142. block_list=/usr/local/etc/lists/default.blocklist

Change line 151 from ...

151. IPRVersion=/usr/local/etc/snort/rules/iplists

... to

151. IPRVersion=/usr/local/etc/lists


Change line 186 from ...

186. pid_path=/var/run/snort_eth0.pid

... to

186. pid_path=/var/log/snort/snort.pid

Change the Snort version on line 196 from ...

# snort_version=2.9.0.0

... to

snort_version=3.0.0.0

Finally, let's uncomment line 209, changing it from ...

# ips_policy=security

... to

ips_policy=security

With those steps completed, let's run PulledPork.

securitynik@snort3:~$ sudo pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -PEl

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-3000.tar.gz....
Rules tarball download of snortrules-snapshot-3000.tar.gz....
        They Match
        Done!
IP Blocklist download of https://snort.org/downloads/ip-block-list....
Reading IP List...
Prepping rules from snortrules-snapshot-3000.tar.gz for work....
        Done!
....

Rule Stats...
        New:-------15151
        Deleted:---0
        Enabled Rules:----15151
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------15151
IP Blocklist Stats...
        Total IPs:-----816

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Run Snort again against one of our PCAPs using the new rules.

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua --tweaks talos --pcap-list securitynik-sample.pcap -R /usr/local/etc/rules/snort.rules
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
Loading talos.lua:
Finished talos.lua:
        ssh
        hosts
        ....
Loading rule args:
Loading /usr/local/etc/rules/snort.rules:
Finished /usr/local/etc/rules/snort.rules:
Finished rule args:
--------------------------------------------------
rule counts
       total rules loaded: 15151
               text rules: 15151
            option chains: 15151
            chain headers: 332
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     222       9       7       3
     src    5852      24       0       0
     dst    8852     191       0       0
    both       2       3       0       0
   total   14928     227       7       3
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   15151       0   15151    /usr/local/etc/snort/snort.lua
--------------------------------------------------


....

Appid Statistics
--------------------------------------------------
detected apps and services
              Application: Flows      Clients    Users      Payloads   Misc       Incompat.  Failed
                  unknown: 323        0          0          0          0          0          0
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.667893
                 pkts/sec: 21044
                Mbits/sec: 124
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1 34937   2       235       0      0       716         3         0             3        0        0
2         1 53975   2       321       0      0       290         0         0             0        0        0
3         1 37730   5       321       0      0       262         0         0             0        0        0
4         1 37731   5       353       0      0        94         0         0             0        0        0
5         1 55704   2        34       0      0        78         2         0             2        0        0
6         1 53264   1        26       0      0        61         2         0             2        0        0
7         1 47030   1         5       0      0         7         1         0             1        0        0
8         1 32005   8         1       0      0         4         4         0             4        0        0
9         1 32406   3         1       0      0         3         3         0             3        0        0
10        1 32405   3         1       0      0         2         2         0             2        0        0
o")~   Snort exiting

Ok, now we have fed the pig and given it enough wings to fly. Let's wrap up this 4 part series with some important housekeeping activities. See you in the next post.


References:

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/003/979/original/Snort3_3.1.0.0_on_Ubuntu_18___20.pdf

https://www.youtube.com/watch?v=PYP0YH2PVuo&list=PLpPXZRVU-dX33VNUeqWrMmBNf5FeKVmi-&index=2

https://github.com/shirkdog/pulledpork

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/004/026/original/Snort_3_GA_on_OracleLinux_8.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/131/original/Snort_3_on_openSUSE_Leap_42.3.pdf

https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/176/original/Snort_3_on_FreeBSD_11.pdf



Snort3 on Ubuntu 20 - The Initial Setup

Now that Cisco has released Snort3 via general availability, I decided to do a quick 4 part series on its installation, learning a little about Snort3, feeding the pig and Snort3 housekeeping.

Back in 2014, I did a post on "Building snort 3.0 (snort++)". With 6 years elapsing, I wanted to see what has changed with the installation and thus this new series.

Additionally, and more importantly, I'm sure we will eventually transition the SANS SEC503 Intrusion Detection in Depth class to Snort3. When we do, I doubt whether we will show you how to install and configure Snort3. Thus this 4 part series and the associated reference materials below are also being made available, so our SEC503 students have the resources readily available if and when they choose to install and configure Snort3.

For this post, we will leverage my previous post in conjunction with Snort 3.1.0.0 on Ubuntu 18 & 20 - Configuring a Full NIDS & SIEM by Noah Dietrich from the snort.org website as well as additional information from other sources.

This is all based on a clean installation of Ubuntu 20 minimal install on VirtualBox.

securitynik@snort3:~$ lsb_release --all
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

Note: If you choose to install VirtualBox tools from the "CD", you may get an error about "This system is currently not set up to build kernel modules." To resolve this, execute:

securitynik@snort3:~$ sudo apt install virtualbox-guest-utils virtualbox-guest-dkms

As always, we expect your system to be fully updated and hardened. There are various hardening guides online, such as those from the Center For Internet Security. However, to ensure your system is at least updated, run the following:

securitynik@snort3:~$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y

Depending on your install, you may also need to install gcc and make.

securitynik@snort3:~$ sudo apt-get install gcc make

Time is of great importance. To ensure your system time reflects your time zone, use the following commands. Note also that you should consider taking advantage of NTP, as I've done below, rather than manually configuring your time.

First, list the available time zones.

securitynik@snort3:~$ sudo timedatectl list-timezones
Africa/Abidjan
Africa/Accra
Africa/Algiers

....
America/Tijuana
America/Toronto
America/Vancouver
America/Whitehorse
America/Winnipeg
....

I will set mine to America/Toronto, while keeping my clock in UTC and using an NTP server. Local time can be problematic when using NTP, as the time may not be properly updated during shifts to and from daylight saving time.

securitynik@snort3:~$ sudo timedatectl set-timezone America/Toronto
securitynik@snort3:~$ sudo timedatectl set-local-rtc False
securitynik@snort3:~$ sudo timedatectl set-ntp True

Verifying the time configuration.

securitynik@snort3:~$ sudo timedatectl 
               Local time: Wed 2021-01-27 11:14:29 EST 
           Universal time: Wed 2021-01-27 16:14:29 UTC 
                 RTC time: Wed 2021-01-27 16:14:29     
                Time zone: America/Toronto (EST, -0500)
System clock synchronized: yes                         
              NTP service: active                      
          RTC in local TZ: no

Do note, if you are monitoring intrusion events (via Snort, SIEM or any other tool) across different time zones, you are better off having your systems in UTC time. This makes it easy to correlate activities across these various time zones. 

With time properly configured, let's now install Snort3 by starting with its dependencies.

In my previous install, I did a lot of compiling of code. It looks like that is still the case at this time and will probably be that way for a while. I hope sooner rather than later, it is incorporated within a package manager.

Let's first create a directory to store our downloaded files.

securitynik@snort3:~$ pwd
/home/securitynik
securitynik@snort3:~$ mkdir snort-files
securitynik@snort3:~$ cd snort-files/

Now that we are inside the snort-files folder, let's grab the prerequisites.

securitynik@snort3:~/snort-files$ sudo apt-get install -y build-essential \
autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev \
pkg-config libhwloc-dev cmake liblzma-dev openssl libssl-dev cpputest \
libsqlite3-dev libtool uuid-dev git autoconf bison flex libcmocka-dev \
libnetfilter-queue-dev libunwind-dev libmnl-dev ethtool

Next, install the Safe C Library (safeclib) from GitHub.

securitynik@snort3:~/snort-files$ git clone https://github.com/rurban/safeclib.git
securitynik@snort3:~/snort-files$ cd safeclib/
securitynik@snort3:~/snort-files/safeclib$ build-aux/autogen.sh
securitynik@snort3:~/snort-files/safeclib$ ./configure && make && sudo make install

Next we install pcre-8.44 as specified so that we can leverage Hyperscan for fast pattern matching.

securitynik@snort3:~/snort-files$ wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file pcre-8.44.tar.gz
securitynik@snort3:~/snort-files$ cd pcre-8.44/
securitynik@snort3:~/snort-files/pcre-8.44$ ./configure && make && sudo make install

After pcre-8.44, we next install gperftools (originally Google Performance Tools).

securitynik@snort3:~/snort-files$ git clone https://github.com/gperftools/gperftools.git
securitynik@snort3:~/snort-files$ cd gperftools
securitynik@snort3:~/snort-files/gperftools$ ./autogen.sh
securitynik@snort3:~/snort-files/gperftools$ ./configure && make && sudo make install

Next up, install the Ragel State Machine Compiler. If you wish to install the latest version as of this writing, which is 7.0.3, you will need to install the Colm Programming Language. I stuck with version 6 as described in the Snort document, as Colm produced some errors which I did not wish to spend much time troubleshooting.

securitynik@snort3:~/snort-files$ wget http://www.colm.net/files/ragel/ragel-6.10.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --gzip --verbose --file ragel-6.10.tar.gz 
securitynik@snort3:~/snort-files$ cd ragel-6.10/
securitynik@snort3:~/snort-files/ragel-6.10$ ./configure && make && sudo make install

Next up, we download but DO NOT install the Boost C++ libraries. We also verify the file against the SHA256 hash from the website.

securitynik@snort3:~/snort-files$ wget https://boostorg.jfrog.io/artifactory/main/release/1.75.0/source/boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ sha256sum boost_1_75_0.tar.gz 
aeb26f80e80945e82ee93e5939baebdca47b9dee80a07d3144be1e1a6a66dd6a  boost_1_75_0.tar.gz

securitynik@snort3:~/snort-files$ tar --extract --verbose --file boost_1_75_0.tar.gz 

Let's grab Hyperscan.

securitynik@snort3:~/snort-files$ git clone https://github.com/intel/hyperscan
securitynik@snort3:~/snort-files$ cd hyperscan
securitynik@snort3:~/snort-files/hyperscan$ cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort-files/boost_1_75_0/ ../hyperscan/
securitynik@snort3:~/snort-files/hyperscan$ make && sudo make install

Install FlatBuffers.

securitynik@snort3:~/snort-files$ git clone https://github.com/google/flatbuffers.git
securitynik@snort3:~/snort-files$ mkdir flatbuffers-build
securitynik@snort3:~/snort-files$ cd flatbuffers-build/
securitynik@snort3:~/snort-files/flatbuffers-build$ cmake ../flatbuffers
securitynik@snort3:~/snort-files/flatbuffers-build$ make && sudo make install

Next up, install the Data Acquisition Library (DAQ).

securitynik@snort3:~/snort-files$ git clone https://github.com/snort3/libdaq.git
securitynik@snort3:~/snort-files$ cd libdaq/
securitynik@snort3:~/snort-files/libdaq$ ./bootstrap 
securitynik@snort3:~/snort-files/libdaq$ ./configure && make && sudo make install

Wheewwww! That is a lot of prerequisites. Hopefully, they can package all of these up via a package manager to make the install process easier. Note, if you don't install them in the order provided, you can expect one or more products to complain about dependencies on other products.

Finally, let's update the shared libraries.

securitynik@snort3:~$ sudo ldconfig

Now for the main course. Let's install Snort3. Because sometime after this install I would like to see what the command shell looks like, I'm also enabling that via the configure script, along with the ability to process PCAPs over two gigabytes.

securitynik@snort3:~/snort-files$ wget https://www.snort.org/downloads/snortplus/snort3-3.1.0.0.tar.gz
securitynik@snort3:~/snort-files$ tar --extract --verbose --gzip --file snort3-3.1.0.0.tar.gz 
securitynik@snort3:~/snort-files$ cd snort3-3.1.0.0/
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ ./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc  --enable-shell --enable-large-pcap  
securitynik@snort3:~/snort-files/snort3-3.1.0.0$ cd build/
securitynik@snort3:~/snort-files/snort3-3.1.0.0/build$ make && sudo make install

Once I run snort --version, we see what seems to suggest we are good to go.

securitynik@snort3:~$ snort --version

   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.0.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.0
           Using LuaJIT version 2.1.0-beta3
           Using OpenSSL 1.1.1f  31 Mar 2020
           Using libpcap version 1.9.1 (with TPACKET_V3)
           Using PCRE version 8.44 2020-02-12
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.12.0
           Using Hyperscan version 5.4.0 2021-01-28
           Using LZMA version 5.2.4

Running a test using the default configuration, we see below Snort successfully validated the configuration (with 0 warnings).

securitynik@snort3:~$ snort -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
	ssh
	hosts
	host_cache
	pop
	...
	stream_file
Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting

Oink! Onik! Our piggy is preparing to fly. See you in the next post where we learn a little bit more about Snort3 before feeding it via rules and performing housekeeping.



Snort3 on Ubuntu 20 - Learning a little about our installation - Getting Help, Running Snort3, etc

In the previous post, we performed the install of Snort3. In this post, we learn a little about Snort3 before we start feeding it via rules and then perform some housekeeping.

Getting help!

securitynik@snort3:~$ snort --help

Snort has several options to get more help:

-? list command line options (same as --help)
--help this overview of help
--help-commands [<module prefix>] output matching commands
--help-config [<module prefix>] output matching config options
--help-counts [<module prefix>] output matching peg counts
--help-limits print the int upper bounds denoted by max*
--help-module <module> output description of given module
--help-modules list all available modules with brief help
....

To get help on a particular component, we can then run:

securitynik@snort3:~$ snort --help-commands
appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): enable appid debugging
appid.disable_debug(): disable appid debugging
appid.reload_third_party(): reload appid third-party module
appid.reload_detectors(): reload appid detectors
host_cache.dump(file_name): dump host cache
...

To list the available plugins:

securitynik@snort3:~$ snort --list-plugins | more
codec::arp v0 static
codec::auth v0 static
codec::bad_proto v0 static
codec::ciscometadata v0 static
codec::erspan2 v0 static
codec::erspan3 v0 static
codec::esp v0 static
codec::eth v0 static
codec::fabricpath v0 static
codec::gre v0 static
....

To see the command line options available, use --help-options.

securitynik@snort3:~$ snort --help-options
-? <option prefix> output matching command line option quick help (same as --help-options) (optional)
-A <mode> set alert mode: none, cmg, or alert_*
-B <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
-C print out payloads with character data only (no hex)
-c <conf> use this configuration
-D run Snort in background (daemon) mode
-d dump the Application Layer
-e display the second layer header info
-f turn off fflush() calls after binary log writes
-G <0xid> (same as --logid) (0:65535)
-g <gname> run snort gid as <gname> group (or gid) after initialization
-H make hash tables deterministic
-i <iface>... list of interfaces
...

While this system has tcpdump installed by default, let's also install TShark.

securitynik@snort3:~$ sudo apt-get install tshark

Using tcpdump, I captured over 21,044 packets with the following command.

securitynik@snort3:~$ sudo tcpdump -n --interface enp0s3 -v -w securitynik-sample.pcap
tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
Got 1448

Got 1448
^C21044 packets captured
21044 packets received by filter
0 packets dropped by kernel

Using TShark, let's now see what is in this file.

securitynik@snort3:~$ tshark -n -r securitynik-sample.pcap -q -z io,phs
===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:21044 bytes:178288931
  ip                                     frames:20780 bytes:178275019
    udp                                  frames:851 bytes:118457
      dns                                frames:819 bytes:115601
      ntp                                frames:24 bytes:2160
      mdns                               frames:8 bytes:696
    tcp                                  frames:19929 bytes:178156562
      http                               frames:156 bytes:28081
        media                            frames:1 bytes:1448
          tcp.segments                   frames:1 bytes:1448
      tls                                frames:7855 bytes:164523943
        tcp.segments                     frames:7572 bytes:164188303
          tls                            frames:7555 bytes:163997610
  arp                                    frames:256 bytes:13056
  ipv6                                   frames:8 bytes:856
    udp                                  frames:8 bytes:856
      mdns                               frames:8 bytes:856
===================================================================

Doing some basic processing on the file with Snort3, we see 1 PCAP with 21,044 records received and analyzed, just as we captured. We also got information on the timing for the processing of these packets. Looks like Snort3 processed all 21,044 packets in under 1 second.

securitynik@snort3:~$  snort --pcap-list securitynik-sample.pcap 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
-- [0] securitynik-sample.pcap
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       	(100.000%)
                 discards: 17392       	( 82.646%)
                      arp: 256         	(  1.216%)
                      eth: 21044       	(100.000%)
                     ipv4: 20780       	( 98.745%)
                     ipv6: 8           	(  0.038%)
                      tcp: 11046       	( 52.490%)
                      udp: 859         	(  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 21044
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.486754
                 pkts/sec: 21044
                Mbits/sec: 124
o")~   Snort exiting
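The statistics block above is the place to confirm that Snort actually inspected everything the capture held: received should equal analyzed, and the bad_*_checksum counters tell you how many packets the decoder considered corrupt (a capture taken on the sending host with checksum offload enabled looks exactly like this). Here is an added example, not part of the original post or of Snort itself, that parses that summary into a dictionary and reports those two conditions; the sample text is the summary from the run above, copied into the script so it runs offline.

```python
"""Parse the Packet Statistics summary Snort 3 prints at exit and flag
anything a packet-processing sanity check should catch."""
from typing import Dict, List, Optional, Union

Number = Union[int, float, str]

# Sample input: the summary printed by `snort --pcap-list securitynik-sample.pcap`
# above, embedded here so the example needs no Snort install to run.
SAMPLE_STATS = """\
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 21044
                 analyzed: 21044
                    allow: 21044
                 rx_bytes: 16259569
--------------------------------------------------
codec
                    total: 21044       \t(100.000%)
                 discards: 17392       \t( 82.646%)
                      arp: 256         \t(  1.216%)
                      eth: 21044       \t(100.000%)
                     ipv4: 20780       \t( 98.745%)
                     ipv6: 8           \t(  0.038%)
                      tcp: 11046       \t( 52.490%)
                      udp: 859         \t(  4.082%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 21044
--------------------------------------------------
tcp
        bad_tcp4_checksum: 8071
--------------------------------------------------
udp
        bad_udp4_checksum: 430
        bad_udp6_checksum: 8
--------------------------------------------------
Summary Statistics
--------------------------------------------------
timing
                  runtime: 00:00:00
                  seconds: 0.486754
                 pkts/sec: 21044
                Mbits/sec: 124
"""


def _to_number(token: str) -> Number:
    """Counters are ints, timing may be a float; anything else (00:00:00) stays text."""
    for conv in (int, float):
        try:
            return conv(token)
        except ValueError:
            pass
    return token


def parse_snort_stats(text: str) -> Dict[str, Dict[str, Number]]:
    """Return {section: {counter: value}} for the daq/codec/module/timing blocks."""
    stats: Dict[str, Dict[str, Number]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Separator rules and the "... Statistics" group headers carry no counters.
        if not line or set(line) == {"-"} or line.endswith("Statistics"):
            continue
        if ":" not in line:
            section = line                      # e.g. "daq", "codec", "tcp", "timing"
            stats.setdefault(section, {})
            continue
        if section is None:
            continue
        key, _, rest = line.partition(":")
        tokens = rest.split()
        # The codec block appends a percentage ("21044  (100.000%)"); keep the count only.
        if tokens:
            stats[section][key.strip()] = _to_number(tokens[0])
    return stats


def check_stats(stats: Dict[str, Dict[str, Number]]) -> List[str]:
    """Findings worth reading before trusting the alert counts from a run."""
    findings: List[str] = []
    daq = stats.get("daq", {})
    received, analyzed = daq.get("received", 0), daq.get("analyzed", 0)
    if isinstance(received, int) and isinstance(analyzed, int) and analyzed < received:
        findings.append(f"daq: {received - analyzed} packets received but not analyzed")
    for section, counters in stats.items():
        for name, value in counters.items():
            if name.startswith("bad_") and name.endswith("_checksum") \
                    and isinstance(value, int) and value > 0:
                findings.append(
                    f"{section}: {value} packets failed {name}; typical of checksum "
                    "offload on the capturing host, and such packets are treated as "
                    "corrupt unless checksum verification is relaxed with -k none")
    return findings


if __name__ == "__main__":
    for finding in check_stats(parse_snort_stats(SAMPLE_STATS)):
        print(finding)
```

Feed it the tail of any Snort run (for example `snort ... 2>&1 | tail -n 60`) and an empty findings list means every packet reached detection with its checksums intact.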

If you wish to dump the contents of the PCAP file, add the "-L dump" option, or go even further by adding "-d" to dump the application-layer data. In this case I will add "-n 1" to process only 1 packet.

securitynik@snort3:~$ snort --pcap-list securitynik-sample.pcap -L dump -d -n 1 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to read-file.
Commencing packet processing
++ [0] securitynik-sample.pcap
pkt:1	
eth(DLT):  08:00:27:2A:BA:15 -> 52:54:00:12:35:02  type:0x0800
ipv4(0x0800):  10.0.2.15 -> 64.71.255.198
	Next:0x11 TTL:64 TOS:0x0 ID:55133 IpLen:20 DgmLen:86 DF

snort.raw[66]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
9F 59 00 35 00 42 4C 70  9C 9D 01 00 00 01 00 00  .Y.5.BLp ........
00 00 00 01 12 63 6F 6E  6E 65 63 74 69 76 69 74  .....con nectivit
79 2D 63 68 65 63 6B 06  75 62 75 6E 74 75 03 63  y-check. ubuntu.c
6F 6D 00 00 01 00 01 00  00 29 02 00 00 00 00 00  om...... .)......
00 00                                             ..
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

While reading back data from a PCAP file is cool, Snort3 is more than likely going to be running in live mode most of the time. Here is what it looks like once you decide to run Snort from the command line against a live interface.

First off, decide on the interface or interfaces you wish to capture traffic on. Here is the list of interfaces on my VM.

securitynik@snort3:~$  ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:2a:ba:15 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 59259sec preferred_lft 59259sec
    inet6 fe80::8adb:ccd9:2479:82c3/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:eb:40:cd brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.116/24 brd 10.0.0.255 scope global dynamic noprefixroute enp0s8
       valid_lft 459sec preferred_lft 459sec
    inet6 fe80::2cf1:a00b:bcce:f58c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Let's tell Snort3 to capture traffic on the two non-loopback interfaces. Note, while I'm using two interfaces separated by a colon, you can instead use a single interface, as would be the case on most IDS installs.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8
[sudo] password for securitynik: 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
pcap DAQ configured to passive.
Commencing packet processing
++ [0] enp0s3:enp0s8
...

You might notice above "pcap DAQ configured to passive". To enable inline mode operation, add the -Q option to the command line.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
--------------------------------------------------
Inspection Policy : policy id 0 : 
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64
...

You more than likely want to run Snort in IDS or IPS mode, and thus with a configuration file. Let's use the default one which comes with Snort3 and which we used in the previous post.

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -v -Q -c /usr/local/etc/snort/snort.lua 
--------------------------------------------------
o")~   Snort++ 3.1.0.0
--------------------------------------------------
Loading /usr/local/etc/snort/snort.lua:
....

Finished /usr/local/etc/snort/snort.lua:
--------------------------------------------------
Inspection Policy : policy id 0 : /usr/local/etc/snort/snort.lua
--------------------------------------------------
.....
stream_tcp:
             flush_factor: 0
                  max_pdu: 16384
               max_window: 0
                   no_ack: disabled
            overlap_limit: 0
                   policy: bsd
              queue_limit: { max_bytes = 1048576, max_segments = 2621 }
         reassemble_async: enabled
             require_3whs: -1 (disabled)
          session_timeout: 30
           small_segments: { count = 0, maximum_size = 0 }
               track_only: disabled
--------------------------------------------------
stream_udp:
          session_timeout: 30
--------------------------------------------------
stream_user:
          session_timeout: 30
--------------------------------------------------
telnet:
        ayt_attack_thresh: -1
          check_encrypted: disabled
        encrypted_traffic: disabled
                normalize: disabled
--------------------------------------------------
wizard:
--------------------------------------------------
pcap DAQ configured to inline.
--------------------------------------------------
host_cache
    memcap: 8388608 bytes
Commencing packet processing
++ [0] enp0s3:enp0s8
Instance 0 daq pool size: 256
Instance 0 daq batch size: 64

Let's see now what the "--talos" option shows us. The Snort reference manual is not very verbose on this. It simply says it "enables Talos tweak", whatever that means. Additionally, instead of using "--talos", you can use "--tweaks talos".

securitynik@snort3:~$ sudo snort -i enp0s3:enp0s8 -Q -c /usr/local/etc/snort/snort.lua \
--tweaks talos --pcap-list securitynik-sample.pcap -R local.rules -q

##### securitynik-sample.pcap #####
	[1:1:0] Nik Testing (alerts: 2825)
#####
--------------------------------------------------
rule profile (all, sorted by total_time)
#       gid   sid rev    checks matches alerts time (us) avg/check avg/match avg/non-match timeouts suspends
=       ===   === ===    ====== ======= ====== ========= ========= ========= ============= ======== ========
1         1     1   0      2908    2908   2825      1863         0         0             0        0        0

We see above information on our test rule. Not to worry, we will look at rules in the next post where we feed the pig. Remember, rules give the pig wings :-)

Monday, January 25, 2021

Get the list of firewalls from Palo Alto's Panorama via Powershell - Store results CSV

This is a guest post from Vinamra Bhatnagar, a Palo Alto guru whom I work with.

A request was made by one of our readers to get this information from Panorama. Vinamra was kind enough to assist with a guest post. Hope you enjoy it.

Sample Code

Add-Type -AssemblyName System.Web
# Panorama requires TLS 1.2; older PowerShell builds default to SSL3/TLS 1.0
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

#change directory to where the CSV will be written
Set-Location "{output directory}"
$OutputCsvFile = "PaloAltoDevices.csv"
$PanoramaIPAddress = "{panorama fqdn or IP without HTTPS}"

#generate api key. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key
$APIKey = "{Panorama API Key}"

#operational command "show devices all"; System.Web's UrlEncode escapes the XML tags for the query string
$Command = [System.Web.HttpUtility]::UrlEncode("<show><devices><all></all></devices></show>")
$url = "https://{0}/api/?type=op&cmd={1}&key={2}" -f $PanoramaIPAddress, $Command, $APIKey

Write-Host "Fetching Data From Panorama API..."
$WebClient = New-Object System.Net.WebClient
#accept any server certificate (Panorama usually ships a self-signed one).
#Note this also sends the API key to whichever host answers at $PanoramaIPAddress,
#so remove this line once Panorama presents a certificate this machine trusts.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

try
{
    $result = [Xml]$WebClient.DownloadString($url)

    If ($result.response.status -eq 'success'){
        #Save Device Properties To CSV File
        $result.response.result.devices.entry | Export-Csv -Path $OutputCsvFile -NoTypeInformation

        #@() keeps .Count working when only one firewall is returned
        $msg = "{0} Firewalls Found. Details Are Saved to CSV File: {1}" -f @($result.response.result.devices.entry).Count, $OutputCsvFile
        Write-Host $msg
    } else {
        #an error response (e.g. status="error" for a bad key) carries its text in <msg>
        $msg = "Panorama returned status '{0}': {1}" -f $result.response.status, $result.response.result.msg
        Write-Host $msg
    }
}
Catch [System.Net.WebException]{
    #HTTP errors (403 for invalid credentials) and connection failures land here
    Write-Host ('Request failed (invalid credentials or unreachable host): {0}' -f $_.Exception.Message)
}
finally {
    #empty result variable at end. Important: it holds the full device inventory.
    $result = ""
}


Usage Info:

First, generate your API key using the guidance provided by Vinamra.

Follow this document to generate an API key: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/get-your-api-key


Once you have your key, run the script.

The easiest way to run this ps1 script is to copy and paste it into Notepad, update the variables, and paste it into PowerShell. Sometimes, due to enterprise policies, ps1 files are not allowed to execute.

C:\Users\testuser\Documents> .\PanoramaConnectedDevicesToCSV.ps1
Fetching Data From Panorama API...
2 Firewalls Found. Details Are Saved to CSV File: PaloAltoDevices.csv


Sample Results:

name,serial,connected,unsupported-version,deactivated,hostname,ip-address,ipv6-address,uptime,family,model,sw-version,app-version,av-version,wildfire-version,threat-version,url-db,url-filtering-version,logdb-version,global-protect-client-package-version,prev-app-version,prev-av-version,prev-threat-version,prev-wildfire-version,domain,is-dhcp,vpn-disable-mode,operational-mode,certificate-status,certificate-subject-name,certificate-expiry,connected-at,custom-certificate-usage,multi-vsys,vsys,device-cert-present,device-cert-expiry-date
12345678,12345678,yes,no,no,LabPaloAlto1,172.16.1.1,unknown,"31 days, 1:34:40",vm,PA-VM,8.1.16,8364-6497,0,524895-527899,8364-6497,paloaltonetworks,20210115.2,8.1.8,0.0.0,8362-6491,0,8362-6491,524892-527896,,yes,no,normal,,12345,8/1/2020 20:05,12/27/2020 15:15,no,no,System.Xml.XmlElement,None,N/A
124335678,124335678,yes,no,,LabPaloAlto2,172.16.2.1,unknown,"785 days, 18:59:47",vm,PA-VM,8.1.16,8365-6501,3591-4102,0,8365-6501,paloaltonetworks,20210115.2,8.1.8,0.0.0,,,,,,,no,normal,,1234345,4/1/2029 11:24,12/17/2020 2:59,no,no,System.Xml.XmlElement,,N/A
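The vsys column in the results above reads System.Xml.XmlElement because Export-Csv writes a nested element by its type name rather than its contents, and the script writes nothing at all when Panorama answers with a non-success status. The following is an added example, not Vinamra's script and not Palo Alto's own tooling, showing the parsing step in Python so it runs offline: the response XML is constructed here with made-up device values in the same response/result/devices/entry layout the script reads, nested elements such as vsys are flattened into a joined list, and an error response (assumed to carry its text in a msg element) raises instead of being silently ignored.

```python
"""Flatten a Panorama 'show devices all' XML response into CSV rows."""
import csv
import io
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample response: layout mirrors the <response><result><devices><entry>
# tree the PowerShell script reads; serials, names and addresses are made up.
SAMPLE_RESPONSE = """<response status="success"><result><devices>
  <entry name="12345678">
    <serial>12345678</serial><connected>yes</connected><deactivated>no</deactivated>
    <hostname>LabPaloAlto1</hostname><ip-address>172.16.1.1</ip-address>
    <model>PA-VM</model><sw-version>8.1.16</sw-version><multi-vsys>no</multi-vsys>
    <vsys><entry name="vsys1"><display-name>vsys1</display-name></entry></vsys>
  </entry>
  <entry name="124335678">
    <serial>124335678</serial><connected>yes</connected><deactivated/>
    <hostname>LabPaloAlto2</hostname><ip-address>172.16.2.1</ip-address>
    <model>PA-VM</model><sw-version>8.1.16</sw-version><multi-vsys>yes</multi-vsys>
    <vsys>
      <entry name="vsys1"><display-name>vsys1</display-name></entry>
      <entry name="vsys2"><display-name>dmz</display-name></entry>
    </vsys>
  </entry>
</devices></result></response>"""


def flatten_device(entry: ET.Element) -> Dict[str, str]:
    """One CSV row per device; nested elements become a ';'-joined list of names."""
    row = {"name": entry.get("name", "")}
    for child in entry:
        if len(child):
            # e.g. <vsys> holds one <entry name="..."> per virtual system
            row[child.tag] = ";".join(e.get("name") or (e.text or "").strip() for e in child)
        else:
            # empty elements such as <deactivated/> become an empty cell, not "None"
            row[child.tag] = (child.text or "").strip()
    return row


def parse_devices(xml_text: str) -> List[Dict[str, str]]:
    """Parse the API response, failing loudly when status is not 'success'."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        msg = root.findtext(".//msg") or "no message"
        raise ValueError(f"Panorama returned status {root.get('status')!r}: {msg}")
    return [flatten_device(e) for e in root.findall("./result/devices/entry")]


def devices_to_csv(rows: List[Dict[str, str]]) -> str:
    """Render rows as CSV text; columns are the union of fields, in first-seen order."""
    columns: List[str] = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(devices_to_csv(parse_devices(SAMPLE_RESPONSE)), end="")
```

Wire the fetch in front of parse_devices with an HTTPS client that validates the Panorama certificate, and the API key is then only ever sent to the host it was issued for.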


Feel free to check out Vinamra's GitHub to learn more.