Latest Updates: CB ThreatHunter App for Splunk 1.0.0 Released

Palo Alto Networks WildFire Connector 2.3 for Cb Response Released

Posted on April 13, 2016


Changelog

This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function.

Also included in this release:

  • Fixes to high CPU usage. The connector should now use a very small CPU% when running.
  • The connector now pulls down the PDF reports for any binaries that are determined to be “greyware” or “malware”. The reports are served from the same embedded HTTP server that provides the Cb feed. There may be firewall/IP issues - see below.
  • This release is the first one to be built as a Python packaged binary rather than standalone binary; this does not affect most users, however, this solves problems for users whose /tmp directory was set to noexec, preventing previous versions of the connectors from running properly.

File Reporting

The WildFire connector now automatically retrieves the PDF report for any “greyware” or “malware” binaries. Links to these reports are included in the feed provided to your Carbon Black server. In order for users to access these reports, you must have two items properly configured:

  1. The feed_host option in the /etc/cb/integrations/wildfire/connector.conf file must be set to the IP or hostname where the connector is running. This IP/hostname must be accessible from any analyst machines that are used to retrieve the PDF reports.
  2. The host firewall (iptables) must be configured to allow incoming HTTP access to the feed port (default is 3774, set through the listener_port option in the configuration file above) so that analyst machines can retrieve the PDF reports.