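#!/usr/bin/perl
#
# PoC of gateway between a FireEye appliance and a PaloAlto firewall
#
# Xavier Mertens
#
# Listens for FireEye alert notifications (HTTP POST with an XML body), pulls
# every //attacker/address element out of the body and, for each address not
# seen before, creates a "FireEye_<ip>" address object on the PAN-OS XML API
# and adds it to the "FireEye_Attackers" address-group.  The firewall policy
# that references this group is what actually blocks the traffic.
use strict;
use warnings;

use HTTP::Daemon;
use HTTP::Response;
use HTTP::Status;
use LWP::UserAgent;
use URI;
use XML::XPath;

my $PA_apiKey   = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';    # Generate your own key
my $PA_IP       = '10.0.0.1';
my $PA_hostName = 'localhost.localdomain';
my $PA_vSys     = 'vsys1';
my $LISTEN_PORT = 80;

# Addresses already pushed to the firewall, keyed by dotted-quad string.
my %blacklisted;

# Strict dotted-quad check: four octets, each 0-255, anchored at both ends.
# The address is later interpolated into an XPath expression and an object
# name on the firewall, so nothing that does not match this pattern is ever
# accepted from a notification (the original \d{1,3} pattern accepted
# values such as 999.1.1.1 and matched inside longer digit runs).
my $OCTET_RE = qr/(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])/;
my $IPV4_RE  = qr/\A $OCTET_RE (?:\.$OCTET_RE){3} \z/x;

# Create the HTTP daemon.  It binds every interface and performs no
# authentication, so any host that can reach the port can make this gateway
# push addresses into the firewall group; keep it reachable only from the
# FireEye appliance.
my $d = HTTP::Daemon->new(LocalPort => $LISTEN_PORT)
    or die "Cannot listen on port $LISTEN_PORT: $!";
print "Waiting for FireEye notifications on <" . $d->url . "> ...\n";

# Main loop: one client connection at a time, one or more requests per
# connection.
while (my $c = $d->accept) {
    while (my $r = $c->get_request) {
        if ($r->method ne 'POST') {
            $c->send_error(RC_FORBIDDEN);
            next;
        }
        print "Got POST request, processing...\n";
        for my $address (extract_attacker_addresses($r->content)) {
            print 'Received attacker address: ' . $address . "\n";
            if ($blacklisted{$address}) {
                print "Skipped, already blacklisted\n";
                next;
            }
            print 'New IP detected, sending to ' . $PA_IP . "\n";
            # Remember the address only once the firewall accepted it, so a
            # transient API failure is retried on the next notification.
            $blacklisted{$address} = 1 if submit2PaloAlto($address);
        }
        # The original never answered a POST; tell the appliance we took it.
        $c->send_response(HTTP::Response->new(RC_OK));
    }
    $c->close;
    undef $c;
}

# Parse one notification body and return the validated IPv4 addresses found
# under //attacker/address, in document order (duplicates are kept; the
# caller de-duplicates against %blacklisted).  A body that is not
# well-formed XML is logged and yields an empty list instead of raising,
# because a die here would take the whole listener down on one bad request.
sub extract_attacker_addresses {
    my ($xml) = @_;
    return () unless defined $xml && length $xml;

    # XML::XPath parses lazily, so the find() has to be inside the eval too.
    my @nodes = eval {
        my $xp = XML::XPath->new(xml => $xml);
        $xp->find('//attacker/address')->get_nodelist;
    };
    if ($@) {
        warn "Ignoring notification: cannot parse XML body: $@";
        return ();
    }

    my @addresses;
    for my $node (@nodes) {
        # string_value() is the element's text; as_string() (used before)
        # returned the serialised <address>...</address> markup, which then
        # had to be stripped with an unchecked regex.
        my $text = $node->string_value;
        $text =~ s/\A\s+|\s+\z//g;
        if ($text !~ $IPV4_RE) {
            warn "Ignoring attacker address that is not a dotted-quad IPv4: '$text'\n";
            next;
        }
        push @addresses, $text;
    }
    return @addresses;
}

# Issue one type=config&action=set call against the PAN-OS XML API and
# return the HTTP::Response.  URI->query_form percent-encodes every value,
# so the quotes, brackets and slashes in the XPath and the markup in the
# element never reach the wire unescaped.  The API key necessarily travels
# in the query string (that is how the PAN-OS API is keyed), so it will show
# up in any proxy or web-server log between here and the firewall.
sub _pa_config_set {
    my ($browser, $xpath, $element) = @_;
    my $url = URI->new("https://${PA_IP}/api/");
    $url->query_form(
        type    => 'config',
        key     => $PA_apiKey,
        action  => 'set',
        xpath   => $xpath,
        element => $element,
    );
    return $browser->get($url);
}

# Push one attacker address to the firewall: create the FireEye_<ip> address
# object, then add it as a member of the FireEye_Attackers address-group.
# Returns true on success.  On failure it warns and returns false instead of
# dying, so the daemon keeps serving other notifications.
#
# $attackerIP must already be a validated dotted quad (see $IPV4_RE); that
# validation is what keeps the XPath and the object name below free of
# injected metacharacters, and it is re-checked here as a guard.
sub submit2PaloAlto {
    my ($attackerIP) = @_;
    return unless defined $attackerIP && $attackerIP =~ $IPV4_RE;

    # NOTE(review): whether the firewall's TLS certificate is verified here
    # depends on the LWP version and environment (PERL_LWP_SSL_VERIFY_HOSTNAME,
    # ca_file etc.) -- confirm and pin the CA in production.
    my $browser = LWP::UserAgent->new;
    $browser->agent('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1');

    my $vsysXpath = "/config/devices/entry[\@name='${PA_hostName}']"
                  . "/vsys/entry[\@name='${PA_vSys}']";

    # Create the new address object
    # NOTE(review): the element markup did not survive the page extraction
    # (only "<ip>Added by FireEye" is visible); <ip-netmask>/<description>
    # is the PAN-OS address-entry schema -- confirm against the API reference
    # for the target PAN-OS release.
    my $response = _pa_config_set(
        $browser,
        "$vsysXpath/address/entry[\@name='FireEye_${attackerIP}']",
        "<ip-netmask>${attackerIP}</ip-netmask><description>Added by FireEye</description>",
    );
    unless ($response->is_success) {
        warn 'submit2PaloAlto: Cannot create new object (' . $response->status_line . ")\n";
        return;
    }

    # Populate the existing group
    # NOTE(review): same extraction loss as above (only "FireEye_<ip>" is
    # visible); <member> is the static address-group member element --
    # confirm for the target release.
    $response = _pa_config_set(
        $browser,
        "$vsysXpath/address-group/entry[\@name='FireEye_Attackers']",
        "<member>FireEye_${attackerIP}</member>",
    );
    unless ($response->is_success) {
        warn 'submit2PaloAlto: Cannot populate group (' . $response->status_line . ")\n";
        return;
    }

    # Commit is intentionally left out of the PoC (uncomment to enable).
    # NOTE(review): the cmd payload was also lost in extraction; the
    # documented PAN-OS commit command is <commit></commit>.
    # my $commitUrl = URI->new("https://${PA_IP}/api/");
    # $commitUrl->query_form(type => 'commit', key => $PA_apiKey, cmd => '<commit></commit>');
    # $response = $browser->get($commitUrl);
    # unless ($response->is_success) {
    #     warn 'submit2PaloAlto: Cannot commit configuration (' . $response->status_line . ")\n";
    #     return;
    # }

    return 1;
}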