Educause Security Discussion mailing list archives
Re: EmergingThreats.net
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Fri, 5 Oct 2012 13:50:29 -0400
I have had multiple requests for the script we have been using, so here it is for eveyone. If you improve on it, or see any issues with it (hopefully there are no issues since we have been using it for a few years J ) please let me know . and yes, that long while-do line was a personal challenge that started small, l and grew to something I had to defeat J wget --quiet --timeout=20 --no-cache --output-document=/var/log/security/EmergingThreats/FWrev <http://rules.emergingthreats.net/fwrules/FWrev> http://rules.emergingthreats.net/fwrules/FWrev # Compare new and old rev if ! `cmp -s /var/log/security/EmergingThreats/FWrev /var/log/security/EmergingThreats/FWrev.old`; then echo "CHANGE"; else exit; fi # get new list wget --quiet --timeout=20 --no-cache --output-document=/var/log/security/EmergingThreats/emerging-Block-IPs.txt <http://rules.emergingthreats.n> http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt # Filter the new list and remove our Nets and IPs for College use but hosted and possibly on the list NSUNEWS=`nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " " -f 2` FAIRDATA=`nslookup <http://www.fairdata2000.com> www.fairdata2000.com | grep Address | tail -1 | cut -d " " -f 2` cat /var/log/security/EmergingThreats/emerging-Block-IPs.txt | sed -e '/^[0-9]/!d' | sed -e 's/#.*//g' | sed -e '/^192\.168\./d' -e '/^172\.1[ 6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[0-1]\./d' -e '/^10\./d' -e '/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' -e '/^199\.111\.12[ 0-7]\./d' -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' -e '/^204\.155\.19[0-1]\./d' -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" | sort | u niq > /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed # Print the Difference diff /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed # Write some nice ACL echo;echo; echo CISCO Command to execute; echo echo object-group network Net_EmergingThreats diff /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed | while read line; do if echo $line | grep "<" ; then if echo $line | grep "/"; then echo "no network-object" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 | cut -d "/" -f 2\`|grep "Netmask ="| cut -d " " -f4`; else echo "no networ k-object host" `echo $line | cut -d " " -f 2`; fi; fi; if echo $line | grep ">" ; then if echo $line | grep "/"; then echo "network-obj ect" `echo $line | cut -d " " -f 2 | cut -d "/" -f 1` `whatmask \`echo $line | cut -d " " -f 2 | cut -d "/" -f 2\`|grep "Netmask ="| cut -d " " -f4`; else echo "network-object host" `echo $line | cut -d " " -f 2`; fi; fi; done | grep network-object # Back up the old list cp /var/log/security/EmergingThreats/FWrev /var/log/security/EmergingThreats/FWrev.old cp /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed /var/log/security/EmergingThreats/emerging-Block-IPs.txt.processed.old From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea Sent: Thursday, October 04, 2012 10:53 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] EmergingThreats.net Experts, We have been using the following for many years now http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on our border CISCO ASA firewalls with great success and little to no issues. A script pulls the new list, compares it with the old one and applies the delta. We are currently switching to PaloAlto FWs and it appears that scripting/importing this large list may not be as easy as it was with the ASA. Can those of you who use the ET list with PaloAlto give us some feedback/scripts/API on how you implemented it? We are also considering moving it to our border CISCO router either as an ACL or as a Null route, any feedback with the latter and/or scripts you may be using? My primary concern with using Null route is the fact that as far as I understand it, it can only block outbound traffic. The router ACL can accomplish blocking in/out, but my concern is with performance. What say you?
Attachment:
smime.p7s
Description:
Current thread:
- EmergingThreats.net Di Fabio, Andrea (Oct 04)
- Re: EmergingThreats.net Di Fabio, Andrea (Oct 05)
- Re: EmergingThreats.net Charlie Reitsma (Oct 12)
- Re: EmergingThreats.net Will Froning (Nov 06)
- Re: EmergingThreats.net King, Ronald A. (Nov 06)
- Re: EmergingThreats.net Di Fabio, Andrea (Nov 06)
- Re: EmergingThreats.net Charlie Reitsma (Oct 12)
- Re: EmergingThreats.net Di Fabio, Andrea (Oct 05)
- Re: EmergingThreats.net Jamie A. Stapleton (Oct 11)