Educause Security Discussion mailing list archives

Re: EmergingThreats.net


From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Fri, 5 Oct 2012 13:50:29 -0400

I have had multiple requests for the script we have been using, so here it
is for everyone. If you improve on it, or see any issues with it (hopefully
there are no issues since we have been using it for a few years :) ) please
let me know. And yes, that long while-do line was a personal challenge that
started small and grew to something I had to defeat :)

#!/bin/sh
# Pulls the EmergingThreats firewall block list, filters it and prints the
# Cisco ASA object-group delta between the previous and the current list.
ETDIR=/var/log/security/EmergingThreats

# Fetch the current revision number
wget --quiet --timeout=20 --no-cache \
    --output-document=$ETDIR/FWrev \
    http://rules.emergingthreats.net/fwrules/FWrev

# Compare new and old rev. cmp -s prints nothing; its exit status is the
# test (the original wrapped it in backticks, which threw that status away).
if ! cmp -s $ETDIR/FWrev $ETDIR/FWrev.old; then
    echo "CHANGE"
else
    exit
fi

# Get new list
wget --quiet --timeout=20 --no-cache \
    --output-document=$ETDIR/emerging-Block-IPs.txt \
    http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

# Filter the new list and remove our nets, plus IPs used by the college but
# hosted elsewhere and possibly on the list. The two resolved addresses are
# matched as plain substrings, not anchored patterns.
NSUNEWS=$(nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " " -f 2)
FAIRDATA=$(nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d " " -f 2)

sed -e '/^[0-9]/!d' -e 's/#.*//g' \
    -e '/^192\.168\./d' -e '/^172\.1[6-9]\./d' -e '/^172\.2[0-9]\./d' \
    -e '/^172\.3[0-1]\./d' -e '/^10\./d' \
    -e '/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' \
    -e '/^199\.111\.12[0-7]\./d' -e '/^204\.155\.17[6-9]\./d' \
    -e '/^204\.155\.18[0-9]\./d' -e '/^204\.155\.19[0-1]\./d' \
    -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" \
    $ETDIR/emerging-Block-IPs.txt | sort | uniq \
    > $ETDIR/emerging-Block-IPs.txt.processed

# Print the difference
diff $ETDIR/emerging-Block-IPs.txt.processed.old \
     $ETDIR/emerging-Block-IPs.txt.processed

# Write some nice ACL: entries that left the list ("<" lines) become
# "no network-object", entries that joined it (">" lines) become
# "network-object"; whatmask turns a prefix length into a dotted netmask.
echo; echo; echo CISCO Command to execute; echo
echo object-group network Net_EmergingThreats

diff $ETDIR/emerging-Block-IPs.txt.processed.old \
     $ETDIR/emerging-Block-IPs.txt.processed |
while read -r line; do
    case $line in
        "<"*) prefix="no " ;;
        ">"*) prefix="" ;;
        *) continue ;;          # diff headers and "---" separators
    esac
    entry=$(echo $line | cut -d " " -f 2)
    case $entry in
        */*)
            net=${entry%/*}
            mask=$(whatmask ${entry#*/} | grep "Netmask =" | cut -d " " -f 4)
            echo "${prefix}network-object $net $mask"
            ;;
        *)
            echo "${prefix}network-object host $entry"
            ;;
    esac
done

# Back up the old list
cp $ETDIR/FWrev $ETDIR/FWrev.old
cp $ETDIR/emerging-Block-IPs.txt.processed \
   $ETDIR/emerging-Block-IPs.txt.processed.old

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Di Fabio, Andrea
Sent: Thursday, October 04, 2012 10:53 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] EmergingThreats.net

Experts,

We have been using the following for many years now
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on our
border CISCO ASA firewalls with great success and little to no issues. A
script pulls the new list, compares it with the old one and applies the
delta.  We are currently switching to PaloAlto FWs and it appears that
scripting/importing this large list may not be as easy as it was with the
ASA. 

Can those of you who use the ET list with PaloAlto give us some
feedback/scripts/API on how you implemented it? We are also considering
moving it to our border CISCO router either as an ACL or as a Null route;
any feedback on the latter and/or scripts you may be using? My primary
concern with using a Null route is the fact that, as far as I understand it,
it can only block outbound traffic. The router ACL can accomplish blocking
in/out, but my concern is with performance. What say you?
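The filter and "diff to ASA commands" steps of the script in the reply above, rewritten as an added shell example (not the script from the post, and not an EmergingThreats or Cisco tool): the wget fetch and revision check are left out, the prefix length is turned into a dotted netmask with plain shell arithmetic instead of whatmask, the old/new comparison uses whole-line literal grep instead of parsing diff output, and 198.51.100.0/24 is an assumed placeholder for the operator's own address space. The function names and the sample lists are constructed for the example; the object-group name is the one used in the post.

```shell
#!/bin/sh
# Added example: filter an EmergingThreats-style block list and emit the ASA
# object-group delta between two processed lists. Not the post's script.

# cidr_to_netmask PREFIXLEN -> dotted netmask, e.g. 20 -> 255.255.240.0
cidr_to_netmask() {
    bits=$1
    mask=""
    for octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            value=255
        elif [ "$bits" -le 0 ]; then
            value=0
        else
            value=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}${value}"
        bits=$(( bits - 8 ))
    done
    printf '%s\n' "$mask"
}

# filter_block_list < raw-list -> sorted, de-duplicated entries with comments,
# non-address lines, RFC 1918 space and our own network removed, so a list
# update can never produce a command against our own address space
filter_block_list() {
    while read -r line; do
        entry=${line%%#*}          # drop a trailing "# comment"
        entry=${entry%% *}         # and anything after the first blank
        case $entry in
            [0-9]*) ;;             # keep only lines that start with a digit
            *) continue ;;
        esac
        case $entry in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) continue ;;
            198.51.100.*) continue ;;   # assumed own network (placeholder)
        esac
        printf '%s\n' "$entry"
    done | LC_ALL=C sort -u
}

# entry_to_object ENTRY -> ASA network-object clause for a host or a CIDR net
entry_to_object() {
    case $1 in
        */*) printf 'network-object %s %s\n' "${1%/*}" "$(cidr_to_netmask "${1#*/}")" ;;
        *)   printf 'network-object host %s\n' "$1" ;;
    esac
}

# block_list_delta OLDFILE NEWFILE -> commands that remove entries which left
# the list and add entries which joined it. grep -vxF -f compares whole lines
# literally, so no sorting is required and 1.2.3.4 never matches 1.2.3.40.
block_list_delta() {
    printf 'object-group network Net_EmergingThreats\n'
    grep -vxF -f "$2" "$1" | while read -r entry; do
        printf 'no %s\n' "$(entry_to_object "$entry")"
    done
    grep -vxF -f "$1" "$2" | while read -r entry; do
        entry_to_object "$entry"
    done
}

# Stand-alone demonstration on constructed sample lists (not real ET data)
old_list=$(mktemp) && new_list=$(mktemp)
printf '# yesterday\n1.2.3.4\n5.6.7.0/24\n10.0.0.0/8 # private\n' | filter_block_list > "$old_list"
printf '# today\n5.6.7.0/24\n9.9.9.0/20\n198.51.100.7\n' | filter_block_list > "$new_list"
block_list_delta "$old_list" "$new_list"
rm -f "$old_list" "$new_list"
```

Run as-is, the demonstration prints the object-group header, one "no network-object host 1.2.3.4" line for the entry that dropped off, and "network-object 9.9.9.0 255.255.240.0" for the one that was added; the private 10.0.0.0/8 entry and the own-network host never reach the output because they are filtered before the two lists are compared. Everything is POSIX sh, so the same file runs under dash or bash on the box that already runs the wget job.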
