Remediation Module for Security Intelligence Blacklist

Document

Thu, 07/13/2017 - 06:49
Jul 21st, 2014
User Badges:
  • Cisco Employee,

Remediation module for automatically adding an IP address to a Security Intelligence blacklist. The file contains a readme with more information.

Attachment:
babiojd01 Wed, 04/12/2017 - 05:36

Got it working by uploading the gz part. Can't seem to get any data on it in analysis. I see the file gets populated, but it's almost worthless if we can't make changes to remove devices from the blacklist.

marcairn Wed, 07/12/2017 - 12:55
User Badges:
  • Cisco Employee,

I'm not actively maintaining this, but some may benefit from the changes I made. The code comments have been updated.

1. Remediation Status shows proper Result Messages with custom values. (XML modifications)

2. I added the ability to limit the length (nothing with date or time) of a custom list. The list will be pruned FIFO if it exceeds the limit set in the instance configuration. Turning the restriction off allows infinite file size, as IPs are never removed from the list. You can also alter the size within the instance after creation. If you increase, more IPs will be added to the list until the new limit is met. If you decrease, the next remediation run will reduce the size. As an example, if you were set to 1000 entries and were maxed out, and then change the limit to 800, the next run will take the oldest 200 entries and prune them from the file and start maintaining the 800 IP limit. (XML and code changes)

I use this module with two rules, one that looks for a scan and puts the IP in a limited list that will get pruned and a second rule with tracking that looks for multiple scans in a time window that places the IP in a list that does not get pruned (repeat offender).

Extract the file back to a blacklistIP_1.1.tar.gz that can be uploaded to the FMC.

Enjoy

Dennis Perto Wed, 07/12/2017 - 14:14
User Badges:
  • Bronze, 100 points or more

Hi @marcairn  

Can you please describe how you set up your two rules?

Thank you for "not" maintaining this module :D 

marcairn Thu, 07/13/2017 - 06:49
User Badges:
  • Cisco Employee,

Dennis,

"Not actively maintaining" just means I don't have plans to alter it beyond what I uploaded. Anyone can write code and change how it works.

Please have a look at the attachment from my Cisco Live presentation. It has screen shots of most of my set up. The only difference being that I have a second rule/remediation with tracking (not shown) that uses a different html file and thus a different custom security intelligence feed. I have a subnet that I'm protecting and blocking on all traffic from outside the US. You could have a similar block rule for a country of your choice or anything else for that matter.

Hope that helps,

Mark

mitchell.mark Thu, 06/23/2016 - 10:11

Hello Adam,


I have implemented the module that you have created. It appears to be working well, populates a blacklist. Once an IP address is blacklisted I shouldn’t see a corresponding Intrusion Event any longer, should I?


Thank you in advance,

erush6861 Fri, 04/07/2017 - 17:45

Thanks, needed something like this. Very cool local use (no need to spin up external web host).

I doubt this is getting any updates, but it would be nice to see a whitelist similar to pix shun module and an optional way to either set a expiration/timeout on a listed ip or like a scheduled file deletion. Would also be nice if there was an option that adds a comment after an IP to say which correlation rule added it and a timestamp of when.


Couple of tiny things I noticed:

script

 - In both BlacklistLocal and BlacklistRemote you are returning 1 instead of 0, which causes a benign error msg in syslog and remediation status.

 - typo "rememdiation" in a warning msg on line 243

template

- for local_dst_blacklist your default file names are using .txt and .md5 instead of .html per the other defaults and the note about the local web server in the readme. (could denote .html required for local file fields in the template)

babiojd01 Thu, 04/13/2017 - 18:16

Is there an easy way to remove ip addresses from the local blacklist?

erush6861 Fri, 04/14/2017 - 10:38

Not with the GUI.


You can use the CLI by ssh'ing in and editing the file it puts in /var/sf/htdocs/; just need to be mindful to do it swiftly in case it gets written to while you are trying to make changes.

(Note: making changes would also make the md5 file no longer match, you could probably generate a new one with the command used in the script "md5sum /var/sf/htdocs/blockfilename > /var/sf/htdocs/md5filename". That is if you are actually using it.)
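The two mechanisms discussed in this thread, marcairn's FIFO pruning of a list to a configured limit (including a lowered limit taking effect on the next run) and the manual "remove an IP and regenerate the md5 file" procedure above, written out as a small Python illustration. This is an added example, not the module's own (Perl) code; it assumes the list holds one IP per line in append order (oldest first) and that the md5 sidecar uses the same `<hex>  <basename>` format the quoted `md5sum` command produces. The file names, the `demo()` walk-through and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""
Maintaining a FIFO-pruned local Security Intelligence list and its md5
sidecar.  Added example (not the module's own code).  Assumptions: the
list holds one IP per line in append order (oldest first), and the
sidecar follows md5sum's output format, "<hex>  <basename>", matching
the md5sum command quoted in the thread.
"""
import hashlib
import ipaddress
import os
import tempfile
from pathlib import Path


def read_list(list_path):
    """Return the listed IPs, oldest first; an absent file is an empty list."""
    p = Path(list_path)
    if not p.exists():
        return []
    return [ln.strip() for ln in p.read_text().splitlines() if ln.strip()]


def _atomic_write(list_path, entries):
    """Write to a temp file in the same directory, then rename it into place,
    so a reader (or the next remediation run) never sees a half-written list."""
    target = Path(list_path).resolve()
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".sifeed-")
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(e + "\n" for e in entries))
    os.replace(tmp, target)


def write_md5(list_path, md5_path):
    """Regenerate the sidecar the way `md5sum list > md5file` would (assumed format)."""
    digest = hashlib.md5(Path(list_path).read_bytes()).hexdigest()
    Path(md5_path).write_text(f"{digest}  {Path(list_path).name}\n")
    return digest


def md5_matches(list_path, md5_path):
    """True when the sidecar still describes the current list contents."""
    recorded = Path(md5_path).read_text().split()[0]
    return recorded == hashlib.md5(Path(list_path).read_bytes()).hexdigest()


def add_ip(list_path, md5_path, ip, limit=0):
    """Append `ip`; when `limit` > 0 drop the oldest entries beyond it (FIFO).
    Returns the resulting list.  limit=0 means unbounded, as in the module."""
    ip = str(ipaddress.ip_address(ip))          # reject anything that isn't an IP
    entries = read_list(list_path)
    if ip in entries:
        return entries                          # already listed: leave file and md5 alone
    entries.append(ip)
    if limit > 0 and len(entries) > limit:
        entries = entries[-limit:]              # keep only the newest `limit` entries
    _atomic_write(list_path, entries)
    write_md5(list_path, md5_path)
    return entries


def remove_ip(list_path, md5_path, ip):
    """Drop `ip` (the 'no shun' the GUI lacks) and refresh the sidecar."""
    ip = str(ipaddress.ip_address(ip))
    entries = read_list(list_path)
    kept = [e for e in entries if e != ip]
    if len(kept) != len(entries):
        _atomic_write(list_path, kept)
        write_md5(list_path, md5_path)
    return kept


def demo():
    """Constructed walk-through: fill a list past a limit of 3, lower the
    limit to 2 (pruned on the next add), then remove one entry by hand."""
    d = tempfile.mkdtemp()
    lst, md5 = os.path.join(d, "blacklist.html"), os.path.join(d, "blacklist.md5")
    for i in range(1, 6):                       # 203.0.113.1 .. .5 (documentation range)
        add_ip(lst, md5, f"203.0.113.{i}", limit=3)
    after_fill = read_list(lst)                 # .3 .4 .5 : the two oldest were pruned
    add_ip(lst, md5, "203.0.113.6", limit=2)    # lowered limit takes effect on this run
    after_shrink = read_list(lst)               # .5 .6
    after_remove = remove_ip(lst, md5, "203.0.113.5")
    return after_fill, after_shrink, after_remove, md5_matches(lst, md5)


if __name__ == "__main__":
    print(demo())
```

The temp-file-plus-rename write is what makes the manual edit safe against a reader seeing a half-written list; it does not coordinate with the module's own writes, so if a remediation fires while you are editing, one side's change can still be lost, which is the "do it swiftly" caveat above. Regenerating the sidecar after every change keeps the md5 consistent with the list, which only matters if the feed is actually configured with an md5 URL.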

babiojd01 Fri, 04/14/2017 - 12:38

Thanks for the info. I could probably script something. Once it is working it works quite well. :) I was looking for something similar to the Cisco IPS host blocking. I wish they had created the shun module for ASA so we could do something similar.

erush6861 Fri, 04/14/2017 - 17:38

We've found the PIX module can work with ASA (in FireSIGHT 5.x). Just need to use SSH2 and edit the script to prefer SSH2. The PIX Shun module might not be exactly what you are looking for though, as again there is no GUI "no shun" option. Warning: since the PIX module is a default module, changes are reverted if you update the Defense Center and so must be re-applied after an update.


Edit the read-only SSH.pm file in /var/sf/remediations/cisco_pix_1.1/

change line 64 from:
$ssh = Net::SSH::Perl->new($host);
to:
$ssh = Net::SSH::Perl->new($host, protocol => '2,1');


This change will make it prefer SSH2 but it can still try SSH1 (though SSH1 and Telnet didn't seem to work with our ASA in testing, did not dig deeper as to why since SSH2 is preferred anyway.)

babiojd01 Thu, 07/13/2017 - 06:30

Can someone make this module available for FSM6 or 6.2, please? It's gone after upgrading.
