cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10537
Views
10
Helpful
30
Comments
dohurd
Cisco Employee
Cisco Employee

Remediation module for automatically adding an IP address to a Security Intelligence blacklist. The file contains a readme with more information.

Comments
alesalda
Level 1
Level 1

Hello,

I'm not able to upload the module, there is an error. Could you help me please?

mitchell.mark
Community Member

Hello Adam,

 

I have implemented the module that you have created. It appears to be working well, populates a blacklist. Once an IP address is blacklisted I shouldn’t see a corresponding Intrusion Event any longer, should I?

 

Thank you in advance,

erush6861
Community Member

Thanks, needed something like this. Very cool local use (no need to spin up external web host).

I doubt this is getting any updates, but it would be nice to see a whitelist similar to pix shun module and an optional way to either set a expiration/timeout on a listed ip or like a scheduled file deletion. Would also be nice if there was an option that adds a comment after an IP to say which correlation rule added it and a timestamp of when.

Couple of tiny things I noticed:

script

 - In both BlacklistLocal and BlacklistRemote you are returning 1 instead of 0 which causes an benign error msg in syslog and remediation status.

 - typo "rememdiation" in a warning msg on line 243

template

- for local_dst_blacklist your default files names are using .txt and .md5 instead of html per other defaults and note about local web server in readme. (could denote .html required for local files fields in template)

babiojd01
Level 1
Level 1

Got it working by uploading the gz part. Can't seem to get any data on it in analysis. I see the file gets populated but its almost worthless if we can't make changes to remove devices from the blacklist.

babiojd01
Level 1
Level 1

Is there an easy way to remove ip addresses from the local blacklist?

erush6861
Community Member

Not with the GUI.

You can use the CLI by ssh'ing and editing the file it puts in /var/sf/htdocs/, just need to mindful to do it swiftly incase it gets written to while you are trying to make changes.

(Note: making changes would also make the md5 file no longer match, you could probably generate a new one with the command used in the script "md5sum /var/sf/htdocs/blockfilename > /var/sf/htdocs/md5filename". That is if you are actually using it.)

babiojd01
Level 1
Level 1

Thanks for the info. I could probably script something. Once it is working it works quite well. :) I was looking for something similar to the cisco IPS host blocking. I wish they created the shun module for ASA so we could do something similar.

erush6861
Community Member

We've found the PIX module can work with for ASA (in firesight 5.x). Just need to use SSH2 and edit the script to prefer SSH2. The PIX Shun module might not be exactly what you are looking for though, as again there is no gui "no shun" option. Warning: since PIX module is a default module, changes are reverted if you update the Defense Center and so must be re-applied after an update.

Edit the read-only SSH.pm file in /var/sf/remediations/cisco_pix_1.1/

change line 64 from:
$ssh = Net::SSH::Perl->new($host);
to:
$ssh = Net::SSH::Perl->new($host, protocol => '2,1');

This change will make it prefer SSH2 but it can still try SSH1 (though SSH1 and Telnet didn't seem to work with our ASA in testing, did not dig deeper as to why since SSH2 is preferred anyway.)

marcairn
Cisco Employee
Cisco Employee

I'm not actively maintaining this, but some may benefit from the changes I made. The code comments have been updated.

1. Remediation Status shows proper Result Messages with custom values. (XML modifications)

2. I added the ability to limit the length (nothing with date or time) of a custom list. The list will be pruned FIFO if it exceeds the limit set in the instance configuration. Turning the restriction off allows infinite file size, as IPs are never removed from the list. You can also alter the size within the instance after creation. If you increase, more IPs will be added to the list until the new limit is met. If you decrease, the next remediation run will reduce the size. As an example, if you were set to 1000 entries and were maxed out, and then change the limit to 800, the next run will take the oldest 200 entries and prune them from the file and start maintaining the 800 IP limit. (XML and code changes)

I use this module with two rules, one that looks for a scan and puts the IP in a limited list that will get pruned and a second rule with tracking that looks for multiple scans in a time window that places the IP in a list that does not get pruned (repeat offender).

Extract the file back to a blacklistIP_1.1.tar.gz that can be uploaded to the FMC.

Enjoy

Dennis Perto
Level 5
Level 5

Hi marcairn  

Can you please describe how you set up your two rules?

Thank you for "not" maintaining this module :D 

babiojd01
Level 1
Level 1

Can someone make this module available for FSM6 or 6.2 Please? Its gone after upgrading.

marcairn
Cisco Employee
Cisco Employee

Dennis,

Actively maintaining, just means I don't have plans to alter it beyond what I uploaded. Anyone can write code and change how it works.

Please have a look at the attachment from my Cisco Live presentation. It has screen shots of most of my set up. The only difference being that I have a second rule/remediation with tracking (not shown) that uses a different html file and thus a different custom security intelligence feed. I have a subnet that I'm protecting and blocking on all traffic from outside the US. You could have a similar block rule for a country of your choice or anything else for that matter.

Hope that helps,

Mark

cvcucooper
Level 1
Level 1

Everything worked except I am unable to modify the html file that is created.  I need to change the permissions but it looks like I would have to do this via cli.  Did anyone else run into this?

marcairn
Cisco Employee
Cisco Employee

@cvcucooper Are you trying to modify the file manually or do you have a correlation setup that fails to modify the file? I don't recall having to change any RW permissions on the HTML files. That file is created during the setup in the GUI. My HTML files are owned by root and have-rw-r--r-- or 644 permissions.

 

Just to clarify, you should not be manually editing the html file in the case of correlation and remediation.

marcairn
Cisco Employee
Cisco Employee

Deleted

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: