Actively maintaining just means I don't have plans to alter it beyond what I uploaded. Anyone can write code and change how it works.
Please have a look at the attachment from my Cisco Live presentation. It has screenshots of most of my setup. The only difference being that I have a second rule/remediation with tracking (not shown) that uses a different HTML file and thus a different custom security intelligence feed. I have a subnet that I'm protecting and blocking on all traffic from outside the US. You could have a similar block rule for a country of your choice or anything else for that matter.
Hope that helps,
I'm not actively maintaining this, but some may benefit from the changes I made. The code comments have been updated.
1. Remediation Status shows proper Result Messages with custom values. (XML modifications)
2. I added the ability to limit the length (nothing with date or time) of a custom list. The list will be pruned FIFO if it exceeds the limit set in the instance configuration. Turning the restriction off allows infinite file size, as IPs are never removed from the list. You can also alter the size within the instance after creation. If you increase, more IPs will be added to the list until the new limit is met. If you decrease, the next remediation run will reduce the size. As an example, if you were set to 1000 entries and were maxed out, and then change the limit to 800, the next run will take the oldest 200 entries and prune them from the file and start maintaining the 800 IP limit. (XML and code changes)
I use this module with two rules: one that looks for a scan and puts the IP in a limited list that will get pruned, and a second rule with tracking that looks for multiple scans in a time window that places the IP in a list that does not get pruned (repeat offender).
Extract the file back to a blacklistIP_1.1.tar.gz that can be uploaded to the FMC.
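The FIFO pruning described in the post above, as an added Python example (not the module's own code, which does not appear on this page). The function names, the one-IP-per-line file layout, `limit=0` standing for "restriction off", the handling of repeat IPs and the file mode are assumptions.

```python
import ipaddress
import os
import tempfile


def add_to_list(path, ip, limit=0):
    """Add ip to the one-IP-per-line file at path, then prune oldest-first.

    limit=0 stands for "restriction off" (assumption). Returns the pruned IPs.
    """
    ip = str(ipaddress.ip_address(ip.strip()))  # ValueError on anything else
    entries = []
    if os.path.exists(path):
        with open(path) as fh:
            entries = [ln.strip() for ln in fh if ln.strip()]
    if ip not in entries:  # assumption: a repeat hit keeps its original slot
        entries.append(ip)
    excess = len(entries) - limit if limit > 0 else 0
    pruned = entries[:max(excess, 0)]  # oldest entries sit at the top of the file
    entries = entries[len(pruned):]
    # Write a temp file and rename it, so a feed poll never reads a partial list.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.writelines(e + "\n" for e in entries)
    os.chmod(tmp, 0o644)  # assumption: the server publishing the feed must read it
    os.replace(tmp, path)
    return pruned


def demo():
    """Constructed data: a list maxed out at 1000, then the limit drops to 800."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "custom_list.txt")
        with open(path, "w") as fh:
            fh.writelines(f"{ipaddress.ip_address(base + i)}\n" for i in range(1, 1001))
        pruned = add_to_list(path, "10.0.4.1", limit=800)
        with open(path) as fh:
            kept = fh.read().split()
    return len(pruned), len(kept), kept[0], kept[-1]


if __name__ == "__main__":
    print(demo())
```

In this run 201 entries are pruned rather than 200, because the run also adds one new IP before trimming the list to 800.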