2018-06-28 12:37 PM
Hello
Is it possible to create an IP blocklist like this one (blocklist-ipsets/ciarmy.ipset at master · firehol/blocklist-ipsets · GitHub) in NetWitness? The idea is for it to be fed by the one on GitHub, and every time we are analysing an incident we have the IP highlighted as one of the IPs in the blocklist.
2018-06-28 04:44 PM
Eric Partington has written a couple of blogs in the past that you can use to accomplish this:
A script to use as the basis to pull down and format the IP list from GitHub into a CSV: https://community.rsa.com/community/products/netwitness/blog/2017/04/17/script-sinkhole-communication-feed
And a process you can use to make the formatted CSV available within NetWitness as a Feed list and/or as a Context Hub list: https://community.rsa.com/community/products/netwitness/blog/2018/03/14/a-list-two-ways-feeds-and-context-hub
I plagiarized these resources about 95% to make a script for the ciarmy.ipset list (below). You could take it a step further and include additional ipset lists from that GitHub repository in the "firehol_urls=" section of the script.
#!/bin/bash
# script to pull the ip addresses from firehol IP lists
# sample crontab
# firehol IPs
# 22 3 * * * /root/firehol/firehol_ipset.sh
set -u

# location for tmp file processing
firehol_tmp="/tmp"
# name of the file in the feed file (feed.name)
feed_name="firehol_ip"
# combined firehol indicator filename (written under $firehol_tmp)
firehol_output_file="$firehol_tmp/$feed_name.csv"
# webroot for SA feeds directory
rsa_feed_webroot="/var/netwitness/common/repo"
# firehol root webdirectory github
firehol_git_root="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/"
# firehol ipset files to grab from github (add further list names here)
firehol_urls=(
    "ciarmy.ipset")

# firehol indicator download
for firehol_link in "${firehol_urls[@]}"; do
    echo "$firehol_git_root$firehol_link"
    # -f makes curl fail on an HTTP error instead of saving the error page as the list
    curl -fsS -o "$firehol_tmp/$firehol_link" "$firehol_git_root$firehol_link" \
        || echo "FIREHOL - download failed for $firehol_link" >&2
done
echo "FIREHOL - downloaded firehol raw files from github"

# create the header line that will be added to the indicator file on line 1
csv_header="#ip,#ioc,#feed_name"
# write the initial file and first line
echo "$csv_header" > "$firehol_output_file"

# check all the files and extract the filename as a column of data for the files to append to create a feed of IP
for firehol_file in "$firehol_tmp"/*.ipset; do
    echo "$firehol_file"
    # get me the filename for adding to csv
    filename=$(basename "$firehol_file")
    fname="${filename%.*}"
    echo "$fname"
    # create the names to use later
    filtered_name="$firehol_tmp/filtered_$fname.txt"
    # create the columns that will be used in the combined output file
    csv_columns=",$fname,$feed_name"
    # get me just the ip address lines (the '#' comment lines in the ipset do not match)
    grep -Eo "^([0-9]{1,3}\.){3}[0-9]{1,3}" "$firehol_file" > "$filtered_name"
    # iterate over the filtered file and concat the fields we need to add to the firehol csv
    while IFS= read -r var; do
        # write this to the combined firehol file with the added columns
        echo "$var$csv_columns" >> "$firehol_output_file"
    done < "$filtered_name"
done

# copy the output file to the RSA web directory for recurring feed to read from
cp "$firehol_output_file" "$rsa_feed_webroot/"
echo "FIREHOL - copied to web root $rsa_feed_webroot/$(basename "$firehol_output_file")"
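As an added example (not part of the post above and not the firehol project's code), here is a stricter version of the ipset-to-CSV step: it validates each octet rather than relying on a regex that also matches 999.1.1.1, and it counts the lines it drops so a feed that shrinks after an upstream format change is noticed. The names valid_ipv4, ipset_to_feed_csv and make_sample are assumed, and the sample list is constructed.

```shell
#!/bin/sh
# Added example (not the original post's script): convert one firehol .ipset
# file into NetWitness feed CSV, validating each IPv4 address instead of
# trusting a regex that also accepts 999.1.1.1. Assumed names: valid_ipv4,
# ipset_to_feed_csv, make_sample; the CSV header matches the script above.

# Succeed only if $1 is a dotted quad of four octets, each 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: ipset_to_feed_csv <file.ipset> <feed name>
# Emits the header and one "ip,ioc,feed_name" line per valid address (ioc is
# the list name from the file name). Comments and blanks are ignored; any other
# non-IPv4 entry (CIDR from a .netset, junk) is skipped and counted on stderr.
ipset_to_feed_csv() {
    _file=$1; _feed=$2; _skipped=0
    _ioc=$(basename "$_file"); _ioc=${_ioc%.*}
    echo "#ip,#ioc,#feed_name"
    while IFS= read -r _line || [ -n "$_line" ]; do
        set -- ${_line%%#*}          # drop comments, split on whitespace
        [ $# -eq 0 ] && continue
        if [ $# -eq 1 ] && valid_ipv4 "$1"; then
            echo "$1,$_ioc,$_feed"
        else
            _skipped=$((_skipped + 1))
        fi
    done < "$_file"
    echo "$_ioc: skipped $_skipped non-IPv4 line(s)" >&2
}

# Constructed sample standing in for a downloaded ciarmy.ipset (not real data).
make_sample() {
    _dir=$(mktemp -d)
    cat > "$_dir/ciarmy.ipset" <<'EOF'
# ciarmy.ipset - header comments as found in firehol lists
192.0.2.10
198.51.100.7   # trailing comment
999.1.1.1
203.0.113.0/24
203.0.113.25
EOF
    echo "$_dir/ciarmy.ipset"
}

ipset_to_feed_csv "$(make_sample)" firehol_ip
```

Swap the function in for the grep step of the script above and point its output at the feed CSV; the skipped count on stderr will show up in the cron mail when a list changes format.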