This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

IP BlockList

RenatoGoncalves
Beginner
Beginner

‎2018-06-28 12:37 PM

Hello

Its possible to creat an IP blocklist like this blocklist-ipsets/ciarmy.ipset at master · firehol/blocklist-ipsets · GitHub  in Netwitness. The ideia is for her to be feeded by the one in GITHUB and everytime we are analysing and incident we have the ip highlighted has one of the ip blocklist.

0 Likes
1 REPLY 1

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2018-06-28 04:44 PM

Eric Partington‌ has written a couple blogs in the past that you can use to accomplish this:

A script to use as the basis to pull down and format the IP list from gitbub into a CSV: https://community.rsa.com/community/products/netwitness/blog/2017/04/17/script-sinkhole-communication-feed 

And a process you can use to make the formatted CSV available within NetWitness as a Feed list and/or as a Context Hub list: https://community.rsa.com/community/products/netwitness/blog/2018/03/14/a-list-two-ways-feeds-and-context-hub 

 

I plagiarized these resources about 95% to make a script for ciarmy.ipset list (below).  You could take it a step further and include additional ipset lists from that github in the "firehol_urls=" section of the script.

 

#!/bin/bash
#script to pull the ip addresses from firehol IP lists

#sample crontab
# firehol IPs
# 22 3 * * * /root/firehol/firehol_ipset.sh

#location for tmp file processing
firehol_tmp="/tmp"


#name of the file in the feed file (feed.name)
feed_name="firehol_ip"


#combined firehol indicator filename
firehol_output_file=$feed_name".csv"

#webroot for SA feeds directory
rsa_feed_webroot="/var/netwitness/common/repo"

# firehol root webdirectory github
firehol_git_root="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/"

# firehol txt files to grab from maltrail site and processing
firehol_urls=(
"ciarmy.ipset")

#firehol indicator download
for firehol_link in "${firehol_urls[@]}"
do

      cd $firehol_tmp && curl -O $firehol_git_root$firehol_link 2> /dev/null
      echo $firehol_git_root$firehol_link
done

echo "FIREHOL - downloaded firehol raw files from github "

#create the header line that will be added to the indicator file on line 1
csv_header="#ip,#ioc,#feed_name"


#write the initial file and first line
echo $csv_header > $firehol_output_file

#check all the files and extract the filename as a column of data for the files to append to create a feed of IP
for firehol_file in $firehol_tmp/*.ipset
do
      echo $firehol_file

      #get me the filename for adding to csv
      filename=$(basename "$firehol_file")
      fname="${filename%.*}"
      echo $fname

      #create the names to use later
      filtered_name=$firehol_tmp/"filtered_"$fname".txt"

      #create the columns that will be used in the combined output file
      csv_columns=","$fname","$feed_name

      # get me just the ip address lines
      cat $firehol_file | grep -Eo "^([0-9]{1,3}[\.]){3}[0-9]{1,3}" > $filtered_name

      #iterate over the filtered file and concat the fields we need to add to the firehol csv
      while IFS= read -r var
      do


          # write this to the combined firehol file with the added columns
          echo $var"$csv_columns" >> $firehol_output_file

     done < "$filtered_name"


done

#copy the output file to the RSA web directory for recurring feed to read from
cp $firehol_output_file $rsa_feed_webroot
echo "FIREHOL - copied to web root "$rsa_feed_webroot"/"$firehol_output_file


Mr. Mongo
firehol_ipset.7z.zip
© 2022 RSA Security LLC or its affiliates. All rights reserved.