cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
5390
Views
5
Helpful
5
Replies
bo3500001
Beginner

AMP IP Blocklists

We are having an issue with IP Black/White list.  We've developed a containment policy which whitelists several necessary addresses (e.g. AMP addresses and DNS services), and configured the blacklist to the rest of the network's private IP address space (isolating it from other hosts).  In our testing, the Blacklist is NOT enforced by the connector.  We've even tested explicit addresses to verify that the connector is not taking the blocking action.  DFC is enabled, the IP lists are assigned to the right policy, and the policy is associated with the appropriate group.  Has anyone actually been able to block custom address?

5 REPLIES 5
Ed Padilla Jr
Beginner

I did.  I created an object group listing those IP i want to block, under Security Intelligence.  Then under the Access Control Policy, security intelligence, I add that object to the blacklist column. This particular Object group, is for our own internal Intel.

Apologies, this if for AMP for End Points, not the IPS solution. 

I ran a test to ensure this works. First, I found an IP to block.  I ran nslookup on msn.com and it returned a single IP: 23.101.196.141.

 

Next, I went into the console at console.amp.cisco.com to Outbreak Control > IP Blacklists & Whitelists.  Here I created an IP List.  I gave it a name and selected Blacklist as the List Type.  Next, I put in the IP 23.101.196.141/32. 

 

After this was saved, I went to Management > Policies and edited the policy that is applied to my endpoint.  In the IP Blacklists & Whitelists section I clicked edit, selected my newly created Blacklist and clicked Add, then OK.

 

Once back at my policy I clicked Update Policy.

 

Then, I went to my endpoint, opened the connector, clicked settings and clicked Sync Policy.  Once the policy was synced, I tried to telnet to 23.101.196.141 on port 80.  It was blocked and I received a popup stating it was blocked.

 

NOTE: Image attached.

I removed the blacklist and updated policy in console and endpoint.  Tried to telnet to 23.101.196.141 on port 80 again and now it was successful. 

hi,please tell me.

for exapmle

I created an IP Blacklists 8.8.8.8
①first I tried to ping to 8.8.8.8
⇒was not blocled


②but I tried to telnet to 8.8.8.8
⇒was blocled

then I tried to ping to 8.8.8.8
⇒was blocled

Why ping was blocked from the beginning ?

Farhan Mohamed
Cisco Employee

Blocklist2ACL by thejimmahknows<script>// <![CDATA[
Sub Window_onLoad
window.resizeTo 675,875
End Sub
Sub Sleep(Msecs)
'needed cause no Wscript object for HTA files
Set SleepFSO = CreateObject("Scripting.FileSystemObject")
If SleepFSO.FileExists("sleeper.vbs")=False Then
Set objOutputSleeperFile = SleepFSO.CreateTextFile("sleeper.vbs", True)
objOutputSleeperFile.Write "wscript.sleep Wscript.Arguments(0)"
objOutputSleeperFile.Close
End If
CreateObject("Wscript.Shell").run "sleeper.vbs " & Msecs,1 , True
End Sub
Set WshShell = CreateObject("WScript.Shell")
currPath = WshShell.CurrentDirectory
'currPath =  CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName)
 
'constants and URLs
Const ForReading = 1
Const ForWriting = 2
Const emergingURL = "http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
Const level1URL = "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz"
Const sigmaprojectsURL = "http://blocklist.sigmaprojects.org/api.cfc?method=getlist&lists=webexploit,spyware,anti-infringement,spammers"
Const dshieldURL  = "http://feeds.dshield.org/block.txt"
 
Dim outFile : outFile = currPath & "test_output.txt"
Dim emergingFile : emergingFile = currPath & "emergingIPs.txt"
Dim level1FileGZ : level1FileGZ = currPath & "level1.txt.gz"
Dim level1File : level1File = currPath & "level1.txt"
Dim sigmaprojectsFileGZ: sigmaprojectsFileGZ = currPath & "sigmaprojectsIPs.txt.gz"
Dim sigmaprojectsFile: sigmaprojectsFile = currPath & "sigmaprojectsIPs.txt"
Dim dshieldFile: dshieldFile = currPath & "dshieldIPs.txt"
Dim mainOutputStr, ACL_NAME, logSuffix
 
Sub WGET(URL, DownloadLocation)
dim xHttp: Set xHttp = createobject("MSXML2.ServerXMLHTTP.6.0")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", URL , False
xHttp.Send
 
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile DownloadLocation, 2 '//overwrite
end with
 
End Sub
 
Sub unGZ(filePathGZ, filePath)
Set objFSO = CreateObject("Scripting.FileSystemObject")
execPath = chr(34) & currPath & "gzip.exe" & chr(34) & "-dqf " & chr(34) & filePathGZ &  chr(34)
'run gzip uncompress
WshShell.Run execPath
'loop until file exists from previous call
fileExist = False
Do Until fileExists = True
If objFSO.fileExists (filePath) Then
fileExists = True
Else
Sleep(2000)
End If
Loop
End Sub
 
Function TrimFile(file)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(file, ForReading)
 
Do Until objFile.AtEndOfStream
strLine = objFile.Readline
strLine = Trim(strLine)
If Len(strLine) > 0 Then
strNewContents = strNewContents & strLine & vbCrLf
End If
Loop
 
objFile.Close
 
Set objFile = objFSO.OpenTextFile(file, ForWriting)
objFile.Write strNewContents
objFile.Close
End Function
 
Function BlueTrackConverterPG2CIDR(inLine) 'only for P2P format blocklist files
Dim  objIE, sourceItem
sourceItem = inLine
Set objIE = CreateObject("InternetExplorer.Application")
objIE.visible = False
objIE.Navigate "http://www.bluetack.co.uk/converter/"
 
Do Until objIE.readyState = 4 : Sleep(200) : Loop
 
objIE.Document.getElementByID("fromformat").value = "pg"
objIE.Document.getElementByID("toformat").value = "shorewall"
objIE.Document.getElementByID("denyonly").value = "yes"
objIE.Document.getElementByID("listCleaning").value = "mergeoverlaps"
objIE.Document.getElementByID("sortBy").value = "IP"
'paste in IE forum
objIE.Document.getElementByID("sfrom").value = sourceItem
Sleep(200)
 
For Each INPUT in objIE.Document.getElementsByTagName("input")
If INPUT.Value = "Convert" Then
INPUT.Click
Exit For
End If
Next
'return value
Sleep(200)
BlueTrackConverterPG2CIDR = objIE.Document.getElementByID("sto").value
objIE.Quit
Set objIE = Nothing
End Function
 
 
Function BlueTrackConverterDSHIELD2CIDR(inStr) 'only for DSHIELD conversions
Dim  objIE, runStr
Set objIE = CreateObject("InternetExplorer.Application")
objIE.visible = False
objIE.Navigate "http://www.bluetack.co.uk/converter/"
 
Do Until objIE.readyState = 4 : Sleep(200) : Loop
 
objIE.Document.getElementByID("fromformat").value = "dshield"
objIE.Document.getElementByID("toformat").value = "shorewall"
objIE.Document.getElementByID("denyonly").value = "yes"
objIE.Document.getElementByID("listCleaning").value = "mergeoverlaps"
objIE.Document.getElementByID("sortBy").value = "IP"
'paste in IE forum
objIE.Document.getElementByID("sfrom").value = inStr
 
For Each INPUT in objIE.Document.getElementsByTagName("input")
If INPUT.Value = "Convert" Then
INPUT.Click
Exit For
End If
Next
'return outputStr
BlueTrackConverterDSHIELD2CIDR =  objIE.Document.getElementByID("sto").value
objIE.Quit
Set objIE = Nothing
End Function
 
Function MaskLengthToIP(intMask)
  ' Converts a mask length to the decimal format mask
  Dim arrOctets(3)
  Dim intFullOctets : intFullOctets = (intMask - (intMask Mod 8)) / 8
  Dim i
  For i = 0 To (intFullOctets - 1)
arrOctets(i) = "255"
  Next
  Dim intPartialOctetLen : intPartialOctetLen = intMask Mod 8
  Dim j
  If intPartialOctetLen > 0 Then
Dim intOctet
For j = 0 To (intPartialOctetLen - 1)
  intOctet = intOctet + 2^(7 - j)
Next
arrOctets(i) = intOctet : i = i + 1
  End If
  For j = i To 3
arrOctets(j) = "0"
  Next
  MaskLengthToIP = Join(arrOctets, ".")
End Function
 
Function CIDR2ACL(strLine, aclNameStr)
'check for blank line
If  Trim(strLine) <> "" Then
If InStr(strLine, "/")  > 0  Then
pos_start = InStr(strLine, "/")
'get ip only
tmpLen = Len(strLine)
tmpIP = Mid(strLine, 1, pos_start - 1)
'need to convert slash to netmask
subStr = Mid(strLine, pos_start +1 )
maskInt = CInt(subStr)
subMaskStr = MaskLengthToIP(maskInt)
'return values
CIDR2ACL = "access-list" & " " & aclNameStr & " " & "deny ip" & " " & tmpIP & " " & subMaskStr & " " & "any" & logSuffix & vbCrLf
Else
tmpIP = strLine
subMaskStr = "255.255.255.255"
'return values
CIDR2ACL = "access-list" & " " & aclNameStr & " " & "deny ip" & " " & tmpIP & " " & subMaskStr & " " & "any" & logSuffix & vbCrLf
End If
End If
 
End Function
 
Sub dshieldSUB
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(dshieldFile, ForReading)
 
'readall from file
Dim tStr, strText
strText = ""
tStr = BlueTrackConverterDSHIELD2CIDR(objFile.ReadAll)
 
arrLines = Split(tStr, vbCrLf)
For Each line in arrLines
strText = strText & CIDR2ACL(line, ACL_NAME)
Next
 
mainOutputStr = mainOutputStr & strText
objFile.Close
End Sub
 
Sub emergingSUB()
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(emergingFile, ForReading)
'
Do Until objFile.AtEndOfStream
strText = objFile.ReadLine
If strText = chr(127) Then
'do nothing
ElseIf InStr(strText, "#") > 0 Then
'do nothing
Else
'convert CIDR
strText = CIDR2ACL(strText, ACL_NAME)
mainOutputStr = mainOutputStr & strText
End If
 
Loop
objFile.Close
End Sub
 
Sub sigmaprojectsSUB()
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(sigmaprojectsFile, ForReading)
Do Until objFile.AtEndOfStream
strText = objFile.ReadLine
strText = CIDR2ACL(strText, ACL_NAME)
mainOutputStr = mainOutputStr & strText
Loop
 
End Sub
 
Sub level1SUB()
Dim tStr, strTextLine, arrLines, runningStr, c
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(level1File, ForReading)
c = 0
Do Until objTextFile.AtEndOfStream
strTextLine = objTextFile.ReadLine
If InStr(strTextLine, "#") > 0 Then
'do nothing
ElseIf  InStr(strTextLine, " ")  > 0  Then
'do nothing
ElseIf  InStr(strTextLine, "")  > 0  Then
'do nothing
Else
If c > 7500 Then
'execute 100 items at a time
tStr = tStr & BlueTrackConverterPG2CIDR(runningStr) & vbCrLf
'reset counter
c=0
runningStr = ""
ElseIf  objTextFile.AtEndOfStream = True Then
tStr = tStr & BlueTrackConverterPG2CIDR(runningStr) & vbCrLf
msgbox(tStr)
Else
runningStr = runningStr & strTextLine & vbCrLf
'increment counter
c = c + 1
End If
End If
Loop
 
arrLines = Split(tStr, vbCrLf)
For Each line in arrLines
strText = strText & CIDR2ACL(line, ACL_NAME)
Next
mainOutputStr = mainOutputStr & strText
'clean up
objTextFile.Close
End Sub
 
Sub cleanUP()
'dump to file
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Set objOutputFile = objFSO.CreateTextFile(outFile)
'objOutputFile.Write mainOutputStr
'clear and output access-lists
document.GetElementById("outputTextarea").Value = mainOutputStr
 
'objOutputFile.Close
 
'delete files dshieldIPs.txt , sigmaprojects.txt , emergingIPs
Set delFSO = CreateObject("Scripting.FileSystemObject")
 
If delFSO.FileExists(dshieldFile) Then
delFSO.DeleteFile dshieldFile
End If
If delFSO.FileExists(sigmaprojectsFile) Then
delFSO.DeleteFile sigmaprojectsFile
End If
If delFSO.FileExists(emergingFile) Then
delFSO.DeleteFile emergingFile
End If
If delFSO.FileExists(level1File) Then
delFSO.DeleteFile level1File
End If
'remove sleeper.vbs
If delFSO.FileExists("sleeper.vbs") Then
delFSO.DeleteFile "sleeper.vbs"
End If
End Sub
 
 
 
 
Sub runMe()
'clear mainOutputStr
mainOutputStr = ""
'get ACL Name
ACL_NAME = document.GetElementById("acl_textbox").value
'check log checkbox
If document.GetElementById("log_checkbox").Checked Then
logSuffix = " log"
Else
logSuffix = ""
End If
'check checkboxes checked
If document.GetElementById("emerging_checkbox").Checked Then
'execute Subs
Call WGET(emergingURL, emergingFile)
Call TrimFile(emergingFile)
Call emergingSUB()
End If
If document.GetElementById("dshield_checkbox").Checked Then
'execute Subs
Call WGET(dshieldURL, dshieldFile)
Call TrimFile(dshieldFile)
Call dshieldSUB()
End If
If document.GetElementById("sigmaprojects_checkbox").Checked Then
'execute Subs
Call WGET(sigmaprojectsURL, sigmaprojectsFileGZ)
Call unGZ(sigmaprojectsFileGZ, sigmaprojectsFile)
Call sigmaprojectsSUB()
 
End If
If document.GetElementById("bluetrack1_checkbox").Checked Then
'execute Subs
Call WGET(level1URL, level1FileGZ)
Call unGZ(level1FileGZ, level1File)
Call level1SUB()
Call TrimFile(level1File)
End If
'execute cleanup
Call cleanUP()
End Sub
Sub ClearMe
document.GetElementById("acl_textbox").value = "MyACL"
document.GetElementById("log_checkbox").Checked = False
document.GetElementById("emerging_checkbox").Checked = False
document.GetElementById("dshield_checkbox").Checked = False
document.GetElementById("sigmaprojects_checkbox").Checked = False
document.GetElementById("bluetrack1_checkbox").Checked = False
'clear textarea
document.GetElementById("outputTextarea").Value = "The access-list will appear here."
End Sub
// ]]></script>
<center>
<h2>Blocklist to Cisco ASA ACL converter</h2>
 
<h4>Select Blocklist Sources to Convert</h4>
</center>
<form action=""><b>ACL Name:</b> <input id="acl_textbox" name="acl_textbox" type="textbox" value="MyACL" />
<input id="emerging_checkbox" name="emerging_checkbox" type="checkbox" /><a href="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" target="_blank">Emerging Threats</a>
<input id="dshield_checkbox" name="dshield_checkbox" type="checkbox" /><a href="http://feeds.dshield.org/block.txt" target="_blank">Dshield</a>
<input id="sigmaprojects_checkbox" name="sigmaprojects_checkbox" type="checkbox" /><a href="https://blocklist.sigmaprojects.org/" target="_blank">Sigma Projects</a>
<input id="bluetrack1_checkbox" name="bluetrack1_checkbox" type="checkbox" /><a href="https://www.iblocklist.com/list.php?list=bt_level1" target="_blank"> Bluetrack Level1</a>
 
<b>Add log suffix to each ACL</b>
<input id="log_checkbox" name="log_checkbox" type="checkbox" /> Log ACL
 
<input name="runMeButton" type="button" value="Run Script" /> <input name="ClearMeButton" type="button" value="Clear" /></form><textarea id="outputTextarea" cols="75" rows="30">The access-list will appear here.</textarea>
 
Create
Recognize Your Peers
Content for Community-Ad