AMP IP Blocklists

bo3500001
Level 1

We are having an issue with the IP Black/White list. We've developed a containment policy which whitelists several necessary addresses (e.g. AMP addresses and DNS services), and configured the blacklist to cover the rest of the network's private IP address space (isolating the host from other hosts). In our testing, the Blacklist is NOT enforced by the connector. We've even tested explicit addresses to verify that the connector is not taking the blocking action. DFC is enabled, the IP lists are assigned to the right policy, and the policy is associated with the appropriate group. Has anyone actually been able to block custom addresses?

5 Replies

Ed Padilla Jr
Level 1

I did. I created an object group listing those IPs I want to block, under Security Intelligence. Then under the Access Control Policy, Security Intelligence, I add that object to the blacklist column. This particular object group is for our own internal intel.

Apologies, this is for AMP for Endpoints, not the IPS solution.

I ran a test to ensure this works. First, I found an IP to block. I ran nslookup on msn.com and it returned a single IP: 23.101.196.141.

Next, I went into the console at console.amp.cisco.com to Outbreak Control > IP Blacklists & Whitelists. Here I created an IP List. I gave it a name and selected Blacklist as the List Type. Next, I put in the IP 23.101.196.141/32.

After this was saved, I went to Management > Policies and edited the policy that is applied to my endpoint. In the IP Blacklists & Whitelists section I clicked Edit, selected my newly created Blacklist and clicked Add, then OK.

Once back at my policy I clicked Update Policy.

Then, I went to my endpoint, opened the connector, clicked Settings and clicked Sync Policy. Once the policy was synced, I tried to telnet to 23.101.196.141 on port 80. It was blocked and I received a popup stating it was blocked.

NOTE: Image attached.

I removed the blacklist and updated the policy in the console and on the endpoint. Tried to telnet to 23.101.196.141 on port 80 again and now it was successful.

Hi, please tell me.

For example:

I created an IP Blacklist containing 8.8.8.8.
① First I tried to ping 8.8.8.8
⇒ was not blocked

② But I tried to telnet to 8.8.8.8
⇒ was blocked

Then I tried to ping 8.8.8.8
⇒ was blocked

Why was ping blocked from the beginning?

Farhan Mohamed
Cisco Employee
Blocklist2ACL by thejimmahknows

<script language="VBScript">
' Blocklist2ACL: downloads public IP blocklists and converts every entry into a
' Cisco ASA "access-list <name> deny ip <network> <netmask> any [log]" line.
' Runs as an HTA (save the whole page as Blocklist2ACL.hta); gzip.exe must sit
' in the working directory for the gzipped feeds.
Sub Window_onLoad
  window.resizeTo 675, 875
End Sub

Sub Sleep(Msecs)
  'needed because there is no WScript object for HTA files
  Set SleepFSO = CreateObject("Scripting.FileSystemObject")
  If SleepFSO.FileExists("sleeper.vbs") = False Then
    Set objOutputSleeperFile = SleepFSO.CreateTextFile("sleeper.vbs", True)
    objOutputSleeperFile.Write "wscript.sleep Wscript.Arguments(0)"
    objOutputSleeperFile.Close
  End If
  CreateObject("Wscript.Shell").Run "sleeper.vbs " & Msecs, 1, True
End Sub

Set WshShell = CreateObject("WScript.Shell")
'trailing backslash so the file names below form valid paths
currPath = WshShell.CurrentDirectory & "\"
'currPath = CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName)

'constants and URLs
Const ForReading = 1
Const ForWriting = 2
Const emergingURL = "http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
Const level1URL = "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz"
Const sigmaprojectsURL = "http://blocklist.sigmaprojects.org/api.cfc?method=getlist&lists=webexploit,spyware,anti-infringement,spammers"
Const dshieldURL = "http://feeds.dshield.org/block.txt"

Dim outFile : outFile = currPath & "test_output.txt"
Dim emergingFile : emergingFile = currPath & "emergingIPs.txt"
Dim level1FileGZ : level1FileGZ = currPath & "level1.txt.gz"
Dim level1File : level1File = currPath & "level1.txt"
Dim sigmaprojectsFileGZ : sigmaprojectsFileGZ = currPath & "sigmaprojectsIPs.txt.gz"
Dim sigmaprojectsFile : sigmaprojectsFile = currPath & "sigmaprojectsIPs.txt"
Dim dshieldFile : dshieldFile = currPath & "dshieldIPs.txt"
Dim mainOutputStr, ACL_NAME, logSuffix

'download URL to DownloadLocation (binary-safe, overwrites an existing file)
Sub WGET(URL, DownloadLocation)
  Dim xHttp : Set xHttp = CreateObject("MSXML2.ServerXMLHTTP.6.0")
  Dim bStrm : Set bStrm = CreateObject("Adodb.Stream")
  xHttp.Open "GET", URL, False
  xHttp.Send

  With bStrm
    .Type = 1 'binary
    .Open
    .Write xHttp.responseBody
    .SaveToFile DownloadLocation, 2 'overwrite
  End With
End Sub

'uncompress filePathGZ with gzip.exe and wait until filePath exists
Sub unGZ(filePathGZ, filePath)
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  'gzip -d decompress, -q quiet, -f overwrite; note the space before the switches
  execPath = Chr(34) & currPath & "gzip.exe" & Chr(34) & " -dqf " & Chr(34) & filePathGZ & Chr(34)
  'run gzip uncompress
  WshShell.Run execPath
  'wait (up to about 60 s) for the uncompressed file written by the previous call
  Dim tries : tries = 0
  Do Until objFSO.FileExists(filePath) Or tries >= 30
    Sleep(2000)
    tries = tries + 1
  Loop
End Sub

'rewrite file without leading/trailing whitespace and without blank lines
Function TrimFile(file)
  Dim strLine, strNewContents
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(file, ForReading)

  Do Until objFile.AtEndOfStream
    strLine = Trim(objFile.ReadLine)
    If Len(strLine) > 0 Then
      strNewContents = strNewContents & strLine & vbCrLf
    End If
  Loop

  objFile.Close

  Set objFile = objFSO.OpenTextFile(file, ForWriting)
  objFile.Write strNewContents
  objFile.Close
End Function

Function BlueTrackConverterPG2CIDR(inLine) 'only for P2P format blocklist files
  Dim objIE, sourceItem, objInput
  sourceItem = inLine
  Set objIE = CreateObject("InternetExplorer.Application")
  objIE.Visible = False
  objIE.Navigate "http://www.bluetack.co.uk/converter/"

  Do Until objIE.readyState = 4 : Sleep(200) : Loop

  objIE.Document.getElementById("fromformat").value = "pg"
  objIE.Document.getElementById("toformat").value = "shorewall"
  objIE.Document.getElementById("denyonly").value = "yes"
  objIE.Document.getElementById("listCleaning").value = "mergeoverlaps"
  objIE.Document.getElementById("sortBy").value = "IP"
  'paste the entries into the converter form
  objIE.Document.getElementById("sfrom").value = sourceItem
  Sleep(200)

  For Each objInput In objIE.Document.getElementsByTagName("input")
    If objInput.Value = "Convert" Then
      objInput.Click
      Exit For
    End If
  Next
  'return value
  Sleep(200)
  BlueTrackConverterPG2CIDR = objIE.Document.getElementById("sto").value
  objIE.Quit
  Set objIE = Nothing
End Function

Function BlueTrackConverterDSHIELD2CIDR(inStr) 'only for DSHIELD conversions
  Dim objIE, objInput
  Set objIE = CreateObject("InternetExplorer.Application")
  objIE.Visible = False
  objIE.Navigate "http://www.bluetack.co.uk/converter/"

  Do Until objIE.readyState = 4 : Sleep(200) : Loop

  objIE.Document.getElementById("fromformat").value = "dshield"
  objIE.Document.getElementById("toformat").value = "shorewall"
  objIE.Document.getElementById("denyonly").value = "yes"
  objIE.Document.getElementById("listCleaning").value = "mergeoverlaps"
  objIE.Document.getElementById("sortBy").value = "IP"
  'paste the entries into the converter form
  objIE.Document.getElementById("sfrom").value = inStr
  Sleep(200)

  For Each objInput In objIE.Document.getElementsByTagName("input")
    If objInput.Value = "Convert" Then
      objInput.Click
      Exit For
    End If
  Next
  'return outputStr
  Sleep(200)
  BlueTrackConverterDSHIELD2CIDR = objIE.Document.getElementById("sto").value
  objIE.Quit
  Set objIE = Nothing
End Function

Function MaskLengthToIP(intMask)
  ' Converts a mask length to the dotted-decimal netmask (e.g. 19 -> 255.255.224.0)
  Dim arrOctets(3)
  Dim intFullOctets : intFullOctets = (intMask - (intMask Mod 8)) / 8
  Dim i
  For i = 0 To (intFullOctets - 1)
    arrOctets(i) = "255"
  Next
  Dim intPartialOctetLen : intPartialOctetLen = intMask Mod 8
  Dim j
  If intPartialOctetLen > 0 Then
    Dim intOctet : intOctet = 0
    For j = 0 To (intPartialOctetLen - 1)
      intOctet = intOctet + 2^(7 - j)
    Next
    arrOctets(i) = intOctet : i = i + 1
  End If
  For j = i To 3
    arrOctets(j) = "0"
  Next
  MaskLengthToIP = Join(arrOctets, ".")
End Function

'one "a.b.c.d/len" or "a.b.c.d" line -> one ASA deny entry (blank input -> "")
Function CIDR2ACL(strLine, aclNameStr)
  Dim strEntry, pos_start, tmpIP, subMaskStr
  CIDR2ACL = ""
  strEntry = Trim(strLine)
  'check for blank line
  If strEntry <> "" Then
    pos_start = InStr(strEntry, "/")
    If pos_start > 0 Then
      'get ip only, then convert the slash length to a netmask
      tmpIP = Mid(strEntry, 1, pos_start - 1)
      subMaskStr = MaskLengthToIP(CInt(Mid(strEntry, pos_start + 1)))
    Else
      'bare host address
      tmpIP = strEntry
      subMaskStr = "255.255.255.255"
    End If
    'return value
    CIDR2ACL = "access-list " & aclNameStr & " deny ip " & tmpIP & " " & subMaskStr & " any" & logSuffix & vbCrLf
  End If
End Function

Sub dshieldSUB
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(dshieldFile, ForReading)

  'readall from file and convert the DShield layout to CIDR
  Dim tStr, strText, arrLines, line
  strText = ""
  tStr = BlueTrackConverterDSHIELD2CIDR(objFile.ReadAll)

  arrLines = Split(tStr, vbCrLf)
  For Each line In arrLines
    strText = strText & CIDR2ACL(line, ACL_NAME)
  Next

  mainOutputStr = mainOutputStr & strText
  objFile.Close
End Sub

Sub emergingSUB()
  Dim strText
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(emergingFile, ForReading)
  'the feed is already one CIDR per line; skip blanks and # comments
  Do Until objFile.AtEndOfStream
    strText = objFile.ReadLine
    If Trim(strText) = "" Then
      'do nothing
    ElseIf InStr(strText, "#") > 0 Then
      'do nothing
    Else
      'convert CIDR
      strText = CIDR2ACL(strText, ACL_NAME)
      mainOutputStr = mainOutputStr & strText
    End If
  Loop
  objFile.Close
End Sub

Sub sigmaprojectsSUB()
  Dim strText
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objFile = objFSO.OpenTextFile(sigmaprojectsFile, ForReading)
  Do Until objFile.AtEndOfStream
    strText = objFile.ReadLine
    strText = CIDR2ACL(strText, ACL_NAME)
    mainOutputStr = mainOutputStr & strText
  Loop
  objFile.Close
End Sub

Sub level1SUB()
  'P2P-format lists are large, so entries go to the converter in batches
  Dim tStr, strText, strTextLine, arrLines, line, runningStr, c
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objTextFile = objFSO.OpenTextFile(level1File, ForReading)
  c = 0
  runningStr = ""
  Do Until objTextFile.AtEndOfStream
    strTextLine = Trim(objTextFile.ReadLine)
    If strTextLine = "" Then
      'skip blank lines
    ElseIf InStr(strTextLine, "#") > 0 Then
      'skip comments
    ElseIf InStr(strTextLine, " ") > 0 Then
      'skip malformed entries
    Else
      runningStr = runningStr & strTextLine & vbCrLf
      'increment counter
      c = c + 1
    End If
    'execute 7500 items at a time, plus whatever is left at end of file
    If c >= 7500 Or objTextFile.AtEndOfStream Then
      If runningStr <> "" Then
        tStr = tStr & BlueTrackConverterPG2CIDR(runningStr) & vbCrLf
      End If
      'reset counter
      c = 0
      runningStr = ""
    End If
  Loop
  'clean up
  objTextFile.Close

  arrLines = Split(tStr, vbCrLf)
  For Each line In arrLines
    strText = strText & CIDR2ACL(line, ACL_NAME)
  Next
  mainOutputStr = mainOutputStr & strText
End Sub

Sub cleanUP()
  'dump to file
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  'Set objOutputFile = objFSO.CreateTextFile(outFile)
  'objOutputFile.Write mainOutputStr
  'clear and output access-lists
  document.getElementById("outputTextarea").Value = mainOutputStr

  'objOutputFile.Close

  'delete files dshieldIPs.txt, sigmaprojectsIPs.txt, emergingIPs.txt, level1.txt
  Set delFSO = CreateObject("Scripting.FileSystemObject")

  If delFSO.FileExists(dshieldFile) Then
    delFSO.DeleteFile dshieldFile
  End If
  If delFSO.FileExists(sigmaprojectsFile) Then
    delFSO.DeleteFile sigmaprojectsFile
  End If
  If delFSO.FileExists(emergingFile) Then
    delFSO.DeleteFile emergingFile
  End If
  If delFSO.FileExists(level1File) Then
    delFSO.DeleteFile level1File
  End If
  'remove sleeper.vbs
  If delFSO.FileExists("sleeper.vbs") Then
    delFSO.DeleteFile "sleeper.vbs"
  End If
End Sub

Sub runMe()
  'clear mainOutputStr
  mainOutputStr = ""
  'get ACL Name
  ACL_NAME = document.getElementById("acl_textbox").value
  'check log checkbox
  If document.getElementById("log_checkbox").Checked Then
    logSuffix = " log"
  Else
    logSuffix = ""
  End If
  'run the Subs for every selected source
  If document.getElementById("emerging_checkbox").Checked Then
    Call WGET(emergingURL, emergingFile)
    Call TrimFile(emergingFile)
    Call emergingSUB()
  End If
  If document.getElementById("dshield_checkbox").Checked Then
    Call WGET(dshieldURL, dshieldFile)
    Call TrimFile(dshieldFile)
    Call dshieldSUB()
  End If
  If document.getElementById("sigmaprojects_checkbox").Checked Then
    Call WGET(sigmaprojectsURL, sigmaprojectsFileGZ)
    Call unGZ(sigmaprojectsFileGZ, sigmaprojectsFile)
    Call sigmaprojectsSUB()
  End If
  If document.getElementById("bluetrack1_checkbox").Checked Then
    Call WGET(level1URL, level1FileGZ)
    Call unGZ(level1FileGZ, level1File)
    'trim before converting so the batches contain clean entries
    Call TrimFile(level1File)
    Call level1SUB()
  End If
  'execute cleanup
  Call cleanUP()
End Sub

Sub ClearMe
  document.getElementById("acl_textbox").value = "MyACL"
  document.getElementById("log_checkbox").Checked = False
  document.getElementById("emerging_checkbox").Checked = False
  document.getElementById("dshield_checkbox").Checked = False
  document.getElementById("sigmaprojects_checkbox").Checked = False
  document.getElementById("bluetrack1_checkbox").Checked = False
  'clear textarea
  document.getElementById("outputTextarea").Value = "The access-list will appear here."
End Sub
</script>
<center>
<h2>Blocklist to Cisco ASA ACL converter</h2>

<h4>Select Blocklist Sources to Convert</h4>
</center>
<form action="">
<b>ACL Name:</b> <input id="acl_textbox" name="acl_textbox" type="text" value="MyACL" /><br />
<input id="emerging_checkbox" name="emerging_checkbox" type="checkbox" /><a href="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" target="_blank">Emerging Threats</a><br />
<input id="dshield_checkbox" name="dshield_checkbox" type="checkbox" /><a href="http://feeds.dshield.org/block.txt" target="_blank">Dshield</a><br />
<input id="sigmaprojects_checkbox" name="sigmaprojects_checkbox" type="checkbox" /><a href="https://blocklist.sigmaprojects.org/" target="_blank">Sigma Projects</a><br />
<input id="bluetrack1_checkbox" name="bluetrack1_checkbox" type="checkbox" /><a href="https://www.iblocklist.com/list.php?list=bt_level1" target="_blank">Bluetrack Level1</a><br />

<b>Add log suffix to each ACL</b><br />
<input id="log_checkbox" name="log_checkbox" type="checkbox" /> Log ACL<br />

<!-- the buttons must call the VBScript Subs explicitly; without onclick they do nothing -->
<input name="runMeButton" type="button" value="Run Script" onclick="vbscript:runMe" /> <input name="ClearMeButton" type="button" value="Clear" onclick="vbscript:ClearMe" />
</form>
<textarea id="outputTextarea" cols="75" rows="30">The access-list will appear here.</textarea>
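The conversion step the HTA performs (prefix length to netmask, one feed entry to one ASA deny entry), re-implemented in Python as an added example; this is not the Blocklist2ACL tool's own code, the feed is a constructed sample, and it goes a little beyond the HTA by rejecting entries that are not valid IPv4 and de-duplicating the output.

```python
"""Blocklist entries -> Cisco ASA extended ACL deny lines. Added Python re-implementation
of the Blocklist2ACL HTA's MaskLengthToIP/CIDR2ACL path; not the HTA's own code."""
import ipaddress
from typing import Iterable, List, Optional


def mask_length_to_ip(prefix_len: int) -> str:
    """Prefix length -> dotted-decimal netmask, e.g. 19 -> 255.255.224.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length: {prefix_len}")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def cidr_to_acl(entry: str, acl_name: str, log: bool = False) -> Optional[str]:
    """One feed line -> 'access-list <name> deny ip <net> <mask> any [log]'.
    Blank lines and '#' comments give None. A bare address is a /32 host and host
    bits inside a prefix are cleared. Anything that is not valid IPv4 raises
    ValueError, so a malformed or tampered feed line cannot silently become a
    nonsense ACL entry (the HTA emits whatever text the feed contains).
    """
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    net = ipaddress.IPv4Network(entry, strict=False)
    suffix = " log" if log else ""
    return (f"access-list {acl_name} deny ip {net.network_address} "
            f"{mask_length_to_ip(net.prefixlen)} any{suffix}")


def convert_feed(lines: Iterable[str], acl_name: str, log: bool = False) -> List[str]:
    """Whole one-entry-per-line feed -> ordered, de-duplicated ACL lines."""
    seen, acl = set(), []
    for line in lines:
        ace = cidr_to_acl(line, acl_name, log)
        if ace and ace not in seen:
            seen.add(ace)
            acl.append(ace)
    return acl


# Constructed sample in the emerging-Block-IPs.txt style (RFC 5737 test ranges).
SAMPLE_FEED = """# constructed sample feed, not a real download
192.0.2.0/24
198.51.100.7

203.0.113.5/26
192.0.2.0/24
"""

if __name__ == "__main__":
    print("\n".join(convert_feed(SAMPLE_FEED.splitlines(), "BLOCK", log=True)))
```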