10-25-2014 06:53 AM
Is it possible to dynamically block IPs using blocklists from something like iblocklist.com?
Seems like there should be a way to monitor a given list like the known spyware list:
http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz
And, given that, pull the list and modify the local router/fw access list to block access.
The list has entries similar to:
trojans:222.189.238.210-222.189.238.210
Anyone know if this is possible or has a script for it?
10-26-2014 10:19 AM
Assuming you can get the file in text format uncompressed via an HTTP stream, you could create an EEM Tcl script that periodically fetches the file (using the built-in HTTP 1.0 client library), parses it, then creates an ACL for it. I recommend you recreate the ACL as a temporary one first, then juggle the names to limit the size of the "open" window.
I thought someone created a similar script a while ago using a different blocking service, but I can't seem to find it. Perhaps your searches will yield better results.
10-27-2014 02:46 PM
Hi Joe!
I should have thought to just email you directly :-)
I ended up writing a Perl script that does the trick, but that method isn't as seamless/elegant as I was aiming for.
My hope was to just set a series of URLs in the router and have them check for new entries every day or week or whatever and create the ACLs based on that.
What I wrote in Perl works great as far as going and getting everything and building it properly, but now I have to run a TFTP server and schedule the router to periodically grab the result - plus have the Perl script run via cron every X days.
So instead of just letting the router be the "smart guy", I now have multiple components to manage (router, Linux box, Perl script, etc.).
What year is this?
One would think we'd have better toys by now darnit! hehe
Anyhoo, I was going to put up a blog post so someone else can benefit from my work later on. I'll put the link here once I finish the post.
For future visitors: If you do manage to do this solely using EEM, I think it would be very useful!
10-28-2014 07:45 AM
Like I said, this is very doable with EEM provided there is a text-only download link (i.e., one that doesn't require an unzip). I don't know the service to know if such a link exists. At the very least, you could automate the download and decompression on your Linux box, then have EEM periodically download the uncompressed file and do the application of the ACLs.
10-28-2014 05:12 PM
Thanks!
Here's the blog post - I'd love to see this done in EEM, seems like it'd be pretty handy for folks. Alas, I don't know how to do it :)
http://www.logzilla.net/blog/using-perl-to-convert-ip-blocklists-blacklists-to-cisco-access-lists
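The conversion step discussed in this thread, as an added Python example (not code from any poster and not the Perl script in the linked blog post): it parses the `label:start-end` format quoted above, treats the list as untrusted input so only validated IPv4 addresses reach the generated config, and renders an IOS extended ACL. The ACL name `BLOCKLIST_TMP`, the `PROTECTED` management network and all sample lines are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the P2P text format quoted in the thread (label:start-end).
SAMPLE = """\
# constructed sample, not real blocklist data
trojans:222.189.238.210-222.189.238.210
example range:198.51.100.0-198.51.100.255
odd:label:203.0.113.4-203.0.113.7
broken line without a range
bad:203.0.113.300-203.0.113.301
reversed:192.0.2.9-192.0.2.1
mgmt overlap:192.0.2.0-192.0.2.255
"""
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical management network

def parse_p2p(text):
    """Return validated (start, end) IPv4 pairs; malformed lines are skipped."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The label may itself contain ':'; the range is whatever follows the last one.
        _, _, span = line.rpartition(":")
        first, _, last = span.partition("-")
        try:
            start, end = (ipaddress.IPv4Address(s.strip()) for s in (first, last))
        except ValueError:
            continue  # not two valid IPv4 addresses: never copy raw text into config
        if start <= end:
            ranges.append((start, end))
    return ranges

def build_acl(name, ranges, protected=()):
    """Render ranges as IOS extended-ACL lines, skipping nets that overlap `protected`."""
    nets = [n for s, e in ranges for n in ipaddress.summarize_address_range(s, e)]
    keep = [n for n in ipaddress.collapse_addresses(nets)
            if not any(n.overlaps(p) for p in protected)]
    lines = [f"ip access-list extended {name}"]
    for n in keep:
        if n.prefixlen == 32:
            lines.append(f" deny ip host {n.network_address} any")
        else:
            lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")  # without this the implicit deny drops everything
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl("BLOCKLIST_TMP", parse_p2p(SAMPLE), PROTECTED)))
```

Generating the ACL under a temporary name matches the advice earlier in the thread to build a temporary ACL first and swap names afterwards, so the interface is never left unfiltered while the list loads.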