Dynamic Access List using iblocklist.com

cdukeslogzilla
Level 1

Is it possible to dynamically block IPs using blocklists from something like iblocklist.com?

Seems like there should be a way to monitor a given list like the known spyware list:

http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz

And, given that, pull the list and modify the local router/fw access list to block access.

The list has entries similar to:

trojans:222.189.238.210-222.189.238.210

Anyone know if this is possible or has a script for it?

4 Replies

Joe Clarke
Cisco Employee

Assuming you can get the file in text format uncompressed via an HTTP stream, you could create an EEM Tcl script that periodically fetches the file (using the built-in HTTP 1.0 client library), parses it, then creates an ACL for it.  I recommend you recreate the ACL as a temporary one first, then juggle the names to limit the size of the "open" window.

I thought someone created a similar script a while ago using a different blocking service, but I can't seem to find it.  Perhaps your searches will yield better results.

Hi Joe!

I should have thought to just email you directly :-)

I ended up writing a Perl script that does the trick, but that method isn't as seamless/elegant as I was aiming for.

My hope was to just set a series of URLs in the router and have them check for new entries every day or week or whatever and create the ACLs based on that.

What I wrote in Perl works great as far as going and getting everything and building it properly, but now I have to run a TFTP server and schedule the router to periodically grab the result - plus have the Perl script run via cron every X days.

So instead of just letting the router be the "smart guy", I now have multiple components to manage (router, linux box, perl script, etc.).

What year is this?

One would think we'd have better toys by now darnit! hehe

Anyhoo, I was going to put up a blog post so someone else can benefit from my work later on. I'll put the link here once I finish the post.

For future visitors: If you do manage to do this solely using EEM, I think it would be very useful!

Like I said, this is very doable with EEM provided there is a text-only download link (i.e., one that doesn't require an unzip).  I don't know the service to know if such a link exists.  At the very least, you could automate the download and decompression on your Linux box, then have EEM periodically download the uncompressed file and do the application of the ACLs.

Thanks!

Here's the blog post - I'd love to see this done in EEM, seems like it'd be pretty handy for folks. Alas, I don't know how to do it :)

http://www.logzilla.net/blog/using-perl-to-convert-ip-blocklists-blacklists-to-cisco-access-lists
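
Added example (not from the thread or the linked blog post): the Linux-side conversion step discussed above, sketched in Python. It parses the `label:first-last` format quoted in the question, collapses each range into CIDR blocks, and emits a Cisco extended ACL under a temporary name, skipping malformed or reversed entries. The ACL name `BLOCKLIST-TMP`, the sample entries other than the first, the source-address `deny ... any` direction and the trailing `permit ip any any` are assumptions.

```python
import ipaddress

# Constructed sample in the P2P text format quoted in the question
# ("label:first-last"); only the first entry appears in the thread.
SAMPLE = """\
# constructed sample list
trojans:222.189.238.210-222.189.238.210
example range:192.0.2.0-192.0.2.255
example: odd span:198.51.100.4-198.51.100.9
broken line without a range
reversed:203.0.113.9-203.0.113.1
"""

def parse_p2p(text):
    """Yield (first, last) IPv4Address pairs; skip comments and bad lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may themselves contain ':', so split on the last one.
        _label, sep, span = line.rpartition(":")
        first, dash, last = span.partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
        except ValueError:
            continue
        if sep and dash and lo <= hi:
            yield lo, hi

def to_networks(ranges):
    """Turn inclusive ranges into a minimal, sorted list of CIDR blocks."""
    nets = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))

def build_acl(name, text):
    """Return IOS extended-ACL lines denying each listed source address."""
    lines = [f"ip access-list extended {name}"]
    for net in to_networks(parse_p2p(text)):
        if net.prefixlen == 32:
            lines.append(f" deny ip host {net.network_address} any")
        else:
            # IOS ACLs take a wildcard (inverse) mask, not a netmask.
            lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")  # assumption: unlisted traffic stays allowed
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl("BLOCKLIST-TMP", SAMPLE)))
```

Collapsing ranges into CIDR blocks keeps the ACL as short as the list allows, which matters because large blocklists can otherwise produce one entry per address.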