Remediation Module for Security Intelligence Blacklist

Remediation module for automatically adding an IP address to a Security Intelligence blacklist. The file contains a readme with more information.

Comments
esersekizinci
Beginner

Hi, I wanted to make this remediation tool much more automated. The script adds the IP address into the black_list automatically, but if you want to clear the list or remove the IP addresses you have to delete them manually.

With this cron job script you can remove all the IP addresses automatically every 4 hours.

vim /tmp/clear_custom_list.sh

#!/bin/bash
# Clear the custom blacklist served by the FMC web server and regenerate its MD5 file
rm /var/sf/htdocs/custom_blacklist.html
echo "Dosya silindi $(date)"
sleep 2
# Recreate the file empty (a bare 'cat >' would block on stdin when run interactively)
: > /var/sf/htdocs/custom_blacklist.html
echo "Dosya olusturuldu $(date)"
sleep 2
sudo md5sum /var/sf/htdocs/custom_blacklist.html > /var/sf/htdocs/custom_blacklist_md5.html
echo "Hash hesaplandi $(date)"

# Make it executable
chmod +x /tmp/clear_custom_list.sh

# Add the job to the crontab: run every 4 hours and append the output to a log file
crontab -e
0 */4 * * * /tmp/clear_custom_list.sh >> /tmp/custom_list_log.log 2>&1

You can see the logs with timestamps:

root@fmc623:/tmp# cat custom_list_log.log
Dosya silindi Sat May 25 12:53:01 UTC 2019
Dosya olusturuldu Sat May 25 12:53:03 UTC 2019
Hash hesaplandi Sat May 25 12:53:05 UTC 2019

Cheers !
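As an added example that is not part of the post above or of the remediation module, here is the same cron idea with per-entry expiry: each IP leaves the list once it is older than a TTL, instead of the whole list being wiped every 4 hours (which also drops IPs added minutes earlier). The sidecar state file, the one-IP-per-line list layout and the demo addresses are assumptions; schedule it from cron with the same redirection as the script above.

```bash
#!/bin/bash
# Added example, not from the original post or the remediation module: expire
# blacklist entries individually after a TTL instead of wiping the whole list.
# Assumptions: one IP/CIDR per line in the list file (as the module appends them),
# and a sidecar state file ("ip first_seen_epoch") that this script maintains itself.
set -e

# expire_blacklist LIST STATE TTL_SECONDS NOW_EPOCH
expire_blacklist() {
    list="$1"; state="$2"; ttl="$3"; now="$4"
    [ -f "$list" ] || : > "$list"
    [ -f "$state" ] || : > "$state"
    tmp_state=$(mktemp)
    # Temp file in the same directory so the final mv is an atomic rename
    tmp_list=$(mktemp "$(dirname "$list")/.list.XXXXXX")
    # Carry over the first-seen time of known IPs; stamp new IPs with "now"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        seen=$(awk -v ip="$ip" '$1 == ip { print $2; exit }' "$state")
        printf '%s %s\n' "$ip" "${seen:-$now}" >> "$tmp_state"
    done < "$list"
    # Keep only entries younger than TTL; expired IPs drop out of list and state
    awk -v now="$now" -v ttl="$ttl" '(now - $2) < ttl' "$tmp_state" > "$state"
    awk '{ print $1 }' "$state" > "$tmp_list"
    # World-readable like the original list, then atomic replace: the feed never
    # downloads a half-written file. MD5 file written the same way as in the post above.
    chmod 644 "$tmp_list"
    mv "$tmp_list" "$list"
    md5sum "$list" > "${list%.html}_md5.html"
    rm -f "$tmp_state"
}

# Constructed demo data (documentation addresses, not real indicators):
# one entry first seen 20000 s ago (stale at a 4 h TTL), one brand-new entry.
demo=$(mktemp -d)
printf '203.0.113.10\n198.51.100.7\n' > "$demo/auto_blacklist.html"
printf '203.0.113.10 %s\n' "$(( $(date +%s) - 20000 ))" > "$demo/first_seen.txt"
expire_blacklist "$demo/auto_blacklist.html" "$demo/first_seen.txt" 14400 "$(date +%s)"
cat "$demo/auto_blacklist.html"   # prints only 198.51.100.7
```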

ermal
Beginner

Hello,

I use FMC 6.2.3.15, and I have installed and configured the remediation module blacklist v1.1.

Source IPs detected from correlation events are written to the file auto_blacklist.html, and the md5 file value also changes.

The problem that I have is that the Network Feed that I have created does not receive updates from this list. I get the error message "Unable to download File".

Please find below a screenshot of the configuration of the Network Feed.

Any idea?

Thanks

auto_blacklist.JPG

marcairn
Cisco Employee

If you SSH into your FMC and go to expert mode, then change into the proper html directory, do you see your file with the exact name "auto_blacklist.html"?
In my case, as it stands right now:
admin@fmc:/$ cd /var/sf/htdocs
admin@fmc:/var/sf/htdocs$ ls -l scanners.html
-rw-r--r-- 1 root root 15696 Mar 6 13:46 scanners.html
admin@fmc:/var/sf/htdocs$

Also, as a test, you should be able to open a browser tab and hit the URL that you are trying to parse and see the IPs in the file.

ermal
Beginner

Thanks for your response marcairn.

When I SSH into the FMC I can see the file with the exact name, and also the md5.html file, in /var/sf/htdocs.

Right now I don't have access to the device, but on Monday I'll check if I can access this file from a browser.

Do I have to run/enable any web service on FMC?

ermal
Beginner

Hello,

I've used the https://FMC_Hostname/auto_blacklist.html and now the list is OK with the update :)

Now I have another question: Is there any way to set the Update Frequency of this list to 5 minutes, or less?

Thanks

marcairn
Cisco Employee

Glad to hear things are working.

30 minutes is the minimum update time for a custom feed.

Mark

ermal
Beginner

Thanks a lot :)

Is it working for FMC version 6.4?

marcairn
Cisco Employee

siddharthjaiswal@live.com 

Yes. I have been using the blacklist remediation up through the current 6.6 release.

pioneer01
Beginner

I have a new install of FMC 6.5 and am having trouble similar to ermal. However, I can't reach it via the web address, and the files don't exist in '/var/sf/htdocs' either. Any suggestions?

ermal
Beginner

Hi pioneer01,

You have to trigger a correlation event, and this will create and also fill the list.

After that you will see it in "/var/sf/htdocs", and you can also access it through the web interface.

Br.
