dohurd
Cisco Employee

Remediation module for automatically adding an IP address to a Security Intelligence blacklist. The file contains a readme with more information.

Comments
esersekizinci
Level 1

Hi, I wanted to make this remediation tool more automated. The script adds the IP address into the black_list automatically, but if you want to clear the list or remove the IP addresses you have to delete them manually.

With this cron job script you can remove all the IP addresses automatically every 4 hours.

 

vim /tmp/clear_custom_list.sh

#!/bin/sh
# Runs from root's crontab: delete and recreate the custom list as an empty
# file, then refresh its md5 companion so the FMC feed picks up the change.
rm /var/sf/htdocs/custom_blacklist.html
echo "Dosya silindi $(date)"               # log: "file deleted"
sleep 2
: > /var/sf/htdocs/custom_blacklist.html   # recreate as an empty file (does not wait on stdin like "cat >" would)
echo "Dosya olusturuldu $(date)"           # log: "file created"
sleep 2
sudo md5sum /var/sf/htdocs/custom_blacklist.html > /var/sf/htdocs/custom_blacklist_md5.html
echo "Hash hesaplandi $(date)"             # log: "hash computed"

# Make it executable
chmod +x /tmp/clear_custom_list.sh

crontab -e
# every 4 hours, appending stdout and stderr to a log file
0 */4 * * * /tmp/clear_custom_list.sh >> /tmp/custom_list_log.log 2>&1

You can see the logs with timestamps:

root@fmc623:/tmp# cat custom_list_log.log
Dosya silindi Sat May 25 12:53:01 UTC 2019
Dosya olusturuldu Sat May 25 12:53:03 UTC 2019
Hash hesaplandi Sat May 25 12:53:05 UTC 2019

Cheers !

ermal
Level 1

Hello,

I use FMC 6.2.3.15, and I have installed and configured the blacklist remediation module v1.1.

Source IPs detected from correlation events are written to the file auto_blacklist.html, and the md5 file value also changes.

The problem I have is that the Network Feed I created does not receive updates from this list. I get the error message "Unable to download File".

Please find below a screenshot of the configuration of the Network Feed.

Any idea?

Thanks

 

auto_blacklist.JPG

marcairn
Cisco Employee

If you SSH into your FMC and go to expert mode, then change into the proper html directory, do you see your file with the exact name "auto_blacklist.html"?
In my case, as it stands right now:
admin@fmc:/$ cd /var/sf/htdocs
admin@fmc:/var/sf/htdocs$ ls -l scanners.html
-rw-r--r-- 1 root root 15696 Mar 6 13:46 scanners.html
admin@fmc:/var/sf/htdocs$


Also, as a test, you should be able to open a browser tab and hit the URL that you are trying to parse and see the IPs in the file.

ermal
Level 1

Thanks for your response marcairn.

When I SSH into the FMC I can see the file with the exact name, and also the md5.html file, in /var/sf/htdocs.

Right now I don't have access to the device, but on Monday I'll check if I can access this file from a browser.

Do I have to run/enable any web service on FMC?

ermal
Level 1

Hello,

I've used the https://FMC_Hostname/auto_blacklist.html and now the list is OK with the update :)

Now I have another question: is there any way to set the Update Frequency of this list to 5 minutes, or less?

Thanks

marcairn
Cisco Employee

Glad to hear things are working.


30 minutes is the minimum update time for a custom feed.


Mark

ermal
Level 1

Thanks a lot :)

Is it working for FMC version 6.4?

marcairn
Cisco Employee


Yes. I have been using the blacklist remediation up through the current 6.6 release.

pioneer01
Level 1

I have a new install of FMC 6.5 and am having trouble similar to ermal's. However, I can't reach it via the web address, and the files don't exist in '/var/sf/htdocs' either. Any suggestions?

ermal
Level 1

Hi pioneer01,

You have to trigger a correlation event; this will create the list and also fill it.

After that you will see it in "/var/sf/htdocs", and you can also access it through the web interface.

Br.

dbalo
Level 1

Confirmed this is working for 6.6 and 7.1. Unfortunately, the URL does not have the correct encoding to be re-ingested into TID instead of an old-fashioned SI feed.

clnjj
Level 1

Thank you for posting. I receive an alert in the FMC stating "source_IP_block - Failed to download from https://127.0.0.1/custom_blacklist_md5.html: Not Found (404)". Is this file created after the first correlation event occurs, or is there a need to manually create the file? Thank you.

dbalo
Level 1

I had the same alert until the first IP was put in the file.

There is another outstanding issue. If your FMC is in HA, the secondary will have health warnings for the remediation daemon crashing. If you look at the db on the secondary, the module isn't installing across the high availability.
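The checks marcairn describes above (does the list file exist under /var/sf/htdocs with the exact name, and does the feed URL answer) and the 404-until-first-event behaviour dbalo confirms can be scripted from FMC expert mode. The script below is an added example for this thread, not code from the remediation module or from any poster; it assumes the md5 companion file holds the output of `md5sum <list>` (as in the cron script earlier in the thread) and that the web root is /var/sf/htdocs. The function names, exit codes and the constructed temporary directory used in the demo are all assumptions.

```shell
#!/bin/sh
# Added diagnostic for a custom Security Intelligence list and its md5 file.
# Not part of the remediation module; assumptions are noted in the comments.

# check_list_files <htdocs_dir> <list_name>
# Return codes (assumed convention): 0 ok, 2 list missing (expected before the
# first correlation event), 3 md5 file missing, 4 md5 stale (feed will not
# accept the list until the md5 file is refreshed).
check_list_files() {
    dir="$1"; name="$2"
    list="$dir/$name.html"
    md5file="$dir/${name}_md5.html"

    if [ ! -f "$list" ]; then
        echo "MISSING: $list (created by the first correlation event)"
        return 2
    fi
    if [ ! -f "$md5file" ]; then
        echo "MISSING: $md5file"
        return 3
    fi
    # md5sum prints "<hash>  <path>"; the first field is the hash.
    actual=$(md5sum "$list" | cut -d' ' -f1)
    recorded=$(cut -d' ' -f1 "$md5file")
    if [ "$actual" != "$recorded" ]; then
        echo "MISMATCH: $md5file records $recorded but $list hashes to $actual"
        return 4
    fi
    echo "OK: $list ($(grep -c . "$list") entries), md5 $actual"
    return 0
}

# check_list_url <url>: the same test as opening the feed URL in a browser,
# run from the FMC shell. -k accepts the FMC's self-signed certificate; a 404
# here is what the "Not Found (404)" health alert in the thread reports.
check_list_url() {
    code=$(curl -k -s -o /dev/null -w '%{http_code}' "$1" || echo 000)
    echo "HTTP $code for $1"
    [ "$code" = "200" ]
}

# Offline demo on a constructed temporary directory (not an FMC), walking
# through the states a list goes through: absent, no md5 yet, consistent, stale.
demo() {
    tmp=$(mktemp -d)
    rc=0; check_list_files "$tmp" custom_blacklist || rc=$?; echo "rc=$rc"
    printf '192.0.2.10\n192.0.2.11\n' > "$tmp/custom_blacklist.html"   # constructed entries
    rc=0; check_list_files "$tmp" custom_blacklist || rc=$?; echo "rc=$rc"
    md5sum "$tmp/custom_blacklist.html" > "$tmp/custom_blacklist_md5.html"
    rc=0; check_list_files "$tmp" custom_blacklist || rc=$?; echo "rc=$rc"
    printf '192.0.2.12\n' >> "$tmp/custom_blacklist.html"              # list changed, md5 not refreshed
    rc=0; check_list_files "$tmp" custom_blacklist || rc=$?; echo "rc=$rc"
    rm -rf "$tmp"
}

demo
```

On a real FMC the two checks would be run together, for example `check_list_files /var/sf/htdocs custom_blacklist && check_list_url https://127.0.0.1/custom_blacklist.html`; a return code of 2 before any correlation event has fired is the normal state described in the thread, while a 4 after a manual edit of the list means the md5 file was not regenerated.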

marcairn
Cisco Employee

Just some notes. This remediation module was an existing module in the Sourcefire days, before the acquisition. There were some errors in the code that caused issues, and there are probably still notes in the script about future functions that were planned. I worked through the errors in the existing code and added a few features to get the module logging and working properly as a feed in my lab at the time. Unfortunately, the original module (in its non-functional state) was removed from the manager at some point, and my edits were never added back in as a Cisco-supported module, so it is treated as third party. I don't run a lab HA pair and never tested it in that topology.

If there are functions missing to support HA, that is probably because the original source was written many years ago before I started altering it to work with 6.x in 2017.
