
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] New Idea
From:       Jack Pepper <pepperjack () doctorunix ! com>
Date:       2006-09-14 16:11:28
Message-ID: 20060914111128.ok0311gl7z4g4044 () mail ! doctorunix ! com

Here is a script I have been using for some time. It creates a PIX shun list from lasso and DShield. Couple this with an ssh script (I use one in perl) in cron to push the output to the PIX.

You need to customize line 12 of the script to match the names of the ACLs on your PIX. I have standardized on ACL names for all our PIXes (50+) so I can mechanize tasks like this.

The first time you run it, it will generate harmless errors when it tries to clear out non-existent network-objects.

#!/bin/sh
#
#   regenerate objects to be shunned by Cisco pix.  Tested on IOS 6.3(1) through 7.0(4)
#   by Jack Pepper  pepperjack@doctorunix.com
#
# Static Tunables:
DSHIELD="http://feeds.dshield.org/block.txt"
TOP10="http://feeds.dshield.org/top10-2.txt"
SPAMHAUS="http://www.spamhaus.org/drop/drop.lasso"

# change this to be a list of all the ACLs to which the list should be applied:
APPLY_ACL_LIST="outside_in dmz_out inside_out"

# Fetch every feed up front.  The generated config starts by deleting the old
# object-groups, so a feed that could not be fetched would leave the pix with
# an empty group and no shun list at all: abort before printing anything instead.
TMP=`mktemp -d /tmp/shunlist.XXXXXX` || exit 1
trap 'rm -rf "$TMP"' 0
fetch() {
    wget -q -O "$2" "$1" || { echo "could not fetch $1" >&2 ; exit 1 ; }
}
fetch "$DSHIELD"  "$TMP/dshield"
fetch "$TOP10"    "$TMP/top10"
fetch "$SPAMHAUS" "$TMP/spamhaus"

# awk helper shared by the feed parsers: prefix length (8-32) -> dotted netmask,
# replacing the lookup table that used to be repeated for each feed.
MASK='
function mask(bits,    i, n, m) {
    m = ""
    for (i = 0; i < 4; i++) {
        n = bits - 8 * i
        if (n > 8) n = 8
        if (n < 0) n = 0
        m = m (i ? "." : "") (256 - 2 ^ (8 - n))
    }
    return m
}
'

echo "conf t"
for F in $APPLY_ACL_LIST ; do
     echo "no access-list $F deny ip object-group SPAMHAUS any"
     echo "no access-list $F deny ip any object-group SPAMHAUS"
     echo "no access-list $F deny ip object-group DSHIELD any"
     echo "no access-list $F deny ip any object-group DSHIELD"
done

echo "no object-group network DSHIELD"
echo "object-group network DSHIELD"
echo "description generated from $DSHIELD and $TOP10 `date`"
# block.txt: start_ip  end_ip  prefix_bits  attacks ...  (comment lines start with #)
awk "$MASK"'
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 >= 8 && $3 <= 32 {
        print " network-object " $1 " " mask($3)
    }' "$TMP/dshield"
# top10-2.txt: one attacking host address per line
awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print " network-object host " $1 }' "$TMP/top10"
echo "exit"
echo ""
echo "no object-group network SPAMHAUS"
echo "object-group network SPAMHAUS"
echo "description generated from $SPAMHAUS `date`"
# drop.lasso: "a.b.c.d/bits ; SBLnnn" per line
awk "$MASK"'
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($1, f, "/")
        if (f[2] >= 8 && f[2] <= 32) print " network-object " f[1] " " mask(f[2])
    }' "$TMP/spamhaus"
echo "exit"

for F in $APPLY_ACL_LIST ; do
     echo "access-list $F line 1 deny ip object-group SPAMHAUS any"
     echo "access-list $F line 1 deny ip any object-group SPAMHAUS"
     echo "access-list $F line 1 deny ip object-group DSHIELD any"
     echo "access-list $F line 1 deny ip any object-group DSHIELD"
done

echo "exit"


-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services@doctorunix.com


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
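A check worth putting between the generator and the push script, as an added example that is not part of the original post: refuse to push a shun list that is suspiciously short (an empty or truncated feed would otherwise replace the object-group with nothing) or that contains a prefix covering your own networks (a feed line that swallows your address space would shun you from your own PIX). MIN_ENTRIES, PROTECTED, the sample_* helpers and the RFC 5737 / RFC 2544 addresses in them are assumptions for illustration; the only thing taken from the post is the " network-object ..." line format the script emits.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-push sanity check for
# the generated shun list.  check_shunlist FILE exits 0 when the generator
# output looks safe to push and 1 when it does not.  It refuses when:
#   - fewer than MIN_ENTRIES network-objects are present (a feed fetch that
#     returned nothing or was truncated would otherwise push an empty list), or
#   - any entry overlaps one of the PROTECTED prefixes (a poisoned or sloppy
#     feed line covering your own address space would shun you from the pix).
# Assumed, not from the original: MIN_ENTRIES, PROTECTED (set to the RFC 5737
# documentation ranges here; use your own prefixes), and the generator output
# lines " network-object A.B.C.D M.M.M.M" / " network-object host A.B.C.D".

MIN_ENTRIES=${MIN_ENTRIES:-50}
PROTECTED=${PROTECTED:-"192.0.2.0/24 198.51.100.0/24"}

check_shunlist() {
    awk -v min="$MIN_ENTRIES" -v protected="$PROTECTED" '
    # dotted quad -> 32-bit integer (plain arithmetic, so any POSIX awk works)
    function ip2int(a,    o) {
        split(a, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        np = split(protected, plist, " ")
        for (i = 1; i <= np; i++) {
            split(plist[i], p, "/")
            psize[i] = 2 ^ (32 - p[2])                         # addresses in the block
            plo[i] = int(ip2int(p[1]) / psize[i]) * psize[i]   # network address
            phi[i] = plo[i] + psize[i] - 1                     # broadcast address
        }
        n = 0; bad = 0
    }
    $1 == "network-object" {
        n++
        if ($2 == "host") { ip = $3; size = 1; what = "host " $3 }
        else              { ip = $2; size = 2 ^ 32 - ip2int($3); what = $2 " " $3 }
        lo = int(ip2int(ip) / size) * size
        hi = lo + size - 1
        # two address ranges overlap iff each one starts before the other ends
        for (i = 1; i <= np; i++)
            if (lo <= phi[i] && plo[i] <= hi) {
                print "REFUSING: " what " overlaps protected " plist[i]
                bad++
            }
    }
    END {
        if (n < min) { print "REFUSING: only " n " entries, expected at least " min; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample of generator output (not real feed data): three entries
# that stay clear of the PROTECTED prefixes.
sample_good() {
    printf ' network-object 203.0.113.0 255.255.255.0\n'
    printf ' network-object host 203.0.113.9\n'
    printf ' network-object 198.18.0.0 255.254.0.0\n'
}
# Same, plus a /16 that swallows 192.0.2.0/24 and a host inside 198.51.100.0/24.
sample_bad() {
    sample_good
    printf ' network-object 192.0.0.0 255.255.0.0\n'
    printf ' network-object host 198.51.100.7\n'
}
```

In the cron job this sits between the two scripts the post describes, along the lines of `./genshun.sh > /tmp/shun.cfg && check_shunlist /tmp/shun.cfg && ./push.pl /tmp/shun.cfg` (genshun.sh and push.pl are placeholder names for the generator above and your own ssh push script). The overlap test works on address ranges rather than bitwise masks so it runs under any POSIX awk, and MIN_ENTRIES should be set from what the feeds normally return, not left at the sample value.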
