Nothing too crazy, but maybe useful to someone else.
I’ve been getting more alerts regarding IPs coming from the Emerging Threats list, found here.
https://rules.emergingthreats.net/
There are some resources there for automating block rules for some platforms like Linux hosts, but nothing for an ASA. Choices for automating an ASA are pretty limited; I did one of these a bit ago using netmiko. I’m using the same thing here.
To go straight to the code, head on over to…
The idea is that there’s a rule at the top of the outside_access_in access list that blocks all IPs/subnets on the Emerging Threats list. The scripts below could be set up on a Linux host that can reach the ASA and run as a cron job. Just like Snort rules, the block list can be updated daily.
So it’s pretty much like this: prep the text with bash, then execute a Python script that uses netmiko to push it.
#!/bin/bash
# Fetch the current Emerging Threats block list and turn it into ASA
# object-group member lines, handed to the Python script via $iplist.
rm -f emerging-Block-IPs.txt
# Bail out if the download fails; pushing an empty list would remove the
# block rule from the ASA entirely.
wget https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt || exit 1

# Drop comment and blank lines, one entry per array element
mapfile -t rawArray < <(sed '/^#/ d; /^$/ d' emerging-Block-IPs.txt)
[ "${#rawArray[@]}" -gt 0 ] || { echo "empty block list, not pushing" >&2; exit 1; }

# CIDR prefix length -> dotted netmask, e.g. 24 -> 255.255.255.0
cdr2mask () {
   # Number of args to shift, 255..255, first non-255 byte, zeroes
   set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
   [ $1 -gt 1 ] && shift $1 || shift
   echo ${1-0}.${2-0}.${3-0}.${4-0}
}

iplist=""
for ip in "${rawArray[@]}"; do
    if [[ $ip == *"/"* ]]; then
        #take care of subnets: split "a.b.c.d/n" into address and mask
        cidr=${ip#*/}
        mask=$(cdr2mask "$cidr")
        ip=${ip%/*}
        iplist+="network-object $ip $mask,"
    else
        #take care of hosts
        iplist+="network-object host $ip,"
    fi
done
#remove last comma
iplist=${iplist::-1}
export iplist
python3 emergingthreats.py
I don’t think there’s much to call out on that script. Credit is due for the cdr2mask function; see https://forum.archive.openwrt.org/viewtopic.php?id=47986&p=1#p220781 for what I think is the original, along with a function to do the reverse should you need it. I think there are also some examples of how to do this in the O’Reilly Network Programmability and Automation book.
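As an added example (my code, not the post’s script), here is the same prep step done in Python with the standard library ipaddress module. The point it adds is validation: the feed is a file downloaded over the network and then fed straight into privileged device config, so every entry is parsed as an IPv4 host or aligned prefix and anything else is reported rather than pushed. Duplicates and entries already covered by a wider prefix are collapsed so the object-group stays small. The feed text is a constructed sample in the file’s shape, and the function names are my own.

```python
import ipaddress

# Constructed sample in the shape of emerging-Block-IPs.txt (comment lines,
# blank lines, hosts and CIDR blocks); not an excerpt of the real feed.
SAMPLE_FEED = """\
# Emerging Threats fwip rules.
#
# Constructed sample, not the live list.

192.0.2.44
203.0.113.0/24
198.51.100.7
198.51.100.7
203.0.112.0/20
192.0.2.0/20
not-an-ip
10.0.0.0/33
"""


def parse_block_list(text):
    """Parse feed text into (networks, rejected).

    networks: IPv4Network objects, sorted, with duplicates and entries
              already covered by a wider prefix collapsed away.
    rejected: raw entries that are not a valid IPv4 host or aligned
              prefix. They are reported rather than pushed, so a bad or
              tampered line can never become an arbitrary ASA config line.
    """
    networks = []
    rejected = []
    for raw in text.splitlines():
        entry = raw.split('#', 1)[0].strip()   # strip comments and whitespace
        if not entry:
            continue
        try:
            # strict=True rejects prefixes with host bits set instead of
            # silently widening them to the containing network
            networks.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return sorted(ipaddress.collapse_addresses(networks)), rejected


def prefix_to_mask(prefixlen):
    """Dotted netmask for a prefix length; the stdlib equivalent of cdr2mask."""
    return str(ipaddress.IPv4Network('0.0.0.0/%d' % prefixlen).netmask)


def to_network_objects(networks):
    """Render networks as ASA object-group member lines: 'host' form for
    /32s, network address plus dotted mask for everything else."""
    lines = []
    for net in networks:
        if net.prefixlen == 32:
            lines.append('network-object host %s' % net.network_address)
        else:
            lines.append('network-object %s %s' % (net.network_address, net.netmask))
    return lines


if __name__ == '__main__':
    nets, bad = parse_block_list(SAMPLE_FEED)
    for line in to_network_objects(nets):
        print(line)
    for entry in bad:
        print('rejected: %r' % entry)
```

On the sample, 203.0.113.0/24 disappears because 203.0.112.0/20 already covers it, the duplicate host is kept once, and the three bad lines (a prefix with host bits set, a non-address, a /33) come back in the rejected list for logging instead of reaching the ASA. Feed the real file in with open(...).read() in place of SAMPLE_FEED and join the member lines with commas if you want to keep the $iplist hand-off to the push script.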
#!/usr/bin/python3
from netmiko import ConnectHandler
from getpass import getpass
import os

# Member lines built by the bash script, comma separated
iplist = os.environ['iplist'].split(',')

#change ip and user as needed
ip = '10.17.17.29'
user = 'admin'
# hard-coded for a lab box; the commented getpass lines below are the safer option
password = '1111'
enablepass = '1111'

#
#Define ASA
#
asa = {
    'device_type': 'cisco_asa',
    'ip': ip,
    'username': user,
    #'password': getpass(prompt = "\nEnter User Password: "),
    #'secret': getpass(prompt = "Enter Enable Password: "),
    'password': password,
    'secret': enablepass,
    'fast_cli': True,
}

active = ConnectHandler(**asa)
print("Connected")

# The ACE has to go first; the ASA won't remove an object-group an ACL still references
clearcommands = [
    'no access-list outside_access_in extended deny ip object-group EmergingThreats any',
    'no object-group network EmergingThreats',
]
output = active.send_config_set(clearcommands)
print("old-list cleared")
print("Command sent")

# One config session per entry; slow, but it works
for entry in iplist:
    sendlist = ['object-group network EmergingThreats', entry]
    output = active.send_config_set(sendlist)

# Put the deny back at the top of the ACL
blockrule = ['access-list outside_access_in line 1 extended deny ip object-group EmergingThreats any']
output = active.send_config_set(blockrule)
active.disconnect()
The Python is pretty simple too. Some odd steps are needed, though, to deal with the ASA: first the old rule has to be removed, then the object-group, because the ASA refuses to delete an object-group that an access list still references. Only then can I start pushing the updated list. This whole process takes a good bit of time; again, that’s kind of the nature of the beast when trying to automate an ASA.
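As an added example, not the post’s code: the same change built as one ordered command batch, pushed in a single config session rather than one send_config_set per entry (each of which enters and leaves config mode, which is most of where the time goes), and then read back to confirm the group contents. The FakeAsa class, the function names and the member lines are constructed for the offline run; on a real box you hand in the netmiko ConnectHandler in its place and the show command is the standard ASA form.

```python
ACL = 'outside_access_in'
GROUP = 'EmergingThreats'

# Constructed member lines in the form the bash script builds.
MEMBERS = [
    'network-object host 192.0.2.44',
    'network-object 203.0.112.0 255.255.240.0',
]


def build_refresh_commands(members, acl=ACL, group=GROUP):
    """Config lines in the order the ASA requires. The ACE that references
    the group is removed first (the ASA refuses to delete a group an ACL
    still uses), the group is dropped and rebuilt with its members, and the
    ACE is put back at line 1 so the block list is checked before any
    permit rule lower in the ACL."""
    ace = 'access-list %s extended deny ip object-group %s any' % (acl, group)
    cmds = ['no ' + ace,
            'no object-group network ' + group,
            'object-group network ' + group]
    cmds.extend(members)
    cmds.append('access-list %s line 1 extended deny ip object-group %s any' % (acl, group))
    return cmds


def parse_object_group(show_output):
    """Member lines from 'show running-config object-group' output."""
    return {line.strip() for line in show_output.splitlines()
            if line.strip().startswith('network-object')}


def push_block_list(conn, members, acl=ACL, group=GROUP):
    """Push the whole batch in one config session, then read the group
    back. Returns the members missing from the running config; an empty
    set means the refresh landed as intended."""
    conn.send_config_set(build_refresh_commands(members, acl, group))
    shown = conn.send_command('show running-config object-group id ' + group)
    return set(members) - parse_object_group(shown)


class FakeAsa(object):
    """Stand-in for netmiko's ConnectHandler so the example runs offline.
    It remembers the config it was sent and answers the show command from
    that; it is not an ASA emulator and checks no syntax."""
    def __init__(self):
        self.sent = []
        self.group = []

    def send_config_set(self, cmds):
        self.sent.extend(cmds)
        in_group = False
        for c in cmds:
            if c == 'no object-group network ' + GROUP:
                self.group, in_group = [], False
            elif c == 'object-group network ' + GROUP:
                in_group = True
            elif in_group and c.startswith('network-object'):
                self.group.append(c)
            else:
                in_group = False
        return '\n'.join(cmds)

    def send_command(self, cmd):
        return '\n'.join(['object-group network ' + GROUP]
                         + [' ' + m for m in self.group])

    def disconnect(self):
        pass


if __name__ == '__main__':
    # Real use: from netmiko import ConnectHandler; conn = ConnectHandler(
    #   device_type='cisco_asa', ip=..., username=..., password=getpass(), secret=getpass())
    conn = FakeAsa()
    missing = push_block_list(conn, MEMBERS)
    print('members missing after push: %s' % (sorted(missing) or 'none'))
    conn.disconnect()
```

One thing the read-back does not remove: between the first and last command the ACL has no deny for the list, and if the session drops mid-batch the ASA is left without the rule until the next run. That window is short with a single batch, and it is why the fetch step should refuse to push an empty list rather than clear the group and stop.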
I think I’m going to play with this a bit more, but automating VyOS and Azure NSGs instead. I think the result will be much more efficient than this.