
Pushing Emerging Threats to ASA

Nothing too crazy, but maybe useful to someone else.

I’ve been getting more alerts regarding IPs that come from the Emerging Threats list, found here.

https://rules.emergingthreats.net/

There are some resources there for automating block rules on some platforms like Linux hosts, but nothing for an ASA. Choices for automating an ASA are pretty limited, and I did one of these a bit ago using netmiko. I’m using the same thing here.

To go straight to the code, head on over to…

https://github.com/mtz4718/EmergingThreats-Automation

The idea with this is that there’s a rule at the top of the outside_access_in access list that blocks all IPs / subnets on the Emerging Threats list. These files could be set up on a Linux host that can reach the ASA and run as a cron job. Just like Snort rules, the block list can get updated daily.

So it’s pretty much like this: prep the text with bash, then execute a python script that uses netmiko.

#!/bin/bash

# Fetch a fresh copy of the block list. Abort if the download fails so that an
# empty list never gets pushed to the ASA (the python script tears down the old
# rule before it rebuilds the object-group).
rm -f emerging-Block-IPs.txt
wget https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt || exit 1

# Read the feed into an array, dropping comment lines and blank lines
mapfile -t rawArray < <(sed '/^#/ d; /^$/ d' emerging-Block-IPs.txt)
[ ${#rawArray[@]} -gt 0 ] || { echo "block list is empty, not pushing"; exit 1; }

# Convert a CIDR prefix length into a dotted-quad mask, which is what the ASA wants
cdr2mask ()
{
   # Number of args to shift, 255..255, first non-255 byte, zeroes
   set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
   [ $1 -gt 1 ] && shift $1 || shift
   echo ${1-0}.${2-0}.${3-0}.${4-0}
}

for ip in "${rawArray[@]}"
do
    #take care of subnets
    if [[ $ip == *"/"* ]]
    then
        ip=$(echo $ip | sed 's/\// /')
        cidr=$(echo $ip | awk '{ print $2 }')
        mask=$(cdr2mask $cidr)
        ip=$(echo $ip | awk '{ print $1 }')
        cmd=$(echo "network-object "$ip $mask",")
        iplist+=$(echo $cmd)
    #take care of hosts
    else
        cmd=$(echo "network-object host "$ip",")
        iplist+=$(echo $cmd)
    fi
done

#remove last comma
iplist=${iplist::-1}

# Hand the comma-separated list to the python script through the environment
export iplist
python3 emergingthreats.py
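The same prep step, written in Python as an added example (this is not code from the post or the linked repo). It uses the standard-library ipaddress module instead of cdr2mask and awk, produces the same network-object lines the bash script builds, and additionally reports lines it could not parse rather than passing them through to the ASA. The SAMPLE_BLOCKLIST text is a constructed stand-in for emerging-Block-IPs.txt, and the function names are my own.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample in the shape of emerging-Block-IPs.txt: '#' comment lines,
# blank lines, bare IPv4 hosts and CIDR ranges. Two deliberately bad lines are
# included to show how they are handled: one with host bits set, one not an IP.
SAMPLE_BLOCKLIST = """\
# Emerging Threats fwip rules (constructed sample, not the real feed)
# Updated: placeholder

1.2.3.4
5.6.7.0/24
10.20.0.0/16
203.0.113.5/32
192.0.0.0/20
192.0.2.0/20
this-is-not-an-ip
"""


def cidr_to_netmask(prefixlen: int) -> str:
    """Dotted-quad netmask for a prefix length; same mapping as the cdr2mask shell function."""
    return str(ipaddress.IPv4Network((0, prefixlen)).netmask)


def to_network_object(entry: str) -> str:
    """ASA object-group line for one entry: 'host a.b.c.d' for /32, 'addr mask' otherwise.

    Raises ValueError for anything that is not a valid IPv4 network (including a
    prefix whose host bits are set, e.g. 192.0.2.0/20), so bad feed lines are never
    sent to the firewall. IPv6 is rejected because the bash script only handles v4.
    """
    net = ipaddress.ip_network(entry)  # strict: host bits set -> ValueError
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are handled: {entry!r}")
    if net.prefixlen == 32:
        return f"network-object host {net.network_address}"
    return f"network-object {net.network_address} {net.netmask}"


def parse_blocklist(text: str) -> Tuple[List[str], List[str]]:
    """Split the raw feed into (network_object_lines, rejected_lines)."""
    objects: List[str] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            objects.append(to_network_object(line))
        except ValueError:
            rejected.append(line)
    return objects, rejected


def render_iplist(objects: List[str]) -> str:
    """Comma-separated form, the same layout the bash script exports as $iplist."""
    return ",".join(objects)


if __name__ == "__main__":
    objs, bad = parse_blocklist(SAMPLE_BLOCKLIST)
    for o in objs:
        print(o)
    if bad:
        print("rejected lines:", bad)
```

Run it against the real file by reading it into parse_blocklist instead of SAMPLE_BLOCKLIST; the rejected list is worth logging, since a single malformed line in a feed of thousands is otherwise easy to miss.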

I don’t think there’s much to call out on that script. Credit is due for the cdr2mask function; see https://forum.archive.openwrt.org/viewtopic.php?id=47986&p=1#p220781 for what I think is the original, along with a function to do the reverse should you need it. I think there are also some examples of how to do this in the O’Reilly Network Programmability and Automation book.

#!/usr/bin/python3
from netmiko import ConnectHandler
from getpass import getpass
import os

# Comma-separated network-object lines exported by the bash script
iplist = os.getenv('iplist').split(',')

#change ip and user as needed
ip = '10.17.17.29'
user = 'admin'
password = '1111'
enablepass = '1111'

#
#Define ASA
#
asa = {
    'device_type': 'cisco_asa',
    'ip': ip,
    'username': user,
    #'password': getpass(prompt = "\nEnter User Password: "),
    #'secret': getpass(prompt = "Enter Enable Password: "),
    'password': password,
    'secret': enablepass,
    'fast_cli': True,
}

active = ConnectHandler(**asa)
print("Connected")

# The ACL entry has to go first; the ASA will not delete an object-group that is still referenced
clearcommands = ['no access-list outside_access_in extended deny ip object-group EmergingThreats any','no object-group network EmergingThreats']
output = active.send_config_set(clearcommands)
print("old-list cleared")
print("Command sent")

# Rebuild the object-group one entry at a time
for ip in iplist:
    sendlist = ['object-group network EmergingThreats', ip]
    output = active.send_config_set(sendlist)

# Put the deny rule back at the top of the ACL
blockrule = ['access-list outside_access_in line 1 extended deny ip object-group EmergingThreats any']
output = active.send_config_set(blockrule)
active.disconnect()
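The clear, rebuild, re-insert sequence from the script above, separated into a function that only builds the command batches, as an added example (not code from the post or the repo). Building the plan first makes two things possible that the script does not do: refusing to push when $iplist is empty (which would otherwise remove the deny rule and leave nothing in its place), and sending the network-object lines in a few large send_config_set calls instead of one per entry. The chunk_size default, the push() helper and the device dict contents are my assumptions; netmiko is only imported inside push() so the plan can be inspected without a firewall.

```python
import os
from typing import Dict, List

ACL_NAME = "outside_access_in"          # names taken from the script above
GROUP_NAME = "EmergingThreats"
DENY_RULE = f"access-list {ACL_NAME} line 1 extended deny ip object-group {GROUP_NAME} any"


def build_config_batches(network_objects: List[str], chunk_size: int = 500) -> List[List[str]]:
    """Return the ordered list of config batches to send to the ASA.

    Batch 0 removes the old ACL entry and then the object-group (that order matters:
    the ASA refuses to delete a group an ACL still references). The middle batches
    recreate the group, chunk_size entries per send_config_set call. The last batch
    re-inserts the deny rule at line 1. Raises ValueError rather than producing a
    plan that would leave the firewall without the deny rule.
    """
    objects = [o.strip() for o in network_objects if o.strip()]
    if not objects:
        raise ValueError("refusing to push an empty block list: the deny rule would be removed for nothing")
    for o in objects:
        if not o.startswith("network-object "):
            raise ValueError(f"unexpected object-group entry: {o!r}")

    batches: List[List[str]] = [[
        f"no access-list {ACL_NAME} extended deny ip object-group {GROUP_NAME} any",
        f"no object-group network {GROUP_NAME}",
    ]]
    for start in range(0, len(objects), chunk_size):
        # Each batch re-enters the object-group context so it is self-contained
        batches.append([f"object-group network {GROUP_NAME}"] + objects[start:start + chunk_size])
    batches.append([DENY_RULE])
    return batches


def push(batches: List[List[str]], device: Dict[str, str]) -> None:
    """Send the batches over a netmiko session (assumed installed). device is the
    same kind of dict as 'asa' in the script above."""
    from netmiko import ConnectHandler

    conn = ConnectHandler(**device)
    try:
        for batch in batches:
            conn.send_config_set(batch)
    finally:
        conn.disconnect()


if __name__ == "__main__":
    # Same hand-off as the script above: the bash side exports $iplist
    entries = os.environ.get("iplist", "").split(",")
    plan = build_config_batches(entries)
    for batch in plan:
        print(f"{len(batch):5d} lines, starting with: {batch[0]}")
    # push(plan, {"device_type": "cisco_asa", "ip": "...", "username": "...",
    #             "password": "...", "secret": "..."})  # placeholder values
```

Whether one big send_config_set is faster than many on a given ASA depends on the box and on netmiko's fast_cli setting, but the number of round trips drops from one per entry to a handful, which is where most of the time in the original loop goes.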

The python is pretty simple too. Some weird bits are needed though to deal with the ASA. First the old rule has to be removed, then the object-group. Only then can I start pushing the updated list. This whole process takes a good bit of time. Again, this is kind of the nature of the beast when trying to automate an ASA.


I think I’m going to play with this a bit more but with automating to VyOS and Azure NSG’s. I think the result will be much more efficient than this.