Active List of malicious IP addresses
I need to build an Active List which contains a list of malicious IP addresses, and it should be updated dynamically.
I know that I need to have a script for that, but I don't know exactly how this will work.
Can anyone share if they have done this before?
This can work like this: the script writes its output to a file or to syslog; the output is read by a connector and sent to ESM, and in ESM you have a (lightweight) rule that updates the Active List.
If you have a syslog connector, just make the script send its output in CEF to this connector.
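As an added illustration of the script-to-CEF-syslog path described in this reply (example code written for this page, not from the original post, not ArcSight code and not badharvest): the script parses a threat feed, drops duplicates, junk lines and addresses that would match internal traffic, formats each remaining IP as a CEF:0 event with correct header and extension escaping, and wraps it in an RFC 3164-style syslog line for a UDP syslog connector. The vendor/product labels, the event class ID `100`, the `SYSLOG_HOST` placeholder and the sample feed contents are all assumptions.

```python
"""Push a malicious-IP feed to a syslog connector as CEF (illustrative, not badharvest)."""
import ipaddress
import socket
import time

# Constructed sample feed: a comment, a duplicate, an internal address, junk and an IPv6 entry.
SAMPLE_FEED = """\
# threat feed snapshot (constructed sample)
198.51.100.23
203.0.113.7   # duplicate of the next line
203.0.113.7
10.0.0.1
not-an-ip
2001:db8::1
"""

# Addresses that would match your own hosts if they ever landed in the Active List.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def parse_feed(text):
    """Return unique, syntactically valid, non-internal IPs in feed order."""
    out = []
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()      # strip inline/full-line comments
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue                              # junk line, skip it
        if any(ip in net for net in INTERNAL_NETS):
            continue                              # would poison the list
        if str(ip) not in out:
            out.append(str(ip))
    return out


def _esc_header(v):
    # CEF header fields: backslash and pipe must be escaped.
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    # CEF extension values: backslash, equals sign and newline must be escaped.
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def build_cef(ip, feed_name, ts_ms=None, severity=5):
    """Build one CEF:0 event; vendor, product, version and class ID are assumed labels."""
    if ts_ms is None:
        ts_ms = int(time.time() * 1000)
    header = "|".join(_esc_header(f) for f in (
        "ThreatFeed", "badip-export", "1.0", "100", "Malicious IP in feed", str(severity)))
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        ext = {"src": str(addr)}                  # src maps to sourceAddress in ESM
    else:
        ext = {"c6a1": str(addr), "c6a1Label": "Source IPv6"}
    ext.update({"rt": str(ts_ms), "cs1": feed_name, "cs1Label": "FeedName"})
    ext_str = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{ext_str}"


def syslog_line(cef, hostname="feedhost", pri=134):
    """RFC 3164-style framing: <PRI>TIMESTAMP HOST payload (134 = local0.info)."""
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {cef}"


def send_syslog(lines, host, port=514):
    """Fire-and-forget UDP delivery to the connector (assumed listener address/port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    events = [syslog_line(build_cef(ip, "sample-feed")) for ip in parse_feed(SAMPLE_FEED)]
    for e in events:
        print(e)
    # send_syslog(events, "SYSLOG_HOST")  # uncomment with your connector's address
```

Putting the IPv4 address in `src` means the lightweight rule can simply add the event's Source Address to the Active List; the feed name travels in `cs1`/`cs1Label` so the list can record where each entry came from and the TTL can expire it when the feed stops reporting it.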
Once you have some base events fed into ESM, you need to follow the steps below:
1. Create an Active List first (make sure you set up a TTL for the AL).
2. Then create a lightweight Rule to monitor these events (no correlation events are generated by the Manager when this type of rule fires).
3. The Active List is populated by the Rule action once the Rule fires.
I hope it helps,
Nellie is correct, but I would like to add one thing about lightweight rules: they do not have a throttle in the event one runs away. So when writing your rule to populate the list, be careful. I am the voice of experience, I have seen it happen: you can make your ESM's performance go way down, your new AL fill to 100%, and all your friends not want to talk to you until the new rule is fixed.
We have filed a feature request to make the LW rule behave like the standard rule, which can auto-throttle (disable itself) in the event the rule runs away.
Do not forget: if someone answers your question, mark their reply as "answered", as this helps others spot solutions.
You can use the script called badharvest, which connects to public malicious-source databases, grabs info from them and then pushes it via CEF syslog.
You can find the source code here: https://protect724.hp.com/message/63284#63284