Commodore

Active List of malicious IP addresses

Hello,

I need to build an Active List which contains a list of malicious IP addresses, and it should be updated dynamically.

I know that I need to have a script for that. I don't know how this will work exactly.

Can anyone share if done before?

Thanks

4 Replies

Commodore

Hi Ravi,

This can work like that: the script writes its output to a file or syslog; the output is read by a connector and sent to ESM, and in ESM you've got a (lightweight) rule that updates the Active List.

If you have a syslog connector, just make the script send its output in CEF to this connector.

Regards.

Cadet 2nd Class
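A concrete version of the script-to-CEF-syslog step described above, added here as an example and not code from the thread: it parses a constructed feed (embedded inline), drops malformed entries and addresses from internal ranges, de-duplicates, and emits one CEF event per IP as a UDP syslog message to a connector at a placeholder host and port. The vendor/product fields, the signature ID 100, and the `src`/`cs1` extension keys are assumptions; align them with whatever the lightweight rule's conditions match on.

```python
import ipaddress
import socket
import time
from datetime import datetime, timezone
# Constructed sample feed standing in for a real source: comments, a malformed
# entry, an internal address that must not be forwarded, and a duplicate.
SAMPLE_FEED = """# constructed feed, not a real source
198.51.100.23
203.0.113.77
not-an-ip
10.0.0.5
198.51.100.23
"""
# Ranges your own hosts live in; a feed entry here would only create false positives.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
def parse_feed(text):
    """Return the unique, valid, non-internal IP addresses found in a feed."""
    seen, result = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line: continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # malformed entry: never push garbage into the Active List
        if any(ip in net for net in SKIP_NETS) or str(ip) in seen:
            continue  # internal range or already emitted
        seen.add(str(ip))
        result.append(str(ip))
    return result
def cef_escape(value):
    """Escape the characters CEF reserves inside extension values."""
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", " ")
def to_cef(ip, source="constructed-feed", rt_ms=None):
    """Build one CEF:0 line: pipe-separated header, key=value extensions (fields are assumptions)."""
    rt = int(time.time() * 1000) if rt_ms is None else rt_ms
    ext = f"src={cef_escape(ip)} cs1Label=feed cs1={cef_escape(source)} rt={rt}"
    return f"CEF:0|Example|badip-feeder|1.0|100|Malicious IP observed|5|{ext}"
def send_syslog(messages, host="127.0.0.1", port=514):
    """Send each CEF line as a local0/info (<134>) UDP syslog message; host/port are placeholders."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(f"<134>{ts} badip-feeder {msg}".encode(), (host, port))
    return len(messages)
if __name__ == "__main__":
    send_syslog([to_cef(ip) for ip in parse_feed(SAMPLE_FEED)])
```

Run it from cron at the interval you want the list refreshed; the Active List's TTL (mentioned in the replies) then ages out entries the feed stops reporting.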

Once you have some base events fed to ESM, you need to follow the below steps:

1. Create an Active List first (make sure you setup TTL for the AL).

2. Then you need to create a lightweight Rule to monitor these events (no correlation events are generated by Manager when this type of the rule fires).

3. The Active List will populate data as the Rule action once the Rule fires.

I hope it helps,

-Nellie

Cadet 2nd Class

Ravi -

Nellie is correct, but I would like to add one thing about lightweight rules... they do not have a throttle in the event it runs away. So when writing your rule to populate the list, be careful. I am the voice of experience; I have seen it happen: you can make your ESM's performance go way down, your new AL fill to 100%, and all your friends not want to talk to you until the new rule is fixed.

We have asked for a feature request to make the LW rule like the standard rule that can auto throttle off (disable) in the event the rule runs away.

Do not forget, if someone answers your question, mark their reply as "answered" as this helps others spot solutions.

scotty

Absent Member.

Hello Ravi,

You can use the script called badharvest, which connects to public malicious source databases, grabs info from them, and then pushes it via CEF syslog.

You can find the source code here: https://protect724.hp.com/message/63284#63284
