Seeing that you want SSLBL, URLhaus, and Feodo, I will make all the instructions for them.
More details on this can be found here
The problem with URLhaus is that we require IPs for the sets, and there is no IP list for it.
So what is URLhaus used for? Malware. In that case I would suggest a different route, namely DNS blocking. But that is a different topic, which has been or is being discussed somewhere here; search for “block known malware/ransomware” or something along those lines.
Step 1:
You will need to create network sets that will be used to populate with IPs (single and CIDR) to be blocked, dropped, rejected, or what have you.
ipset create feodo hash:ip
ipset create sslbl hash:ip
ipset save > /etc/ipset/ipset.conf
The above creates the needed sets and saves them, so the FW remembers them on a reboot.
Step 2:
You need to add two scripts to /etc/sysconfig/scripts that populate the sets.
mkdir /etc/sysconfig/scripts
vi /etc/sysconfig/scripts/feodo.sh
copy and paste the following…
#!/bin/bash
# Pull the current Feodo Tracker C2 list and load it into the "feodo" ipset.
LOG=/tmp/feodo.sh.log
LIST=/tmp/block-feodo
NETGROUP="feodo"

echo "$0 executing at $(date)" > "$LOG"
>"$LIST"
# Alternative source (FireHOL mirror of the same feed), kept for reference:
#curl -s https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/feodo.ipset | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sort | uniq >> "$LIST"
# The Suricata rules carry the C2 address in [brackets]; keep only that part.
# The final grep drops anything that is not an IPv4 address or CIDR, so a
# header line or a format change in the feed cannot abort the run half way.
curl -s https://feodotracker.abuse.ch/downloads/feodotracker.rules | sed -e 's/].*//g' | sed 's|.*\[\(.*\)|\1|' | sed -e 's/#.*//g' | sed '/at.*/d' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort | uniq >> "$LIST"

sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
    echo "firewall network group $NETGROUP doesn't exist yet"
    exit 1
fi
# Build a fresh set under a temporary name, then swap it in atomically so
# the firewall never matches against a half-filled set.
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:ip
if [ "$?" != 0 ]; then
    echo "There was an error trying to create temporary set"
    exit 1
fi
count=0
for i in $(cat "$LIST"); do
    sudo ipset -q -A "$NEWGROUP" "$i"
    if [ "$?" != 0 ]; then
        echo "There was an error trying to add $i"
        sudo ipset -q destroy "$NEWGROUP"   # don't leave the temp set behind
        exit 1
    fi
    let "count++"
done
# A failed download must not silently replace the live set with an empty one.
if [ "$count" = 0 ]; then
    echo "No entries fetched, keeping the current $NETGROUP set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
    echo "There was an error trying to swap temporary set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset destroy "$NEWGROUP"   # now holds the previous entries
rm -f "$LIST"
echo "Added $count entries to $NETGROUP"
echo >> "$LOG"
echo "$0 ending execution at $(date)" >> "$LOG"
exit 0
to save and quit press ESC
and type :wq
vi /etc/sysconfig/scripts/sslbl.sh
copy and paste the following…
#!/bin/bash
# Pull the current SSLBL IP list and load it into the "sslbl" ipset.
LOG=/tmp/sslbl.sh.log
LIST=/tmp/block-sslbl
NETGROUP="sslbl"

echo "$0 executing at $(date)" > "$LOG"
>"$LIST"
# Alternative source (FireHOL mirror of the same feed), kept for reference:
#curl -s https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslbl.ipset | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sort | uniq >> "$LIST"
# Keep lines starting with a digit, drop IPv6 (contains ':'), comments and
# trailing fields; the final grep keeps only IPv4 addresses or CIDRs so a
# header line or a format change in the feed cannot abort the run half way.
curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sed -e 's/#.*//g' | sed '/at.*/d' | sed -e 's/ .*//' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort | uniq >> "$LIST"

sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
    echo "firewall network group $NETGROUP doesn't exist yet"
    exit 1
fi
# Build a fresh set under a temporary name, then swap it in atomically so
# the firewall never matches against a half-filled set.
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:ip
if [ "$?" != 0 ]; then
    echo "There was an error trying to create temporary set"
    exit 1
fi
count=0
for i in $(cat "$LIST"); do
    sudo ipset -q -A "$NEWGROUP" "$i"
    if [ "$?" != 0 ]; then
        echo "There was an error trying to add $i"
        sudo ipset -q destroy "$NEWGROUP"   # don't leave the temp set behind
        exit 1
    fi
    let "count++"
done
# A failed download must not silently replace the live set with an empty one.
if [ "$count" = 0 ]; then
    echo "No entries fetched, keeping the current $NETGROUP set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
    echo "There was an error trying to swap temporary set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset destroy "$NEWGROUP"   # now holds the previous entries
rm -f "$LIST"
echo "Added $count entries to $NETGROUP"
echo >> "$LOG"
echo "$0 ending execution at $(date)" >> "$LOG"
exit 0
to save and quit press ESC
and type :wq
Step 3:
Edit the crontab to run the scripts daily, or at whatever interval you like.
I would not run them more often than every 12 hours, as the lists may not have changed.
No need to add load to the list suppliers, who are doing this for free. Don’t abuse things.
fcrontab -e
Below the last line add the following, with a blank line after. (The reload entry is optional: the firewall rules reference the sets by name, so the swap done by the scripts takes effect immediately.)
# Update FW scripts, run nightly, and reload firewall.local
05 0 * * * /etc/sysconfig/scripts/feodo.sh
05 0 * * * /etc/sysconfig/scripts/sslbl.sh
# Reload firewall.local
25 0 * * * /etc/sysconfig/firewall.local reload
to save and quit press ESC
and type :wq
To check if it was saved correctly
fcrontab -l
Step 4:
Next the .sh files need to be executable.
chmod +x /etc/sysconfig/scripts/*.sh
Step 5:
Now we need to add the firewall rules that say what to do when a packet matches one of the sets.
vi /etc/sysconfig/firewall.local
Scroll down to the line that says
## add your 'start' rules here
Either there is already something below it, or there is nothing; that is where you add the following lines.
# Forwarded traffic: drop clients talking to a listed IP (leaving via red0)
# and anything arriving from a listed IP (entering via red0).
/sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set feodo dst -j DROP
/sbin/iptables -I CUSTOMFORWARD -i red0 -m set --match-set feodo src -j DROP
# Traffic to and from the firewall itself. OUTPUT has no input interface, so
# it must use -o here; iptables rejects "-i" in the OUTPUT chain.
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set feodo src -j DROP
/sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set feodo dst -j DROP
/sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set sslbl dst -j DROP
/sbin/iptables -I CUSTOMFORWARD -i red0 -m set --match-set sslbl src -j DROP
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set sslbl src -j DROP
/sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set sslbl dst -j DROP
And further below…
## add your 'stop' rules here
# IPSET flushing related chains
# Note: -F empties the whole chain, including any other custom rules you
# keep there; they are recreated from the 'start' section on the next reload.
/sbin/iptables -F CUSTOMFORWARD
/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -F CUSTOMOUTPUT
again, to save and quit press ESC
and type :wq
Step 6:
Now you can run the scripts; this will take a bit…
/etc/sysconfig/scripts/feodo.sh
/etc/sysconfig/scripts/sslbl.sh
If all was done right, each script writes a log file in /tmp
showing when it last ran. Those files are overwritten each time the scripts run.
Step 7:
To check that the sets were populated, run
ipset -t list
(-t prints only the header of each set, including its number of entries), and then
/etc/sysconfig/firewall.local reload
to reload the rule set.
Done.
You should now have the ipsets, in conjunction with the FW, doing the heavy lifting.
I hope that was easy enough to follow.
PS.
Obviously the above scripts and iptables rules can be modified to block countries and other things as well, provided they are IP based.
For example, say you want to block .CN. Now you will not be dealing with single IPs only but with CIDR lists containing subnets as well, so the set type is no longer hash:ip but hash:net.
ipset create blacklist_china hash:net
vi /etc/sysconfig/scripts/blacklist_china.sh
#!/bin/bash
# Pull the CN country CIDR list and load it into the "blacklist_china" ipset.
LOG=/tmp/blacklist_china.sh.log
LIST=/tmp/block-cn
NETGROUP="blacklist_china"

echo "$0 executing at $(date)" > "$LOG"
>"$LIST"
# Note: this source is plain http, so the list arrives unauthenticated and an
# on-path attacker could substitute prefixes; prefer an https source if one exists.
# The final grep keeps only IPv4 addresses or CIDRs so a header line or a
# format change in the feed cannot abort the run half way.
curl -s http://cdn.iwik.org/ipcountry/CN.cidr | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort | uniq >> "$LIST"

sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
    echo "firewall network group $NETGROUP doesn't exist yet"
    exit 1
fi
# Build a fresh set under a temporary name, then swap it in atomically so
# the firewall never matches against a half-filled set.
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:net
if [ "$?" != 0 ]; then
    echo "There was an error trying to create temporary set"
    exit 1
fi
count=0
for i in $(cat "$LIST"); do
    sudo ipset -q -A "$NEWGROUP" "$i"
    if [ "$?" != 0 ]; then
        echo "There was an error trying to add $i"
        sudo ipset -q destroy "$NEWGROUP"   # don't leave the temp set behind
        exit 1
    fi
    let "count++"
done
# A failed download must not silently replace the live set with an empty one.
if [ "$count" = 0 ]; then
    echo "No entries fetched, keeping the current $NETGROUP set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
    echo "There was an error trying to swap temporary set"
    sudo ipset -q destroy "$NEWGROUP"
    exit 1
fi
sudo ipset destroy "$NEWGROUP"   # now holds the previous entries
rm -f "$LIST"
echo "Added $count entries to $NETGROUP"
echo >> "$LOG"
echo "$0 ending execution at $(date)" >> "$LOG"
exit 0
fcrontab entry:
# Update Country blacklists
15 0 * * * /etc/sysconfig/scripts/blacklist_china.sh
vi /etc/sysconfig/firewall.local
# Bad Country CIDR ipset lists
#
# Same direction logic as above: -o red0 for traffic towards a listed prefix,
# -i red0 for traffic from one; OUTPUT must use -o, not -i.
/sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set blacklist_china dst -j DROP
/sbin/iptables -I CUSTOMFORWARD -i red0 -m set --match-set blacklist_china src -j DROP
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set blacklist_china src -j DROP
/sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set blacklist_china dst -j DROP
The same flush rules apply, so nothing needs to be added under 'stop'.
/etc/sysconfig/firewall.local reload
Done. Traffic to and from the listed Chinese prefixes is now dropped.
Obviously these rules are only as good as the source material, so keeping these lists up to date is crucial.
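As an added example that is not part of the original post, here is one updater that replaces the three per-feed scripts above (Steps 2 and 6 and the country list in the PS). It uses the same feed URLs, set names and set types as the post, and assumes the feed shapes the post's pipelines assume: Suricata rules with the address in brackets, plain one-address-per-line text with optional `#` comments, or one CIDR per line. The sample feeds embedded at the bottom are constructed with documentation addresses so the parsing can be exercised offline; the real feeds are larger but have the same shapes.

```bash
#!/bin/bash
# Added example, not from the original post: a single updater for all the
# feeds above. Compared with the per-feed scripts it validates every entry
# before it reaches ipset, loads each set with one 'ipset restore' instead of
# one process per address, refuses to swap in an empty set (a failed download
# must not silently remove all blocking), and never leaves a temporary set
# behind. Feed URLs, set names and types are the ones used in this thread.

FEEDS='
feodo           hash:ip   https://feodotracker.abuse.ch/downloads/feodotracker.rules
sslbl           hash:ip   https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
blacklist_china hash:net  http://cdn.iwik.org/ipcountry/CN.cidr
'

# Read a feed on stdin, print one validated IPv4 address or CIDR per line.
# Accepts the three shapes seen above: Suricata rules with the address in
# [brackets], plain "address [# comment]" lines, and CIDR lines. Anything
# else (headers, timestamps, octets > 255, prefixes > 32) is dropped.
extract_ips() {
    sed -e 's/#.*//' -e 's/].*//' -e 's/.*\[//' -e 's/[;,].*//' \
    | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($0, p, "/"); split(p[1], o, ".")
            if (o[1]+0 > 255 || o[2]+0 > 255 || o[3]+0 > 255 || o[4]+0 > 255) next
            if (n == 2 && p[2]+0 > 32) next
            print
        }' \
    | sort -u
}

# Rebuild ipset NAME of TYPE from FILE (one entry per line) and swap it in
# atomically, so the firewall never matches against a half-filled set.
refresh_set() {
    local name=$1 type=$2 file=$3
    local tmp="$name-$$" want
    want=$(wc -l < "$file" | tr -d ' ')
    if [ "$want" -eq 0 ]; then
        echo "$name: feed yielded no entries, keeping the current set" >&2
        return 1
    fi
    if ! ipset -q list "$name" >/dev/null 2>&1; then
        echo "$name: set does not exist, create it first (Step 1)" >&2
        return 1
    fi
    if ! { echo "create $tmp $type"; sed "s/^/add $tmp /" "$file"; } | ipset restore; then
        ipset -q destroy "$tmp" 2>/dev/null
        echo "$name: building temporary set failed" >&2
        return 1
    fi
    if ! ipset swap "$tmp" "$name"; then
        ipset -q destroy "$tmp"
        echo "$name: swap failed" >&2
        return 1
    fi
    ipset destroy "$tmp"          # now holds the previous contents
    echo "$name: loaded $want entries"
}

# Download every feed and refresh its set. Each feed goes to a file first so
# a curl failure (-f makes HTTP errors fail) is caught without pipefail.
update_all() {
    local name type url raw clean
    raw=$(mktemp) && clean=$(mktemp) || return 1
    echo "$FEEDS" | while read -r name type url; do
        [ -n "$name" ] || continue
        if ! curl -fsS --max-time 120 -o "$raw" "$url"; then
            echo "$name: download failed, set left unchanged" >&2
            continue
        fi
        extract_ips < "$raw" > "$clean"
        refresh_set "$name" "$type" "$clean"
    done
    rm -f "$raw" "$clean"
}

# Constructed sample feeds (documentation addresses) used to exercise
# extract_ips offline; the real feeds are larger but have the same shapes.
SAMPLE_FEODO_RULES=$(cat <<'EOF'
# Feodo Tracker Suricata rules, constructed sample
alert ip $HOME_NET any -> [203.0.113.7] any (msg:"Feodo C2"; sid:900000001; rev:1;)
alert ip $HOME_NET any -> [198.51.100.9] any (msg:"Feodo C2"; sid:900000002; rev:1;)
alert ip $HOME_NET any -> [203.0.113.7] any (msg:"duplicate"; sid:900000003; rev:1;)
EOF
)
SAMPLE_SSLBL=$(cat <<'EOF'
# SSLBL IP list, constructed sample
192.0.2.10 # botnet C2
192.0.2.300
not.an.ip
203.0.113.7
EOF
)
SAMPLE_CIDR=$(cat <<'EOF'
203.0.113.0/24
198.51.100.0/33
10.0.0.0/8
EOF
)

case "${1:-}" in
    update) update_all ;;
    *)      printf '%s\n' "$SAMPLE_SSLBL" | extract_ips ;;   # offline self-check
esac
```

Run it as `/etc/sysconfig/scripts/update-blocklists.sh update` from fcron (one entry instead of three); without an argument it only runs the parser over the constructed SSLBL sample so you can see what gets through. Creating the sets (Step 1) and the firewall.local rules (Step 5) stay as described; the swap makes new entries live without a reload.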
Have fun