Archive

Posts Tagged ‘awesome’

Netting the Botnets with Cisco ASA Without a License

May 14th, 2011 4 comments

So I was tinkering with my ASA the other day. I was interested in this neat Botnet Traffic Filter thingy they’d been clamoring about. Cisco frequently pitches how their products are made with magic and rainbows and cruelty-free unicorn meat, and I tend to be a bit skeptical. But a lot of people have been talking about it recently in my circles, and I really can’t help but tinker with things anyways.

After some reading, Cisco words it like the Botnet Filter is pretty much useless without a proper license. However it is enabled and ready to use in all ASAs 8.2(x) and above… the license only activates the subscription service, the base functionality works just fine. Below is a script I wrote to manually apply and update blacklists using the Botnet Filter on an ASA without bothering with a subscription license. It’s a bash script which does most of the work and depends additionally on the expect scripting interpreter for operating on the ASA itself. The script looks for an external tftp server but can be easily written to use a local /tftpboot directory instead. Older versions of the script failed seldom but in amusingly spectacular ways, so the current version is somewhat lengthy due to the sanity checks I built into it.

A big problem with blacklists tends to be keeping them current. A stale blacklist is worse than useless as the IPs may belong to legitimate sites after some time. I’ve used the lists over at Emerging Threats for a while now, and they’re very frequently updated. The script can be easily modified for use with any published or local list.. 5 minutes of work adapted this script from using the C&C list to the larger “-ALL” list. Just do some find/replace magic and modify the regex syntax that changes ACL entries into dynamic-filter formatted “address x.x.x.x m.a.s.k” lines.

I apologize in advance for the terrible line wrapping in the code, I need to find a new theme. Note that the box running this is OpenBSD, you’ll probably have to change your bash path. UUOC police: It’s my cat and I’ll do what I want with it.

Ez-wget links to the below script and the larger “-ALL” variant as a modification example.

asa-botlist.txt

asa-botlist_all.txt

#!/usr/local/bin/bash
#
# asa-botlist.sh - written by Iggdawg
#
# This script uses a feature in the Cisco ASA Botnet Filter feature. Although
# a licensed feature that requires a paid subscription, this feature also
# allows administrators to use the "dynamic-filter blacklist" directive for
# manual blacklisting.  Emerging Threats (http://www.emergingthreats.net)
# publishes well maintained blacklists from many sources. This script applies
# that list as a manual blacklist on the ASA, and keeps it up to date with diffs
# rather than removing and re-applying the list every time to change as little
# as possible with each transaction.
#
#

# Variables, modify to your liking
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin
export PATH

# NOTE: I use scp with certificates to ransport stuff to the tftp server.
# Expect the script to fail if you're not set up to do this.
TFTPSERV="tftp server IP address"
FWIP="firewall IP address"
USERNAME="tftp server user"
FWUSERNAME="firewall user"
PASSWORD="firewall password"
ENPASSWORD="firewall enable password"
FWHOSTNAME="firewall hostname"
BASEPATH="/tmp"

#Blacklist Revisions
touch $BASEPATH/emerging-PIX-CC.rev
Rev0="$(cat $BASEPATH/emerging-PIX-CC.rev)"
Rev1="$(lynx --source http://rules.emergingthreats.net/fwrules/FWrev)"

# script depends on expect, check for it

EXP="$(which expect)"

if [ $? -ne 0 ] ; then
  echo "Expect binary not found, exiting"
  exit 1
elif [ -e "$EXP" ] ; then
  echo "Expect binary found, running"
fi

# check list revision

if [ -s $BASEPATH/emerging-PIX-CC.rev ] ; then
  if [ $Rev0 -ge $Rev1 ] ; then
    echo "Current revision $Rev1 matches last revision processed $Rev0, Exiting"
    exit 0
  else
    echo "Current revision $Rev1 is newer than last revision processed $Rev0, Working"
  fi
else
  echo "No existing blacklist revision number. Possible file errors. Starting from scratch with $Rev1"
  echo "Snagging most current list:"
  wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules -O $BASEPATH/emerging-PIX-CC.rules

  # update revision now so script won't re-run in case of some random failure:
  awk '/Rev/ {print $3}' $BASEPATH/emerging-PIX-CC.rules > $BASEPATH/emerging-PIX-CC.rev

  # start processing
  # rewrite ET-drop to ET-cc so the list is consistant, then parse
  sed 's/ET-drop/ET-cc/g' $BASEPATH/emerging-PIX-CC.rules | egrep "^access-list ET-cc deny" $BASEPATH/emerging-PIX-CC.rules | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any/255.255.255.255/g' | awk '{print $1,$2,$3}' > $BASEPATH/emerging-PIX-CC.rules.pix

  # can't verify current version, remove all old entries and apply current list.
  # this will be a temporary list, preserving "raw" list so diffs don't break next time
  echo "no dynamic-filter blacklist" > $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  echo "dynamic-filter blacklist" >> $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  cat $BASEPATH/emerging-PIX-CC.rules.pix >> $BASEPATH/emerging-PIX-CC.rules.pix.tmp

  chmod 666 $BASEPATH/emerging-PIX-CC.rules.pix.tmp
  chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.pix.tmp

  echo "Sending files to TFTP server"

  echo "emerging-PIX-CC.rules.pix..."
  scp $BASEPATH/emerging-PIX-CC.rules.pix.tmp $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.pix.tmp

  # log into the firewall and tell it to snag the diffs
  #
  # uncomment to call expect script from its own file
  #$EXP /some/script

  $EXP - << EndMark   spawn ssh -l $FWUSERNAME $FWIP   expect "*assword:"     exp_send -- "$PASSWORD\r"   expect "$FWHOSTNAME>"
    exp_send -- "enable\r"
  expect "Password:"
    exp_send -- "$ENPASSWORD\r"
  expect "$FWHOSTNAME#"
    exp_send -- "
  copy /noconfirm tftp://$TFTPSERV/emerging-PIX-CC.rules.pix.tmp running-config
    \r"
  expect "$FWHOSTNAME#"
    exp_send -- "exit\r"
  interact
EndMark

exit 0
fi

echo ""
echo ""
echo ""
# If old revision exists but the list is missing, script will diff against an
# empty file and just use whole current list. ASA silently dismisses
# duplication of existing address entries, so this is not harmful.
if [ -e $BASEPATH/emerging-PIX-CC.rules.pix ] ; then
  mv $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old
else
  echo "Revision file exists, but last blacklist file missing. Will apply whole list."
  touch $BASEPATH/emerging-PIX-CC.rules.pix.old
fi

# clean up
echo "" > $BASEPATH/emerging-PIX-CC.rules.egress.pix

# grab current
echo "Snagging most current list:"
wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules -O $BASEPATH/emerging-PIX-CC.rules

# update revision now so script won't re-run in case of some random failure:
echo "Updating revision"
awk '/Rev/ {print $3}' $BASEPATH/emerging-PIX-CC.rules > $BASEPATH/emerging-PIX-CC.rev

# start processing
# rewrite ET-drop to ET-cc so the list is consistant, then parse
sed 's/ET-drop/ET-cc/g' $BASEPATH/emerging-PIX-CC.rules | egrep "^access-list ET-cc deny" $BASEPATH/emerging-PIX-CC.rules | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any/255.255.255.255/g' | awk '{print $1,$2,$3}' >> $BASEPATH/emerging-PIX-CC.rules.pix

echo "Processing blacklist diffs"
diff $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old | grep ^\< | sed 's/\< //g' > $BASEPATH/emerging-PIX-CC.rules.ingress
diff $BASEPATH/emerging-PIX-CC.rules.pix $BASEPATH/emerging-PIX-CC.rules.pix.old | grep ^\> | sed 's/\> //g' > $BASEPATH/emerging-PIX-CC.rules.egress

# check for errors in processing
echo "" > $BASEPATH/ingress.exceptions
echo "" > $BASEPATH/egress.exceptions

echo "Blacklist diff errors:"
echo ""

awk '{print $2}' $BASEPATH/emerging-PIX-CC.rules.egress | while read LINE ; do
  grep $LINE $BASEPATH/emerging-PIX-CC.rules.ingress > $BASEPATH/ingress.exceptions
done
echo "$BASEPATH/emerging-PIX-CC.rules.ingress:"
cat $BASEPATH/ingress.exceptions

awk '{print $2}' $BASEPATH/emerging-PIX-CC.rules.ingress | while read LINE; do
  grep $LINE $BASEPATH/emerging-PIX-CC.rules.egress > $BASEPATH/egress.exceptions
done

echo "$BASEPATH/emerging-PIX-CC.rules.egress:"
cat $BASEPATH/egress.exceptions

# bring it all together and dump it on a tftp server
echo "Combining diffs"

echo "dynamic-filter blacklist" > $BASEPATH/emerging-PIX-CC.rules.diff.pix

sed 's/^/no\ /g' < $BASEPATH/emerging-PIX-CC.rules.egress >> $BASEPATH/emerging-PIX-CC.rules.egress.pix
cat $BASEPATH/emerging-PIX-CC.rules.egress.pix $BASEPATH/emerging-PIX-CC.rules.ingress >> $BASEPATH/emerging-PIX-CC.rules.diff.pix

# some tftp servers are weird about permisssions
chmod 666 $BASEPATH/emerging-PIX-CC.rules.diff.pix
chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.diff.pix

chmod 666 $BASEPATH/emerging-PIX-CC.rules.pix
chown nobody:nogroup $BASEPATH/emerging-PIX-CC.rules.pix

echo "Sending files to TFTP server"

echo "emerging-PIX-CC.rules.pix..."
scp $BASEPATH/emerging-PIX-CC.rules.pix $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.pix

echo "emerging-PIX-CC.rules.diff.pix..."
scp $BASEPATH/emerging-PIX-CC.rules.diff.pix $USERNAME@$TFTPSERV:/tftpboot/emerging-PIX-CC.rules.diff.pix

# log into the firewall and tell it to snag the diffs
#
# uncomment to call expect script from its own file
#$EXP /some/script

$EXP - << EndMark spawn ssh -l $FWUSERNAME $FWIP expect "*assword:"   exp_send -- "$PASSWORD\r" expect "$FWHOSTNAME>"
  exp_send -- "enable\r"
expect "Password:"
  exp_send -- "$ENPASSWORD\r"
expect "$FWHOSTNAME#"
  exp_send -- "
copy /noconfirm tftp://$TFTPSERV/emerging-PIX-CC.rules.diff.pix running-config
  \r"
expect "$FWHOSTNAME#"
  exp_send -- "exit\r"
interact
EndMark

exit 0
Categories: Uncategorized Tags: , , ,

Puppy Fever

September 6th, 2010 No comments

So we got a puppy. A year ago or so when we moved into dorchester we had originally been looking for a dog friendly place since wed both been wanting one. We settled on the place we took because it was too nice to pass up. But they didn’t allow dogs. Sad face :(. We had it set as a primary action item for our next place at it would be dog friendly. A few weeks ago we moved into Jefferson Hills in Framingham (many thanks to jess and especially Jay for helping out). Not only is it 4 miles from my work, but there’re dog friendly up to 45 lbs. Jay getting an awesome little black lab puppy sure didn’t help let us get settled before the puppy fever set in. Last week we picked up an awesome Cocker Spaniel / Collie mix at Save a Dog shelter in Sudbury MA. We named him Dexter, after Dexter Morgan. you know… Because he’s adorable and sometimes causes a ruckus. He’s estimated to. Be no bigger than 40 lbs, and the shelter we got him at was great. He’s very well behaved and potty trained like a little champ. But I’ll stop typing now and show off the money shots.

Behold, Dexter. How in the world did this little guy end up at a shelter??

Categories: Uncategorized Tags: , ,

No Force Required

June 30th, 2010 No comments

So this company Wicked Lasers recently came out with a new toy. When I look at it, I think to myself “I should never own anything like this” and “I have to have one” at the same time. Previously, high powered laser “pointers” would go for pretty ridiculous amounts. Usually the high hundreds to over a thousand dollars. The reason this device is surprising is not only that it is ridiculously powerful (1 watt is massive for a diode laser), but it’s only $200 because they were able to get the diodes for very on their end. The other laser they show in the beginning of the video is $2000, for example (and ~400 mW). Ok enough blabbing. I’m really only posting this because I wanted to show the video. Love the transition from the little laser’s “oh look you can kind of see the beam even without smoke!” to the big one’s “… Holy shit”

Original source: Gizmodo

Returning to the intertubes

June 13th, 2010 No comments

So I’ve been away from blog-land for a while.  I recently migrated my main server for iggdawg.com from FreeBSD to Ubuntu, mostly due to lack of CUDA support on FreeBSD.  The details aren’t important, and you probably aren’t here to listen to techno-babble.  Unfortunately during the move, a Bad Thing happened and I managed to lose my WordPress database.  This sort of put me off to blogging in general for a while since WordPress has been my main medium for a while, and I really wasn’t motivated to start from scratch.  Recently though I was looking around the software again, tinkering with the idea of starting it all up again, when I found that WordPress had a quick and dirty livejournal import tool.  I’d been crossposting to LJ since I started using my own blog, simply because I’ve been on it for so long.  It never even occurred to me that I more or less had a backup copy of everything sitting around.

So the upshot of all this is that not only did I get all my posts back, but I have my entire livejournal history imported into WordPress.  All the way back to 2002 when I first hooked up to LJ to keep in touch with Brian.  To boot now I have all my comments from people sync’d up as well.  The only downside is that my imported posts now have that little “you can comment over at iggdawg.com too!” footer from my crossposts.  I can’t think of an easy way to zap all of them, and its ironically self-serving ugliness serves as a scar to be more careful with my backups and server migrations.

Anyways, it’s good to be back writing on my internets again.  Moderate cleverness and tolerable complaining are coming soon to an internet near you!

A little early…

February 11th, 2010 1 comment

…But happy early V-Day from the random awesomeness that is the internet. I don’t usually make “hey check out this pic” posts, but this one is kind of a gem. And it’s almost seasonal.

Originally published at The IggBlog. You can comment here or there.

Taaaarp

January 27th, 2010 No comments

Woot.com shirt of the day today. So pissed it sold out before I saw it

Windows 7 (and Vista 32) “God Mode”

January 6th, 2010 4 comments

So this little diddy popped up on Digg today (and I’m sure slashdot). It basically makes you a “super control panel” where you can tweek all your settings and set up / configure anything all from one nice neat place. It’s “meant” for Windows 7, but works just fine on Vista 32 bit. Apparently it messes up Vista 64bit though, so steer clear if you have a 64bit version of Vista. But anyways, here we go…. Make a folder, and name it the following:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

The icon will change to a control panel sort of icon, and you’re good to go. just double click on it and check out all the options. A few other good ones for network types like myself that hate having to drill down through menus to get to network related features:

Network Connections.{7007ACC7-3202-11D1-AAD2-00805FC1270E}
Wireless Networks.{1FA9085F-25A2-489B-85D4-86326EEDCD87}

Give them a shot, internets. You won’t be sorry.

Original Reference: Clicky

Originally published at The IggBlog. You can comment here or there.

Categories: Uncategorized Tags: , ,

Happy Thanksgiving

November 26th, 2009 1 comment

Happy Thanksgiving everyone! Im thankful for a lot this year. I’m thankful for Emily. She’s my angel, and has done me more good than I desirve. The squad of insufferable asshats that i work with, that allow me to work without a filter. Matt, jay, and all the friends that put up with me in a regular basis. My family that i wish i could visit more. And the internet that lets me keep in touch with the world, and the friends that i dont see nearly enough (lookin at you Brian, i’ll be bothering you soon). Eat too much and drink too much, everyone. You’re all pretty awesome.

Originally published at The IggBlog. You can comment here or there.

Categories: Uncategorized Tags: ,

Day 2

November 5th, 2009 1 comment

As sort of an update to yesterday’s post and a followup on an earlier idea… When satellite radio came out I noticed there were no stations I’d really listen to. Maybe one or two tops. But I listened to internet radio all the time. I was tickled when I figured out how I could get my PDA at the time to get internet radio over bluetooth, so I could listen to it uninterrupted when I had to use the bathroom. This was before PDAs had wifi (and people even used PDAs). I always said if there’s a way I could get internet radio in my car, I’d jump on it so fast. I’d even pay for it. And everyone that knows me knows how much I love free shit. I’ve been listening to my favorite internet radio streams and even Pandora in the car through my iphone, and it’s everything I thought it could be.

Unlimited data… who’s bright idea was that? You really want to take a guy like me who almost literally lives online, and stamp a free all access pass on my hand? I like mobile internet, and I do a LOT of driving/walking/errand-running. 10 out of 10 for style, minus several million for good thinking. But hey, you offered it up and I’m more than willing to make use of the 30 bucks a month a pay for unlimited internet, IM, SSH/VNC, and internet radio… which, as I always said, I’m more than happy to do. Here’s to you, internet.

Originally published at The IggBlog. You can comment here or there.

Categories: Uncategorized Tags: ,

Crappy phone falling apart? There’s an app for that.

November 4th, 2009 2 comments

My stupid red slider phone was showing signs of aging and abuse, and I was starting to outgrow it. It was pro at using the internet 120×120 pixels at a time, texting, and streaming internet to my laptops via bluetooth (still a favorite trick of mine). But the signs of aging and abuse were starting to show… the chassis was made of cheap plastic and was getting beat (the battery cover didn’t really “stay on” so much anymore), and the battery life was standing up well to time, but still degrading. And there may or may not have been a rapid deceleration incident involving my hand and some asphalt. The phone was a trooper no doubt, but my 2 years was up and I had the opportunity to look around.

There was a buzz about my workplace when the new iPhone 3GS came out. The regular iPhone 3G was getting cheaper, and my company is in bed with AT&T. When the new 3GS came out, the price for an 8 gig 3G dropped to 50 bucks for employees here, along with a discounted rate plan including enterprise unlimited this-and-that. That put it into “I’d be stupid not to” territory. So 50 bucks later and a few clicks on a web form, and I have myself an iPhone. Don’t get me wrong, I hate Apple as a company. I think they have terrible business practices when dealing with other companies, and their dedication to customer lock-in is worse than Microsoft. But They have some really good hardware. My boss put it best, “I had so many reasons to hate the iPhone before I got it, but now it’s probably the coolest thing I own”. Gonna have to agree with him there. I still hate the company, but this is an awesome little piece of hardware.

Originally published at The IggBlog. You can comment here or there.