Open Source Threat Intelligence and pf(4)

openbsd, pf, security, osint

This will give me the flexibility to replace the table with the new values so I can act fast not only on additions but also on deletions from the list. No need to keep out somebody longer than necessary.

Not sure how to attack the first part. A shell script would be easier and faster to create. Privsep could be handled by doas for the part needing higher privileges, allowing me to handle everything in a single script.

But as a start I am going to keep the script as is and see how it's going to work out for me. So without further ado, here's the script:

# Each block fetches one feed with ftp(1), keeps only lines that are a bare
# dotted quad, and appends them to the pf_osint table.
printf "zeustracker.abuse.ch badips "
ftp -VMo- https://zeustracker.abuse.ch/blocklist.php?download=badips | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "feodotracker.abuse.ch ipblocklist "
ftp -VMo- https://feodotracker.abuse.ch/blocklist/?download=ipblocklist | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

# The CSV feed carries one or more pipe-separated addresses per line, some
# with a trailing port or path: extract them, split on '|', deduplicate, and
# keep only strict dotted quads.
printf "ransomwaretracker.abuse.ch "
ftp -VMo- https://ransomwaretracker.abuse.ch/feeds/csv/ | \
        egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}[^/"]*' | \
        tr '|' '\n' | sort | uniq | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

# First CSV column is the address; the rest is metadata.
printf "autoshun.org "
ftp -VMo- 'https://www.autoshun.org/download/?api_key=0&format=csv' | \
        cut -f1 -d',' | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

# XML API: xmllint pretty-prints so every <ip> element lands on its own line.
printf "isc.sans.edu sources/attacks/ "
ftp -VMo- https://isc.sans.edu/api/sources/attacks/250/$(date '+%Y-%m-%d')/ | \
        xmllint --format - | \
        grep '<ip>' | \
        egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | \
        pfctl -t pf_osint -T add -f -

# Drop entries that have been in the table for more than 86400 s (24 h).
printf "expire entries that are older than 24hrs "
pfctl -t pf_osint -T expire 86400

Caveat: You need an API key for autoshun.org, so simply copy-and-pasting the above will not work. To get a key they want an e-mail address, name and surname.
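The `[0-9]{1,3}` regexes above accept impossible octets such as 999 and would also happily load a private or loopback address if a feed ever contained one. Here is an added example (not the post's script) of the shell approach mentioned above: a stricter filter in front of pfctl, plus the doas-wrapped `pfctl -T replace` that swaps the table in one go so delisted addresses disappear on the same run. It assumes the post's table name pf_osint, OpenBSD's ftp(1) and pfctl(8), a doas.conf rule permitting pfctl, and that the skipped ranges (0/8, 10/8, 127/8, 169.254/16, 172.16/12, 192.168/16) are ones you never want blocked wholesale; the sample feed lines are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not the post's script. Assumes table pf_osint, OpenBSD
# ftp(1)/pfctl(8), and a doas.conf rule that permits running pfctl.

# filter_ipv4: read feed text on stdin, print one clean IPv4 per line.
# Rejects octets above 255, extracts every address from CSV/pipe/URL-style
# lines, normalises leading zeros, and drops unspecified, loopback, RFC 1918
# and link-local addresses (assumed policy for a perimeter block table).
filter_ipv4() {
    awk '
    # Return the normalised address, or "" if invalid or in a skipped range.
    function clean(ip,   o, i, a, b) {
        if (split(ip, o, ".") != 4) return ""
        for (i = 1; i <= 4; i++) {
            if (length(o[i]) > 3 || o[i] + 0 > 255) return ""
            o[i] = o[i] + 0
        }
        a = o[1]; b = o[2]
        if (a == 0 || a == 10 || a == 127 || (a == 169 && b == 254) ||
            (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
            return ""
        return o[1] "." o[2] "." o[3] "." o[4]
    }
    {
        line = $0
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = clean(substr(line, RSTART, RLENGTH))
            line = substr(line, RSTART + RLENGTH)
            if (ip != "") print ip
        }
    }' | LC_ALL=C sort -u
}

# load_table: fetch every feed URL given, filter, then replace the table
# contents in one step so addresses removed upstream are removed here too.
# Only pfctl needs root, so only that step goes through doas.
load_table() {
    tmp=$(mktemp) || return 1
    for url in "$@"; do ftp -VMo- "$url"; done | filter_ipv4 > "$tmp"
    doas pfctl -t pf_osint -T replace -f "$tmp"
    rm -f "$tmp"
}

# Constructed feed lines (documentation ranges, not real indicators) in the
# shapes the post's sources produce: CSV, pipe-separated, URL with port.
SAMPLE_FEED='192.0.2.44,botnet c2
999.1.2.3,octet out of range
10.0.0.5,private range leaked into feed
203.0.113.7:8080/gate.php|203.0.113.7|198.51.100.22
192.0.2.010,leading zero normalised'
```

Running `printf '%s\n' "$SAMPLE_FEED" | filter_ipv4` yields four addresses: the out-of-range and private entries are dropped, the duplicate collapses, and 192.0.2.010 becomes 192.0.2.10.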

--EOF