LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-11-2024, 10:08 AM   #1
//////
Member
 
[nftables] how to use blocklist.txt file as a source for blacklisted ip-addresses ?


Hello all.

I have been writing a Perl script that parses Suricata logs and gives me the IP addresses behind alerts rated [Priority: 1-2].
I would like to use a blacklist.txt file that nftables reads, and use that file as the source of IP addresses that should be blocked.

I am using Arch Linux at the moment.

I know some of these alerts are benign.
Code:
06:10 PM: root@a-box:Downloads 637: $ perl /usr/local/bin/addnft.pl
172.64.203.2 --  ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
172.64.202.2 --  ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.50.1 --  ET DNS Query for .to TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
8.8.8.8 --  ET DNS Query for .to TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
136.243.170.167 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
138.201.178.194 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
88.99.71.227 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
23.88.75.112 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
5.9.141.126 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
162.55.240.246 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
188.40.17.79 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
23.88.75.117 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
162.55.240.243 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
149.40.50.43 --  ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
191.101.31.34 --  ET 3CORESec Poor Reputation IP group 14 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
154.47.20.166 --  ETN AGGRESSIVE IPs Group 28 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
154.6.151.101 --  ETN AGGRESSIVE IPs Group 19 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
165.231.182.11 --  ET COMPROMISED Known Compromised or Hostile Host Traffic group 7 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
149.40.50.37 --  ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
198.252.206.25 --  ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
06:10 PM: root@a-box:Downloads 638: $
 
Old 01-12-2024, 07:06 PM   #2
Turbocapitalist
LQ Guru
 
nftables could read a properly formatted text file directly using an include statement. Depending on your workflow, it might be easier to have a shell, AWK, or Perl script read the text file or logs. Either way, you'd add the entries to a set.

So if you have a named set, with or without timeouts,

Code:
table inet filter {
        set blacklist {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 199.201.64.0/22, 204.15.20.0/22, }
        }
}
then you can have a script update it,

Code:
#!/bin/sh
. . .
# quote the braces so the shell hands them to nft as part of one argument
nft add element inet filter blacklist "{ $address }"
. . .
where $address contains an IPv4 address or CIDR address range.

I presume it is similar for IPv6.

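The following is an added example, not code from the thread or from either poster, that puts the reply above to work: a POSIX sh script that reads a blacklist.txt, keeps only well-formed IPv4 addresses or CIDR prefixes, refuses to block RFC1918, loopback and link-local hosts plus a configurable list of resolvers (the OP's own output shows the LAN gateway 192.168.50.1 and 8.8.8.8 among the Priority 2 hits), and emits a `flush set` plus `add element` batch for `nft -f -`, so the set contents are replaced in one transaction with no window where the set is empty. The table and set names follow the reply (inet filter / blacklist); the file path, the NEVER_BLOCK contents, the NFT_* variable names and the bootstrap chain with `policy accept` are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): turn blocklist.txt into an atomic
# nftables set update. Assumes the set shown in the reply above already exists:
# table inet filter, set blacklist (type ipv4_addr, flags interval, auto-merge).
# Names below are assumptions; override them in the environment if yours differ.
NFT_FAMILY=${NFT_FAMILY:-inet}
NFT_TABLE=${NFT_TABLE:-filter}
NFT_SET=${NFT_SET:-blacklist}
# Hosts that must never land in the set even if Suricata flags them
# (placeholder: the resolvers this box depends on; edit to taste).
# Private, loopback and link-local ranges are excluded by pattern below.
NEVER_BLOCK=${NEVER_BLOCK:-"8.8.8.8 1.1.1.1"}

# Accept only a dotted-quad IPv4 address, optionally with a /0-32 prefix length.
is_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; plen=${1##*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ ${#plen} -le 2 ] && [ "$plen" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# RFC1918, loopback and link-local space, plus the explicit never-block list.
is_never_block() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    for keep in $NEVER_BLOCK; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# Print an nft batch for `nft -f -`: flush and add in one file are applied as a
# single transaction. Comments (#...), blank and junk lines are skipped with a
# note on stderr; exact duplicates are folded; overlaps are left to auto-merge.
build_nft_batch() {
    elements=$(
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            if ! is_ipv4_cidr "$line"; then
                printf 'skip (not an IPv4 address/CIDR): %s\n' "$line" >&2
            elif is_never_block "$line"; then
                printf 'skip (never-block): %s\n' "$line" >&2
            else
                printf '%s\n' "$line"
            fi
        done | LC_ALL=C sort -u | paste -sd, - | sed 's/,/, /g'
    )
    printf 'flush set %s %s %s\n' "$NFT_FAMILY" "$NFT_TABLE" "$NFT_SET"
    if [ -n "$elements" ]; then
        printf 'add element %s %s %s { %s }\n' "$NFT_FAMILY" "$NFT_TABLE" "$NFT_SET" "$elements"
    fi
}

# One-time bootstrap: a set alone blocks nothing, a rule has to reference it.
# policy accept is an assumption that keeps you from locking yourself out
# while testing. Run once; re-running appends a duplicate drop rule.
print_base_ruleset() {
    cat <<EOF
table $NFT_FAMILY $NFT_TABLE {
    set $NFT_SET {
        type ipv4_addr
        flags interval
        auto-merge
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @$NFT_SET counter drop
    }
}
EOF
}

# Usage (default path is an assumption): --bootstrap | --apply [file] | --dry-run [file]
case ${1:-} in
    --bootstrap) print_base_ruleset | nft -f - ;;
    --apply)     build_nft_batch "${2:-/etc/nftables.d/blacklist.txt}" | nft -f - ;;
    --dry-run)   build_nft_batch "${2:-/etc/nftables.d/blacklist.txt}" ;;
esac
```

Run it with `--dry-run blocklist.txt` first to see the batch it would hand to nft, `--bootstrap` once to create the table, set and drop rule, then `--apply` from cron or from the end of the Perl parser. Keep `auto-merge` on the set as in the reply: without it, overlapping intervals in one batch make nft reject the whole transaction rather than merge them.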
Old 01-13-2024, 07:33 AM   #3
//////
Member
 
Thanks man.

And yeah, I've got Perl/bash scripts that parse those alerts.
I believe I can finish my scripts with your help.
 
  

