Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2017-12-08 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Using Our API To Adjust iptables Rules

Published: 2017-12-08
Last Updated: 2017-12-08 20:14:07 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We are offering a simple (IMHO) API to allow you to script various queries against our databases. One dataset we offer is a list of IP addresses that are scanning the internet for exposed services. The most prominent of these services is likely Shodan. To avoid having any devices from your organization show up in Shodan, you may want to block all scans from known Shodan hosts. We do create a list of these IP addresses and update it daily. The respective API query to retrieve the list is:

https://isc.sans.edu/api/threatlist/shodan/

By default, the list is returned as XML. But it is pretty easy to change the format. All you need to do is add ?json, ?text ... This will make processing with simple scripts rather easy. The "text" format is probably easiest to process with shell tools, but just in case the format is changing later in some subtle way, it is probably safest to use JSON and have the "jq" utility parse it:

curl -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'

This will return a list of all the IP addresses. To use this in iptables, I would recommend setting up a new table. Something like:

iptables -F shodan
iptables -A shodan -j RETURN
for ip in `curl -A "myemailadress" -s https://isc.sans.edu/api/threatlist/shodan?json | jq '.[] | {ipv4}' | grep ':' | awk '{ print $2 }' | tr -d '"'`
do  
  echo $ip
  if [[ $ip =~ ^[0-9\.]+$ ]]
  then
    iptables -A shodan -s $ip -j LOGDROP
  else
    echo "Bad IP Address. Aborting."    
    exit
  fi
done
iptables -D shodan 1

"LOGDROP is a table that will log the packet and drop it. You could also just drop it here, but this would be a bit dangerous as you wouldn't see these dropped packets in your logs which makes debugging problems extra fun.

For a full list of our API functions, see https://isc.sans.edu/api . Please note to use your e-mail address as a user agent. We do not require authentication, but if your script causes issues, then it would be nice if we can check with you vs. just block you.

Of course, test carefully and use at your own risk.

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
STI|Twitter|

 
Keywords:
6 comment(s)
Diary Archives