Exporting CommuniGate Pro honeypot blacklisted IPs to a Fortigate Threat Feed

#!/usr/bin/perl -w
##############################################################################
#  CGPro Honeypot 2 Fortigate Threat Feed
#  Version 1.0
#  Maintained by Juergen P. [core.at]
#
#  This script writes the temporarily blacklisted IPs of a CommuniGate Pro SMTP/SIP honeypot
#  to a file, offloading the blocking of bad hosts to a Fortigate firewall with FortiOS 6.x
#  through the Fortigate Threat Feed Connector.
#  The script should be run by cron (I suggest every 5 minutes) and write its output
#  to a text file in a specific CGPro user's (public) webspace, from where the firewall
#  downloads it; configure the firewall with the following FortiOS CLI commands:
######
#  config system external-resource
#      edit <name>
#          set type {category | address | domain}
#          set category <value>
#          set comments [comments]
#          set resource <resource-url>
#          set refresh-rate <minutes>
#          set last-update <datetime>
#      next
#  end
#####
#  The Threat Feed Connector flushes the table at each run, so IPs that are no longer blocked are removed.
#  The size of the file can be a maximum of 10 MB or 128,000 lines of text, whichever is more restrictive.
#####
#  Replace $CGServerAddress, $Login and $Password in Section 2 with the correct values.
#  To run in interactive mode for testing, uncomment Section 1 and comment out Section 2.
#  Replace $filename with the file name you defined in the Fortinet Fortigate config.
#
##############################################################################
use strict;
use lib '.';    # CommuniGate's CLI.pm is expected in the current directory
use CLI;        # provides the CGP::CLI package

my $Data = "";
my $x    = "";  # loop variable
my $filename = "/var/CommuniGate/SharedDomains/core.at/postmaster.macnt/account.web/honeypotlist.txt";

####
#### Section 1 (interactive mode, for testing)
####
#       print "Server address: ";       # Print the server address prompt
#       my $CGServerAddress = <STDIN>;  # Read the server address from standard input
#       chomp $CGServerAddress;         # Remove \n if present
#
#       print "Login (Enter for \"postmaster\"): ";
#       my $Login = <STDIN>;
#       chomp $Login;
#       if ($Login eq '') { $Login = "postmaster"; }
#
#       print "Password: ";
#       my $Password = <STDIN>;
#       chomp $Password;
#
#### End of Section 1

#### Section 2 (unattended mode, for cron)
my $CGServerAddress = "x.x.x.x";        # CGPro server IP
my $Login    = "postmaster";            # CGPro postmaster account
my $Password = "myPassword";            # CGPro postmaster password
#### End of Section 2

# Open a TCP connection to the given address on port 106 (PWD, the CGPro CLI port)
# and submit username and password. If the login fails, the program stops.
my $cli = CGP::CLI->new( { PeerAddr => $CGServerAddress,
                           PeerPort => 106,
                           login    => $Login,
                           password => $Password } )
    || die "Can't login to CGPro: " . $CGP::ERR_STRING . "\n";

if ($Data = $cli->GetTempBlacklistedIPs()) {
    # my $a = split(/,/, $Data);  # number of elements (uncomment if needed)
    my @b = split(/,/, $Data);    # array of "[IP]seconds" entries
    open(my $OUTFILE, '>', $filename) || die "could not open output file: $!";
    foreach $x (@b) {
        $x =~ s/\].*//;            # remove everything after "]" (the remaining block time)
        $x = substr $x, 1;         # remove the leading "["
        print $OUTFILE "$x\n";     # write one IP per line, as the address feed expects
    }
    close($OUTFILE) || die "could not close output file: $!";
    # print "$a\n";               # print number of elements
}
else {
    ($cli->isSuccess) ? print "No output created.\n"
                      : die "Error: " . $cli->getErrMessage . ", quitting";
}
$cli->Logout;                     # close the CLI session and disconnect
__END__

Fortinet Fortigate Threat Feed Connector

Source: Fortinet

Threat Feed Connectors

This feature introduces the ability to dynamically import external block list text files from an HTTP server. The text files can contain IP addresses and domain names. These dynamic block lists are called "Threat Feeds". You can block access to the addresses in the text files by adding one or more threat feeds to:

  • DNS Filter profiles (using Domain Name and IP Address threat feeds)
  • Web Filter profiles and SSL inspection exemptions (using FortiGuard Category threat feeds)
  • Proxy policies (using IP Address threat feeds)
  • AntiVirus profiles (using Malware Hash threat feeds)

FortiOS keeps threat feeds up to date by dynamically re-downloading them from the HTTP server according to the refresh rate.

Threat Feeds can be configured under Security Fabric > Fabric Connectors by creating new Threat Feeds.

The New Fabric Connector edit page provides the following fields:

  • Name – The name you want to assign to the feed. The usage of the name in the interface depends on the category of threat feed you select:
      • Domain Name – The name will appear as a "Remote Category" in DNS Filter profiles.
      • FortiGuard Category – The name will appear as a "Remote Category" in Web Filter profiles and SSL inspection exemptions.
      • IP Address – The name will appear as an "External IP Block List" in DNS Filter profiles and as a "Source/Destination" in IPv4, IPv6, and Proxy policies.
      • Malware Hash – The name will be automatically used for Virus Outbreak Prevention on AntiVirus profiles where "External Malware Block List" is enabled.
  • URI of external resource – The link to an external resource file. The file should be a plain text file with one domain per line and supports simple wildcards.
  • HTTP basic authentication – The username and password for external authentication on the threat feed's URI. This can be disabled if the feed does not require authentication.
  • Refresh Rate – The time interval at which the external resource is refreshed (1 – 43200 minutes).
  • The size of the file can be 10 MB, or 128,000 lines of text, whichever is most restrictive.

The domain resource is a text file which contains a domain name for each line and supports simple wildcard. For example:

mail.*.or.th
*-special.de.vu
http://www.*de.vu
610-pawn.com
aaliyah-hq-gallery.de.vu
abcgolocal.com

The address resource is a text file which contains an IP/IP range for each line (note that only IPv4 is supported in DNS profiles, so IPv6 addresses will be ignored). For example:

1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24
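As an added example (not part of the original post and not CommuniGate's own CLI.pm), a Python version of the parsing step the Perl script performs, combined with the checks the address-resource format and the file-size limits above call for: every entry is validated as an IP before it reaches the firewall, duplicates are dropped, and the line and byte limits are enforced. The "[address]seconds,..." response shape is assumed from how the script splits it, and the sample input is constructed.

```python
import ipaddress

# File limits stated in the Fortinet documentation for an external resource.
MAX_LINES = 128_000
MAX_BYTES = 10 * 1024 * 1024

def parse_temp_blacklist(data):
    """Parse a GETTEMPBLACKLISTEDIPS response into (address, seconds) tuples.
    The shape "[address]seconds,[address]seconds,..." is assumed from how the
    Perl script above splits it; malformed items are skipped."""
    entries = []
    for item in data.split(","):
        item = item.strip()
        if not item.startswith("[") or "]" not in item:
            continue
        addr, _, rest = item[1:].partition("]")
        entries.append((addr, int(rest) if rest.isdigit() else 0))
    return entries

def build_address_feed(data, ipv4_only=False):
    """Return the text of a FortiOS 'address' feed built from the response.
    Every address is validated with ipaddress so a garbled entry cannot reach
    the firewall, duplicates are dropped, IPv6 is dropped when ipv4_only is set
    (DNS profiles ignore it), and the 128,000-line / 10 MB limits are enforced.
    An empty response yields an empty file, so the connector clears entries
    whose block time has expired instead of serving a stale list."""
    seen, lines = set(), []
    for addr, _ in parse_temp_blacklist(data):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a single IP address: skip rather than feed junk
        if (ipv4_only and ip.version != 4) or str(ip) in seen:
            continue
        seen.add(str(ip))
        lines.append(str(ip))
    del lines[MAX_LINES:]
    text = "".join(line + "\n" for line in lines)
    while len(text.encode()) > MAX_BYTES:  # trim until under the byte limit
        lines.pop()
        text = "".join(line + "\n" for line in lines)
    return text

# Constructed sample response (documentation addresses), not from a live server.
SAMPLE = "[192.0.2.10]3600,[198.51.100.7]120,[2001:db8::5]900,[192.0.2.10]300,[bogus]10"

if __name__ == "__main__":
    print(build_address_feed(SAMPLE), end="")
```

Writing the returned text to the file referenced by the connector's resource URI (and an empty file when the honeypot list is empty) keeps the firewall's block list in step with what CGPro currently blocks.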

FortiOS configuration

config system external-resource
    edit <name>
        set type {category | address | domain}
        set category <value>
        set comments [comments]
        set resource <resource-url>
        set refresh-rate <minutes>
        set last-update <datetime>
    next
end