Die Beschreibung zur Verwendung befindet sich im Quellcode.

#/usr/bin/perl -w

##############################################################################
# CGPro Honeypot 2 Fortigate Threat Feed
# Version 1.0
# Maintained by Juergen P. [core.at]
#
# This sample script writes Temporary Blacklisted IP's from a CommuniGate Pro SMTP/SIP Honeypot
# to a File for offloading BAD host blocking to a Fortigate Firewall with Forti OS 6x
# via the Fortigate Threat Feed Connector. You should adopt it to your needs.
# The Script should be run via cron (i suggest every 5 minutes) and write the o utput
# to a textfile into a specific CGPro users webspace(public) for downloading to the firewall
# via the following FortiOS CLI configuration commands:
######
# config system external-resource
# edit <name>
# set type {category | address | domain}
# set category <value>
# set comments [comments]
# set resource <resource-url>
# set refresh-rate <minutes>
# set last-update <datetime>
# next
# end
#####
#
# The Threat feed connector flushes the Table at each run, so IPs which are not blocked anymore, are removed.
# The size of the file can be a maximum of 10 MB, or 128,000 lines of text, whic hever is most restrictive.
#####
# Replace $CGServerAddress, $Login and $Password below with the correct Values in Section 2
# To run in interactive mode for testing, uncomment Section 1 and comment out S ection 2
# Replace $filename with the filename you defined in the Fortinet Fortigate con fig.
#
##############################################################################
use strict;

# Make sure the "CLI.pm" is in current directory
use CLI;
use LWP::UserAgent;
my $Data ="";
my $x =""; #counter
my $filename ="/var/CommuniGate/SharedDomains/my.domain/postmaster.macnt/account.w eb/honeypotlist.txt";
my $ua=new LWP::UserAgent;
my $request="";
my $response="";
my $content="";
my $url="";
####
#### Section 1
####
# print "Server address: "; # Print the server name prompt
# my $CGServerAddress = <STDIN>; # Read the domain name from standard inp ut
# chomp $CGServerAddress; # Remove \n if present
#
# print "Login (Enter for \"postmaster\"): ";
# my $Login = <STDIN>;
# chomp $Login;
# if ($Login eq '') { $Login = "postmaster"; }
#
# print "Password: ";
# my $Password = <STDIN>;
# chomp $Password;
#
#### End of Section 1

### Section 2

my $CGServerAddress = "1.2.3.4"; # CGPro Server IP
my $Login="postmaster"; # CGPro postmaster Account
my $Password="MyPassword"; # CGPro postmaster Password

#### End of Section 2

# Open TCP connection to given address port 106 (PWD, or CGPro CLI).
# Submit username and password. If login fail, the program will stop.

my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
PeerPort => 106,
login => $Login,
password => $Password } )
|| die "Can't login to CGPro: ".$CGP::ERR_STRING."\n";

if($Data = $cli->GetTempBlacklistedIPs()) {
# my $a = split(/,/,$Data); # Number of Elements (uncomment, if needed)
my @b = split(/,/,$Data); # Array of IPs including time in seconds
open(my $OUTFILE, '>', "$filename") || die "could not open output file: $!" ;
select $OUTFILE;
foreach $x (@b) {
$x=~ s/\].*//; # remove everything after "]"
$x= substr $x,1; # remove first "["
print "$x\n"; # write IP to file

$ua->timeout(120);
$url='http://my.rbl.domain/drop.php?ipaddress='.$x.'&black orwhite=b&notes=blacklisted';
$request = new HTTP::Request('GET', $url);
$response = $ua->request($request);
$content = $response->content();
print $url;
print $content;

}
#print "$a\n"; # Print Number of elements

}
else
{
($cli->isSuccess) ? print "No Output created.\n"
: die "Error: ".$cli->getErrMessage.", quitting"; }

$cli->Logout; # Close the CLI session and disconnect

__END__

 

Threat Feed Connectors

This feature introduces
the ability to dynamically import external block list text files from an
HTTP server. The text files can contain IP addresses and domain names.
These dynamic block lists are called ‚Threat Feeds‘. You can block
access to the addresses in the text files by adding one or more threat
feeds to:

FortiOS keeps threat feeds up to date by dynamically re-downloading them from the HTTP server according to the refresh rate.

Threat Feeds can be configured under Security Fabric > Fabric Connectorsby creating new Threat Feeds.

The New Fabric Connector edit page provides the following fields:

The domain resource is a text file which contains a domain name for each line and supports simple wildcard. For example:

mail.*.or.th
*-special.de.vu
http://www.*de.vu
610-pawn.com
aaliyah-hq-gallery.de.vu
abcgolocal.com

The address resource is a
text file which contains an IP/IP range for each line (note that only
IPv4 is supported in DNS profiles, so IPv6 addresses will be ignored).
For example:

1.1.1.1
10.0.0.70
2.1.1.1
100.0.0.1-100.0.0.100
10.0.0.99-10.0.0.201
1.2.2.2/24

FortiOS configuration

config system external-resource
edit
set type {category | address | domain}
set category
set comments [comments]
set resource
set refresh-rate
set last-update
next
end