Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use Enterprise Security blocklists with Squid?

jcoates_splunk
Splunk Employee
Splunk Employee
‎07-22-2012 11:01 AM

I've got some dynamically gathered blocklist information in Splunk App for Enterprise Security... and I want to put those lists into my Squid configuration.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎07-22-2012 11:07 AM

There are lots of tools to enable blocklist gathering in Squid, but since we've already gathered the data, why not just use the stuff that's already here? I use this script on my home server. That destination path is a little funny because I use SquidMan to manage my configuration.

squid.conf change:

acl blocklistIP src "Users/coates/Library/Preferences/squid_blocklist.txt"
http_access deny blocklistIP

shell script (runs via cron):

#!/bin/sh

if [ ! -z "$SPLUNK_HOME" ]
    then if [ -e "/Applications/splunk/" ] 
        then export SPLUNK_HOME=/Applications/splunk
    elif [ -e "/opt/splunk" ]
        then export SPLUNK_HOME=/Applications/splunk
    else
        echo "Please set \$SPLUNK_HOME"
    fi
fi

SRC=$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups
DEST=$HOME/Library/Preferences/squid_blocklist.txt

rm -rf $DEST

# Ranges
cat $SRC/ip_piratebaylist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST
cat $SRC/ip_rapidsharelist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST
cat $SRC/sans_blocklist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST

# Solo addresses
cat $SRC/ip_proxylist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_spywarelist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_torlist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_webattackerlist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST

sort $DEST | uniq > $DEST.tmp

cat $DEST.tmp | grep - | awk 'BEGIN {FS="."} {print $1"."$2"."$3}' > /tmp/badnets.txt
while read line; do grep -v $line $DEST.tmp |grep -v -; done < /tmp/badnets.txt > $DEST.tmp2

sort $DEST.tmp2 | uniq > $DEST

rm $DEST.tmp
rm $DEST.tmp2
rm /tmp/badnets.txt

View solution in original post

Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎07-22-2012 11:07 AM

There are lots of tools to enable blocklist gathering in Squid, but since we've already gathered the data, why not just use the stuff that's already here? I use this script on my home server. That destination path is a little funny because I use SquidMan to manage my configuration.

squid.conf change:

acl blocklistIP src "Users/coates/Library/Preferences/squid_blocklist.txt"
http_access deny blocklistIP

shell script (runs via cron):

#!/bin/sh

if [ ! -z "$SPLUNK_HOME" ]
    then if [ -e "/Applications/splunk/" ] 
        then export SPLUNK_HOME=/Applications/splunk
    elif [ -e "/opt/splunk" ]
        then export SPLUNK_HOME=/Applications/splunk
    else
        echo "Please set \$SPLUNK_HOME"
    fi
fi

SRC=$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups
DEST=$HOME/Library/Preferences/squid_blocklist.txt

rm -rf $DEST

# Ranges
cat $SRC/ip_piratebaylist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST
cat $SRC/ip_rapidsharelist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST
cat $SRC/sans_blocklist.csv | awk 'BEGIN {FS=","} {print $1"/32"}' | tr -d '"' | grep -v [:numeric] >> $DEST

# Solo addresses
cat $SRC/ip_proxylist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_spywarelist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_torlist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST
cat $SRC/ip_webattackerlist.csv | awk 'BEGIN {FS=","} {print $1}' | awk 'BEGIN {FS="-"} {print $1"/32"}' | tr -d '"'  | grep -v [:numeric] >> $DEST

sort $DEST | uniq > $DEST.tmp

cat $DEST.tmp | grep - | awk 'BEGIN {FS="."} {print $1"."$2"."$3}' > /tmp/badnets.txt
while read line; do grep -v $line $DEST.tmp |grep -v -; done < /tmp/badnets.txt > $DEST.tmp2

sort $DEST.tmp2 | uniq > $DEST

rm $DEST.tmp
rm $DEST.tmp2
rm /tmp/badnets.txt
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...