I've got some dynamically gathered blocklist information in Splunk App for Enterprise Security... and I want to put those lists into my Squid configuration.
There are lots of tools to enable blocklist gathering in Squid, but since we've already gathered the data, why not just use the stuff that's already here? I use this script on my home server. That destination path is a little funny because I use SquidMan to manage my configuration.
squid.conf change:
acl blocklistIP src "Users/coates/Library/Preferences/squid_blocklist.txt"
http_access deny blocklistIP
shell script (runs via cron):
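#!/bin/sh
# Rebuild the Squid IP blocklist from the Splunk ES threat-intel lookup CSVs.
# Runs from cron. Writes $HOME/Library/Preferences/squid_blocklist.txt, the
# file squid.conf references with:  acl blocklistIP src "<that path>"
#
# Fixes relative to the first version of this script:
#   - the SPLUNK_HOME probe ran only when the variable was already set
#     (`! -z`), assigned /Applications/splunk for the /opt/splunk branch, and
#     kept going after printing "Please set $SPLUNK_HOME";
#   - scratch data went to a fixed, world-shared /tmp/badnets.txt;
#   - the per-prefix exclusion loop re-emitted the whole list on every pass,
#     so after sort|uniq only the "-" rows were actually removed;
#   - the live blocklist was deleted and rebuilt in place, so Squid could read
#     an empty or partial file while the job ran.
set -eu

# Locate Splunk when the caller did not export SPLUNK_HOME.
if [ -z "${SPLUNK_HOME:-}" ]; then
  if [ -d /Applications/splunk ]; then
    SPLUNK_HOME=/Applications/splunk
  elif [ -d /opt/splunk ]; then
    SPLUNK_HOME=/opt/splunk
  else
    echo "Please set \$SPLUNK_HOME" >&2
    exit 1
  fi
  export SPLUNK_HOME
fi

SRC="$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups"
DEST="${HOME:?HOME must be set}/Library/Preferences/squid_blocklist.txt"

# Loose IPv4 shape check (octet range is not validated). Only rows that pass
# it reach the acl file: the lookups are gathered from outside, and a row
# that is not an address has no business being written into Squid's config.
IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# Scratch space private to this run, and a staging copy next to DEST that is
# swapped in atomically at the end.
WORK=$(mktemp -d) || exit 1
NEW="$DEST.tmp.$$"
cleanup() { rm -rf -- "${WORK:?}" "$NEW"; }
trap cleanup EXIT
trap 'exit 1' INT TERM HUP

#######################################
# Print the first CSV column of a lookup file with surrounding quotes removed.
# Arguments: $1 - lookup CSV path
# Outputs:   one value per line on stdout; nothing if the file is unreadable
# Returns:   0 (a missing lookup is a warning, not a failure, as before)
#######################################
first_column() {
  if [ ! -r "$1" ]; then
    echo "warning: skipping unreadable lookup $1" >&2
    return 0
  fi
  awk -F, '{ print $1 }' "$1" | tr -d '"'
}

# "Ranges" lookups: rows are a single address or "start-end"; both are kept
# here so the range step below can see them. (The original `grep -v [:numeric]`
# was an unquoted bracket expression matching any of the letters ":numeric",
# presumably meant to drop the CSV header row; the -x match does that too.)
# sed is last in the pipeline so a lookup with no valid rows does not trip -e.
for name in ip_piratebaylist ip_rapidsharelist sans_blocklist; do
  first_column "$SRC/$name.csv" \
    | grep -Ex "$IPV4(-$IPV4)?" \
    | sed 's|$|/32|'
done > "$WORK/raw"

# "Solo addresses" lookups: a "start-end" row contributes only its start.
for name in ip_proxylist ip_spywarelist ip_torlist ip_webattackerlist; do
  first_column "$SRC/$name.csv" \
    | cut -d- -f1 \
    | grep -Ex "$IPV4" \
    | sed 's|$|/32|'
done >> "$WORK/raw"

sort -u "$WORK/raw" > "$WORK/hosts"

# /24 prefixes ("A.B.C") of the "start-end" rows.
grep -F -- - "$WORK/hosts" \
  | awk -F. '{ print $1 "." $2 "." $3 }' \
  | sort -u > "$WORK/badnets"

# Drop the range rows and every /32 inside one of those /24s, applying all
# prefixes in a single pass (the original loop applied one per pass and
# then merged the passes back together). Input is already sorted and unique,
# and awk preserves order, so no final sort|uniq is needed.
# NOTE(review): this removes the ranges and the hosts near them without
# blocking anything in their place, so the list gets shorter, not longer.
# Squid's `src` acl also accepts `addr1-addr2` ranges; if blocking them is
# the goal, emit those rows here instead of discarding them — confirm intent.
awk -F. '
  FILENAME == ARGV[1] { bad[$1 "." $2 "." $3] = 1; next }
  index($0, "-") == 0 && !(($1 "." $2 "." $3) in bad)
' "$WORK/badnets" "$WORK/hosts" > "$NEW"

# Replace the live file in one step so Squid never sees a half-written list.
mv -f -- "$NEW" "$DEST"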
There are lots of tools to enable blocklist gathering in Squid, but since we've already gathered the data, why not just use the stuff that's already here? I use this script on my home server. That destination path is a little funny because I use SquidMan to manage my configuration.
squid.conf change:
acl blocklistIP src "Users/coates/Library/Preferences/squid_blocklist.txt"
http_access deny blocklistIP
shell script (runs via cron):
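#!/bin/sh
# Rebuild the Squid IP blocklist from the Splunk ES threat-intel lookup CSVs.
# Runs from cron. Writes $HOME/Library/Preferences/squid_blocklist.txt, the
# file squid.conf references with:  acl blocklistIP src "<that path>"
#
# Fixes relative to the first version of this script:
#   - the SPLUNK_HOME probe ran only when the variable was already set
#     (`! -z`), assigned /Applications/splunk for the /opt/splunk branch, and
#     kept going after printing "Please set $SPLUNK_HOME";
#   - scratch data went to a fixed, world-shared /tmp/badnets.txt;
#   - the per-prefix exclusion loop re-emitted the whole list on every pass,
#     so after sort|uniq only the "-" rows were actually removed;
#   - the live blocklist was deleted and rebuilt in place, so Squid could read
#     an empty or partial file while the job ran.
set -eu

# Locate Splunk when the caller did not export SPLUNK_HOME.
if [ -z "${SPLUNK_HOME:-}" ]; then
  if [ -d /Applications/splunk ]; then
    SPLUNK_HOME=/Applications/splunk
  elif [ -d /opt/splunk ]; then
    SPLUNK_HOME=/opt/splunk
  else
    echo "Please set \$SPLUNK_HOME" >&2
    exit 1
  fi
  export SPLUNK_HOME
fi

SRC="$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups"
DEST="${HOME:?HOME must be set}/Library/Preferences/squid_blocklist.txt"

# Loose IPv4 shape check (octet range is not validated). Only rows that pass
# it reach the acl file: the lookups are gathered from outside, and a row
# that is not an address has no business being written into Squid's config.
IPV4='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# Scratch space private to this run, and a staging copy next to DEST that is
# swapped in atomically at the end.
WORK=$(mktemp -d) || exit 1
NEW="$DEST.tmp.$$"
cleanup() { rm -rf -- "${WORK:?}" "$NEW"; }
trap cleanup EXIT
trap 'exit 1' INT TERM HUP

#######################################
# Print the first CSV column of a lookup file with surrounding quotes removed.
# Arguments: $1 - lookup CSV path
# Outputs:   one value per line on stdout; nothing if the file is unreadable
# Returns:   0 (a missing lookup is a warning, not a failure, as before)
#######################################
first_column() {
  if [ ! -r "$1" ]; then
    echo "warning: skipping unreadable lookup $1" >&2
    return 0
  fi
  awk -F, '{ print $1 }' "$1" | tr -d '"'
}

# "Ranges" lookups: rows are a single address or "start-end"; both are kept
# here so the range step below can see them. (The original `grep -v [:numeric]`
# was an unquoted bracket expression matching any of the letters ":numeric",
# presumably meant to drop the CSV header row; the -x match does that too.)
# sed is last in the pipeline so a lookup with no valid rows does not trip -e.
for name in ip_piratebaylist ip_rapidsharelist sans_blocklist; do
  first_column "$SRC/$name.csv" \
    | grep -Ex "$IPV4(-$IPV4)?" \
    | sed 's|$|/32|'
done > "$WORK/raw"

# "Solo addresses" lookups: a "start-end" row contributes only its start.
for name in ip_proxylist ip_spywarelist ip_torlist ip_webattackerlist; do
  first_column "$SRC/$name.csv" \
    | cut -d- -f1 \
    | grep -Ex "$IPV4" \
    | sed 's|$|/32|'
done >> "$WORK/raw"

sort -u "$WORK/raw" > "$WORK/hosts"

# /24 prefixes ("A.B.C") of the "start-end" rows.
grep -F -- - "$WORK/hosts" \
  | awk -F. '{ print $1 "." $2 "." $3 }' \
  | sort -u > "$WORK/badnets"

# Drop the range rows and every /32 inside one of those /24s, applying all
# prefixes in a single pass (the original loop applied one per pass and
# then merged the passes back together). Input is already sorted and unique,
# and awk preserves order, so no final sort|uniq is needed.
# NOTE(review): this removes the ranges and the hosts near them without
# blocking anything in their place, so the list gets shorter, not longer.
# Squid's `src` acl also accepts `addr1-addr2` ranges; if blocking them is
# the goal, emit those rows here instead of discarding them — confirm intent.
awk -F. '
  FILENAME == ARGV[1] { bad[$1 "." $2 "." $3] = 1; next }
  index($0, "-") == 0 && !(($1 "." $2 "." $3) in bad)
' "$WORK/badnets" "$WORK/hosts" > "$NEW"

# Replace the live file in one step so Squid never sees a half-written list.
mv -f -- "$NEW" "$DEST"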