Open Source Threat Intelligence and pf(4)


I came up with the idea to utilize Open Source Threat Feeds, or OSINT, on my private setup and quickly cooked up the shell script below in a rough first try. The funny thing is that I more or less instantly got hits from the 5346 IP addresses in the table:

@0 block drop log quick from <pf_osint:5346> to any
  [ Evaluations: 502       Packets: 20        Bytes: 800         States: 0     ]
  [ Inserted: uid 0 pid 68515 State Creations: 0     ]

🧐. The script currently runs every 3 hours and removes all IP addresses a day after they were added to the table. I am not too happy about some of the parts right now, first of all: I'd like to separate download and parsing out into a non-privileged process and feed one large chunk of data to pfctl(8).

This will give me the flexibility to replace the table with the new values, so I can act fast not only on additions but also on deletions from the list. No need to keep somebody out longer than necessary.

Not sure how to attack the first part. A shell script would be easier and faster to create. Privsep could be handled by doas(1) for the part needing higher privileges, allowing me to handle everything in a single script.

But as a start I am going to keep the script as is and see how it’s going to work out for me. So without further ado, here’s the script:

#!/bin/sh
# Fetch each feed with OpenBSD ftp(1) (-V quiet, -M no progress meter, -o- to
# stdout), keep only lines that are a bare dotted quad, and stream them into
# the pf_osint table; pfctl(8) reads the address list from stdin with "-f -".
# The printf before each feed labels the "N addresses added." line pfctl prints.

printf "zeustracker.abuse.ch badips "
ftp -VMo- https://zeustracker.abuse.ch/blocklist.php?download=badips | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "feodotracker.abuse.ch ipblocklist "
ftp -VMo- https://feodotracker.abuse.ch/blocklist/?download=ipblocklist | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "ransomwaretracker.abuse.ch "
# This CSV packs several addresses into one "ip|ip|ip" column, so pull the
# column out with -o, split it on '|', then re-validate each line. The class
# must be [0-9], not [1-9]: the latter silently drops every address that
# contains a zero (10.x.x.x, 192.0.x.x, ...).
ftp -VMo- https://ransomwaretracker.abuse.ch/feeds/csv/ | \
        egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}[^/"]*' | \
        tr '|' '\n' | sort -u | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "autoshun.org "
# Comma-separated; the address is the first column. Replace api_key=0 with
# your own key (see the caveat below).
ftp -VMo- 'https://www.autoshun.org/download/?api_key=0&format=csv' | \
        cut -f1 -d',' | \
        egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" | \
        pfctl -t pf_osint -T add -f -

printf "isc.sans.edu sources/attacks/ "
# XML; the top 250 attacking sources for today, addresses inside <ip>...</ip>.
ftp -VMo- https://isc.sans.edu/api/sources/attacks/250/$(date '+%Y-%m-%d')/ | \
        xmllint --format - | \
        grep '<ip>' | \
        egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | \
        pfctl -t pf_osint -T add -f -

printf "expire entries that are older than 24hrs "
# -T expire deletes addresses added (or last zeroed) more than 86400 seconds
# ago. Re-adding an address that is already in the table does not reset that
# clock, so an address still listed by a feed ages out after a day and only
# comes back on the next run.
pfctl -t pf_osint -T expire 86400

Caveat: you need an API key for autoshun.org, so simply copy-and-pasting the above will not work. To get a key they want an e-mail address, name and surname.
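The design sketched above (download and parsing in an unprivileged process, one chunk of data handed to pfctl(8), -T replace so deletions from a feed take effect too, doas(1) for the single privileged step) as an added example; this is not the post's script. It is a POSIX sh script. The feed URLs and the pf rule are the ones from the post; the _osint user, the /var/db/pf_osint/ directory, the doas.conf rule, the AUTOSHUN_KEY variable and the 1000-address minimum are assumptions. It adds two checks the quick version lacks: octets are range-checked and loopback, RFC 1918, link-local and multicast addresses are dropped, so a feed glitch cannot block your own network, and the table is left untouched when the merged list comes out suspiciously short, since one failed download would otherwise replace it with a near-empty list.

```shell
#!/bin/sh
# pf_osint.sh: added example (not the post's script) of the privsep design
# sketched above. Everything up to the final pfctl(8) call runs as an
# unprivileged user; doas(1) grants that user exactly one command, and
# "-T replace" makes the table equal to the file, so addresses that drop out
# of a feed are unblocked on the next run instead of lingering for 24 hours.
#
# Assumptions (not from the post): a user "_osint" owning /var/db/pf_osint/,
# a pf.conf with "table <pf_osint> persist" plus the post's rule
# "block drop log quick from <pf_osint> to any", and this doas.conf line:
#   permit nopass _osint as root cmd /sbin/pfctl args -t pf_osint -T replace -f /var/db/pf_osint/pf_osint.txt
# AUTOSHUN_KEY holds the autoshun.org API key. Run from _osint's crontab:
#   0 */3 * * * /usr/local/bin/pf_osint.sh run

TABLE=${TABLE:-pf_osint}
OUT=${OUT:-/var/db/pf_osint/pf_osint.txt}
MIN_ENTRIES=${MIN_ENTRIES:-1000}   # assumed floor; refuse to load a list shorter than this

# fetch URL: same OpenBSD ftp(1) flags as the post (quiet, no progress meter, to stdout).
fetch() { ftp -VMo- "$1"; }

# extract_ipv4: keep only dotted quads whose octets are all 0..255, one per line,
# re-printed without leading zeros. The regex alone would accept 999.1.1.1 and
# pass zero-padded octets through unchanged; awk fixes both. grep -o also
# discards CRLF line endings and surrounding quotes.
extract_ipv4() {
    grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' |
        awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
                     printf "%d.%d.%d.%d\n", $1, $2, $3, $4 }'
}

# drop_bogons: never block 0/8, loopback, RFC 1918, link-local or multicast and
# reserved space; a bad feed entry there would cut off your own network.
drop_bogons() {
    awk -F. '
        $1 == 0 || $1 == 10 || $1 == 127 || $1 >= 224   { next }
        $1 == 172 && $2 >= 16 && $2 <= 31               { next }
        $1 == 192 && $2 == 168                          { next }
        $1 == 169 && $2 == 254                          { next }
        { print }'
}

# Per-feed parsers, one address per output line. Header and comment lines never
# match the quad regex, so only the shape of each feed matters here.
parse_plain()     { grep -v '^#' | extract_ipv4; }                  # abuse.ch: one IP per line
parse_csv_col()   { cut -d, -f"$1" | extract_ipv4; }                # autoshun.org: IP in column $1
parse_delimited() { tr ',|' '\n\n' | extract_ipv4; }                # ransomwaretracker: "ip|ip|ip" cells
parse_xml_ip()    { grep -E -o '<ip>[^<]*</ip>' | extract_ipv4; }   # ISC: <ip>...</ip>

# check_min FILE MIN: fail if FILE holds fewer than MIN addresses. A feed outage
# or format change would otherwise replace the table with a near-empty list.
check_min() {
    n=$(wc -l < "$1" | tr -d ' ')
    [ "$n" -ge "$2" ] && return 0
    echo "$1: only $n addresses (minimum $2), leaving <$TABLE> untouched" >&2
    return 1
}

# build_table: fetch and parse every feed unprivileged, merge, and write $OUT
# atomically (mktemp + mv) so pfctl never reads a half-written file.
build_table() {
    tmp=$(mktemp "$OUT.XXXXXX") || return 1
    {
        fetch 'https://zeustracker.abuse.ch/blocklist.php?download=badips'          | parse_plain
        fetch 'https://feodotracker.abuse.ch/blocklist/?download=ipblocklist'       | parse_plain
        fetch 'https://ransomwaretracker.abuse.ch/feeds/csv/'                       | parse_delimited
        fetch "https://www.autoshun.org/download/?api_key=$AUTOSHUN_KEY&format=csv" | parse_csv_col 1
        fetch "https://isc.sans.edu/api/sources/attacks/250/$(date '+%Y-%m-%d')/"   | parse_xml_ip
    } | drop_bogons | sort -u > "$tmp"
    if check_min "$tmp" "$MIN_ENTRIES"; then
        mv "$tmp" "$OUT"
    else
        rm -f "$tmp"; return 1
    fi
}

# load_table: the only privileged step, and the only command doas has to allow.
load_table() { doas /sbin/pfctl -t "$TABLE" -T replace -f "$OUT"; }

case "${1:-}" in run) build_table && load_table ;; esac
```

Without the run argument the script only defines its functions, which makes it easy to run a single parser over a saved copy of a feed before trusting it. pfctl reports how many addresses were added and deleted on each replace, which doubles as a per-run change log, and because the whole list is replaced every run the separate -T expire step is no longer needed.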

--EOF