[nftables] how to use blocklist.txt file as a source for blacklisted IP addresses?
by ////// from LinuxQuestions.org on (#6HS9E)
Hello all.
I have been writing a Perl script that parses Suricata logs and provides me with the IP addresses that are behind [Priority: 1-2] rated alerts.
I would like to use a blacklist.txt file that nftables reads, and use that file as the source of IP addresses that should be blocked.
I am using Arch Linux atm.
I know some of these alerts are benign.
Code:
06:10 PM: root@a-box:Downloads 637: $ perl /usr/local/bin/addnft.pl
172.64.203.2 -- ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
172.64.202.2 -- ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.50.1 -- ET DNS Query for .to TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
8.8.8.8 -- ET DNS Query for .to TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
136.243.170.167 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
138.201.178.194 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
88.99.71.227 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
23.88.75.112 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
5.9.141.126 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
162.55.240.246 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
188.40.17.79 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
23.88.75.117 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
162.55.240.243 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
149.40.50.43 -- ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
191.101.31.34 -- ET 3CORESec Poor Reputation IP group 14 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
154.47.20.166 -- ETN AGGRESSIVE IPs Group 28 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
154.6.151.101 -- ETN AGGRESSIVE IPs Group 19 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
165.231.182.11 -- ET COMPROMISED Known Compromised or Hostile Host Traffic group 7 [**] [Classification: Misc Attack] [Priority: 2] {ICMP}
149.40.50.37 -- ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP}
198.252.206.25 -- ET POLICY Lets Encrypt Free SSL Cert Observed [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP}
06:10 PM: root@a-box:Downloads 638: $
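One way to feed such a file into nftables is a small shell wrapper that validates each line, refuses to block local ranges, honours an allowlist for the alerts known to be benign, and emits an nft transaction that refreshes a set. This is an added example, not code from the post or from the nftables project; it assumes a table `inet filter` with a set `blocklist` of type `ipv4_addr` that a rule such as `ip saddr @blocklist drop` already references, and the file names are placeholders.

```shell
#!/bin/sh
# Refresh nftables set "blocklist" (table "inet filter", type ipv4_addr) from a
# text file with one IPv4 per line and '#' comments. Table, set and file names
# are assumptions; a rule such as "ip saddr @blocklist drop" consumes the set.

# 0 if $1 is a well-formed dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

# 0 for loopback, RFC 1918 and link-local: blocking your own gateway or
# resolver is the classic outage when IDS alerts feed a firewall unreviewed.
is_local_range() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Print usable addresses from blocklist $1 minus those in optional allowlist $2
# (alerts you know are benign): validated, local ranges dropped, deduplicated.
clean_blocklist() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then echo "skip invalid: $ip" >&2; continue; fi
        if is_local_range "$ip"; then echo "skip local: $ip" >&2; continue; fi
        echo "$ip"
    done | grep -vxF -f "${2:-/dev/null}" | sort -u
}

# Emit the nft script: flush first, then refill, so stale entries disappear.
# Apply with:  render_nft /etc/nftables/blocklist.txt allow.txt | nft -f -
render_nft() {
    elems=$(clean_blocklist "$1" "${2:-/dev/null}" | paste -sd, -)
    printf 'flush set inet filter blocklist\n'
    [ -z "$elems" ] || printf 'add element inet filter blocklist { %s }\n' "$elems"
}

# Constructed demo input (addresses from the post's output plus one bogus
# line); in real use the Perl script writes this file.
SAMPLE=$(mktemp); ALLOW=$(mktemp)
cat >"$SAMPLE" <<'EOF'
191.101.31.34   # ET 3CORESec Poor Reputation IP
8.8.8.8         # DNS-query alert, benign: allowlisted below instead
192.168.50.1    # own gateway, dropped by is_local_range
999.1.1.1
EOF
echo 8.8.8.8 >"$ALLOW"
render_nft "$SAMPLE" "$ALLOW"
```

Running the wrapper from a timer after the Perl script rewrites the file keeps the set current without reloading the whole ruleset, and the skip messages on stderr show exactly which alert sources were rejected.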