Dynamic Block Lists and Spamhaus

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Dynamic Block Lists and Spamhaus

L4 Transporter

Does anyone know if the Spamhaus format drop lists (that use ";" delimiters to denote descriptive text) are accepted as PA Dynamic Block lists?

http://www.spamhaus.org/drop/drop.txt

Rgds

5 REPLIES 5

L3 Networker

I don't think you can use any sort of delimiter.  It looks like you'll need to quote the entries too.  So if the list looks like this:

; Spamhaus DROP List 11/09/12 - (c) 2012 The Spamhaus Project

; Last-Modified: Fri, 9 Nov 2012 14:04:03 GMT

; Expires: Sat, 10 Nov 2012 20:45:42 GMT

5.34.242.0/24 ; SBL154880

14.192.0.0/19 ; SBL123577

14.192.48.0/21 ; SBL131019

14.192.56.0/22 ; SBL131020

31.11.43.0/24 ; SBL113323

It would need to become this:

"5.34.242.0/24"

"14.192.0.0/19"

...et cetera

From the on-line help:

Dynamic Block Lists

Objects > Dynamic Block Lists

Use the Dynamic Block Lists page to create an address object based on an imported list of IP addresses. The source of the list must be a text file and must be located on a web server. You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly. After creating a dynamic block list object, you can then use the address object in the source and destination fields for security policies. Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets.

The list must contain one IP address, range, or subnet per line, for example:

“192.168.80.150/32” indicates one address, and “192.168.80.0/24” indicates all addresses from 192.168.80.0 through 192.168.80.255.

Example:

“2001:db8:123:1::1” or “2001:db8:123:1::/64”

IP Range:

To specify an address range, select IP Range, and enter a range of addresses. The format is:

ip_addressip_address

where each address can be IPv4 or IPv6.

Example:

“2001:db8:123:1::1 - 2001:db8:123:1::22”

Field

Description

Name

Enter a name to identify the Dynamic Block List (up to 32 characters). This name will appear when se...

Description

Enter a description for the block list (up to 255 characters).

Source

Enter an HTTP or HTTPS URL path that contains the text file. For example, http:\\1.1.1.1\myfile.txt....

Repeat

Specify the frequency in which the list should be imported. You can choose hourly, daily, weekly, or...

Test Source URL

Test that the source URL or server path is available.

Cheers.

It's a shame that PA doesn't natively support the the Spamhaus DROP list, as it's only very slightly different from the noted format and is probably one of the most common publicly available (with strong provenance) block lists that is perfectly suited for leveraging in this form of object.

Not applicable

Hi,

There is no need to put quote to an entry.

regarding the spamhaus, you can use a linux web server with a crontab that generate a text file, this command can do the trick:

curl -L http://www.spamhaus.org/drop/drop.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{2}' > /path/to/the/file/spamhaus.txt

you can use a crontab to schedule the file update (once a day is enough with spamhaus):

Edit the crontab file:

crontab -e

insert this command (this will update every day at 6:00am the file /path/to/the/file/spamhaus.txt) :

0 6  *  *  *  curl -L http://www.spamhaus.org/drop/drop.txt | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{2}' > /path/to/the/file/spamhaus.txt

and close the crontab editor

create a dynamic block list object pointing to the correct url to download the generated file.

regards

Thanks cviaud.

It would be really good if the dynamic objects could accept grep commands so this content parsing could be supported natively - there could be a nice little community creating and sharing rules for publically available block lists.  I guess it may also open a door to self-DoS if customers write bad code though!

Rgds

FYI, the Spamhaus DROP list is included with the EmergingThreats list. This list is directly importable without any preprocessing.

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

  • 6741 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!