SYS 320 Week4 Lab - JadenGil/Jaden-Tech-Journal GitHub Wiki
Parse-Threat.bash
#!/bin/bash
# Jason Quiroga
# Storyline: Extract IPs from emergingthreats.net and create a firewall ruleset
# Regex to extract the networks
# e.g. it must match a network such as 5.134.128.0/19
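function create_badIPs() {
  # Download the Emerging Threats DROP list and turn it into ./badips.txt,
  # one "a.b.c.0/len" network per line, sorted and de-duplicated.
  # Globals:   writes badips.txt in the current directory
  # Arguments: none
  # Outputs:   the extracted networks on stdout (tee); diagnostics on stderr
  # Returns:   0 on success, 1 if mktemp or the download fails
  local url='https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules'
  local rules
  # A private temp file rather than a fixed /tmp name: a fixed path can be
  # pre-created or symlinked by any local user, and wget -O writes through it.
  rules=$(mktemp) || return 1
  # A failed download must not produce an empty list: wget -O truncates the
  # output first, so an empty/partial file would become an empty badips.txt
  # and every later step would emit a ruleset that blocks nothing.
  if ! wget -O "$rules" "$url"; then
    echo "Download of emerging-drop.suricata.rules failed; badips.txt was not updated" >&2
    rm -f -- "$rules"
    return 1
  fi
  # Keep only tokens shaped like a network with a prefix length. The pattern
  # (kept from the lab) only accepts a last octet of 0, so a feed entry such
  # as 1.2.3.128/25 would be dropped — widen it if the feed carries those.
  grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0/[0-9]{1,2}' -- "$rules" \
    | sort -u | tee badips.txt
  rm -f -- "$rules"
}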
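# Check whether badips.txt (the file create_badIPs writes) already exists and
# offer to refresh it; download it when it is missing. (DELIVERABLE 1)
# The test must use the same name create_badIPs writes ("badips.txt"): on a
# case-sensitive filesystem a check for "badIPs.txt" never matches, so the
# prompt below was dead code and the list was re-downloaded on every run.
if [ -f badips.txt ]
then
  read -r -p "The badips.txt file already exists. Would you like to redownload it? [y][n]: " answer
  case "$answer" in
    y|Y)
      echo "Creating badips.txt..."
      # Stop here if the refresh fails rather than generating rules from a
      # stale or empty list.
      create_badIPs || exit 1
      ;;
    n|N)
      echo "Not redownloading badips.txt..."
      ;;
    *)
      echo "Invalid value."
      exit 1
      ;;
  esac
else
  echo "The badips.txt file does not exist yet. Downloading file..."
  create_badIPs || exit 1
fi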
# Creating switches. Based on their selection, create an inbound drop rule for the respective firewall. (DELIVERABLE 2)
# Switches for IPTables (I), Cisco (C), Netscreen (N), Windows Firewall (F), and Mac OS X (M). Also Parse TargetedThreats file (P)
while getopts 'icnfmp' OPTION ; do
`case "$OPTION" in`
`i) iptables=${OPTION}`
`;;`
`c) cisco=${OPTION}`
`;;`
`f) wfirewall=${OPTION}`
`;;`
`m) macOS=${OPTION}`
`;;`
`p) parseCisco=${OPTION}`
`;;`
`*) `
`echo "Invalid Value"`
`exit 1`
`;;`
`esac`
done
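#######################################
# Format one iptables drop rule for a source network.
# Arguments: $1 - source address or CIDR network
# Outputs:   the rule on stdout
#######################################
iptables_rule() {
  # Option letters, chain names and targets are case-sensitive: the lab's
  # "iptables -a input ... -j drop" is rejected by iptables (-a is not an
  # option and neither "input" nor "drop" exists).
  printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
}
# If -i was given, write one iptables drop rule per network to badips.iptables.
if [ -n "${iptables}" ]
then
  if [ -f badips.txt ]; then
    # Start from an empty file: appending on every run duplicated the rules.
    : > badips.iptables
    while IFS= read -r eachip || [ -n "$eachip" ]; do
      [ -n "$eachip" ] || continue
      iptables_rule "$eachip" | tee -a badips.iptables
    done < badips.txt
    clear
    echo "Created IPTables firewall drop rules in file \"badips.iptables\""
  else
    echo "badips.txt not found; nothing generated for iptables" >&2
  fi
fi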
# Cisco
if [ ${cisco} ](/JadenGil/Jaden-Tech-Journal/wiki/-${cisco}-)
then
egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0' badips.txt | tee badips.nocidr
for eachip in $(cat badips.nocidr)
do
echo "deny ip host ${eachip} any" | tee -a badips.cisco
done
rm badips.nocidr
clear
echo 'Created IP Tables for firewall drop rules in file "badips.cisco"'
fi
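#######################################
# Format one Windows Firewall inbound block rule for a network.
# Arguments: $1 - address or CIDR network
# Outputs:   the netsh command on stdout
#######################################
netsh_rule() {
  # netsh advfirewall accepts a subnet ("a.b.c.0/19") for remoteip, so the
  # prefix is kept. The lab stripped it and blocked only a.b.c.0 — a single
  # host out of each listed network.
  printf 'netsh advfirewall firewall add rule name="BLOCK IP ADDRESS - %s" dir=in action=block remoteip=%s\n' "$1" "$1"
}
# Windows Firewall: one netsh block rule per network into badips.netsh.
if [ -n "${wfirewall}" ]
then
  if [ -f badips.txt ]; then
    : > badips.netsh   # fresh file; appending on re-runs duplicated rules
    while IFS= read -r eachip || [ -n "$eachip" ]; do
      [ -n "$eachip" ] || continue
      netsh_rule "$eachip" | tee -a badips.netsh
    done < badips.txt
    clear
    echo "Created Windows Firewall block rules in file \"badips.netsh\""
  else
    echo "badips.txt not found; nothing generated for Windows Firewall" >&2
  fi
fi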
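#######################################
# Format one pf rule that drops inbound traffic from a network.
# Arguments: $1 - address or CIDR network
# Outputs:   the rule on stdout
#######################################
pf_rule() {
  printf 'block in from %s to any\n' "$1"
}
# MacOS: write a pf.conf that keeps the stock Apple anchors and appends one
# block rule per network.
# NOTE: pf is last-match-wins and these rules are not "quick", so any later
# "pass" rule matching one of these sources would override them; nothing
# later is added here, but keep that in mind when merging into a real pf.conf.
if [ -n "${macOS}" ]
then
  if [ -f badips.txt ]; then
    # Stock anchor lines first (same set the lab used); tee without -a
    # replaces any pf.conf left from a previous run.
    tee pf.conf <<'EOF'

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

EOF
    while IFS= read -r eachip || [ -n "$eachip" ]; do
      [ -n "$eachip" ] || continue
      pf_rule "$eachip" | tee -a pf.conf
    done < badips.txt
    clear
    echo "Created pf drop rules in file \"pf.conf\""
  else
    echo "badips.txt not found; nothing generated for macOS" >&2
  fi
fi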
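#######################################
# Pull hostname-looking "domain" indicators out of the TargetedThreats CSV.
# Arguments: $1 - path to targetedthreats.csv
# Outputs:   unique hostnames, one per line, sorted
#######################################
extract_threat_domains() {
  # Rows tagged "domain" (as in the lab), then every quoted field that is
  # purely a hostname. The lab's second stage, awk -F '"' '{print }', printed
  # the whole record, so entire CSV rows ended up as "host" values in the
  # config. The whitelist also keeps anything that is not a plain hostname
  # (quotes, spaces, URLs) out of the generated Cisco configuration.
  # NOTE(review): assumes the indicator is a quoted field on its row — confirm
  # against the CSV layout.
  awk '/domain/ {print}' "$1" \
    | grep -Eo '"[A-Za-z0-9.-]+\.[A-Za-z]{2,}"' \
    | tr -d '"' \
    | LC_ALL=C sort -u
}
#######################################
# Format one NBAR class-map match line for a hostname.
# Arguments: $1 - hostname
#######################################
cisco_url_match() {
  printf 'match protocol http host "%s"\n' "$1"
}
# Parse the TargetedThreats list into a Cisco URL class-map (ciscothreats.txt).
if [ -n "${parseCisco}" ]
then
  # Private temp file instead of a fixed /tmp name (see create_badIPs).
  csv=$(mktemp) || exit 1
  if ! wget -O "$csv" https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv; then
    echo "Download of targetedthreats.csv failed; ciscothreats.txt not written" >&2
    rm -f -- "$csv"
    exit 1
  fi
  echo 'class-map match-any BAD_URLS' | tee ciscothreats.txt
  while IFS= read -r host; do
    cisco_url_match "$host" | tee -a ciscothreats.txt
  done < <(extract_threat_domains "$csv")
  rm -f -- "$csv"
  echo 'Cisco URL filters file successfully parsed and created at "ciscothreats.txt"'
fi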
I used the provided example code as the basis for my Parse-Threat.bash script, so this code is not my own work.
Updated Menu.bash
#!/bin/bash
# Storyline: Menu for AD, VPN, and Sec functions
function invalid_opt() {
  # Tell the user their menu choice was not recognised, then pause briefly so
  # the message is readable before the menu redraws.
  printf '\n%s\n\n' "Invalid Option"
  sleep 2
}
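function menu() {
  # Top-level menu; redraws until a submenu takes over or the user exits.
  # Looping instead of calling menu() again after a bad choice keeps the call
  # stack flat no matter how many invalid entries are typed.
  # NOTE(review): security_menu is referenced here but is not defined in this
  # file; choosing [2] fails with "command not found" unless it is provided
  # from elsewhere.
  local choice
  while :; do
    clear
    echo "[1] Admin Menu"
    echo "[2] Security Menu"
    echo "[3] Block List Menu"
    echo "[E]xit"
    read -r -p "Please enter a choice above: " choice
    case "$choice" in
      1) admin_menu ;;
      2) security_menu ;;
      3) blocklist_menu ;;
      E|e) exit 0 ;;
      *) invalid_opt ;;
    esac
  done
}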
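function admin_menu() {
  # Admin submenu; redraws until the user exits. Iterative rather than
  # recursive so repeated use does not nest calls without bound.
  local choice
  while :; do
    clear
    echo "[L]ist Running Processes"
    echo "[N]etwork Sockets"
    echo "[V]PN Menu"
    echo "[4] Exit"
    read -r -p "Please enter a choice above: " choice
    case "$choice" in
      L|l) ps -ef | less ;;
      N|n) netstat -an --inet | less ;;
      # vpn_menu is interactive: piping it into less (as the lab did) sends
      # its screen to the pager and leaves less and the submenu's read
      # contending for the terminal, so it is run directly.
      V|v) vpn_menu ;;
      4) exit 0 ;;
      *) invalid_opt ;;
    esac
  done
}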
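function vpn_menu() {
  # WireGuard peer submenu. Loops instead of calling itself after each choice
  # so the call stack does not grow with every keystroke.
  local choice
  while :; do
    clear
    echo "[A]dd a peer"
    echo "[D]elete a peer"
    echo "[B]ack to admin menu"
    echo "[M]ain Menu"
    echo "[E]xit"
    read -r -p "Please enter a choice above: " choice
    case "$choice" in
      A|a)
        # peer.bash and wg0.conf are looked up relative to the current
        # directory (as in the lab). Security caveat: running the menu from a
        # directory other users can write to would execute whatever peer.bash
        # they planted there; run it from a directory only you can write.
        bash peer.bash
        # Presumably shows the [Peer] block peer.bash just appended — verify
        # against peer.bash.
        tail -6 wg0.conf | less
        ;;
      D|d)
        # TODO: prompt for the peer and call manage-user.bash with the proper
        # switches and arguments to delete it. Not implemented yet; the option
        # currently does nothing.
        ;;
      B|b) admin_menu ;;
      M|m) menu ;;
      E|e) exit 0 ;;
      *) invalid_opt ;;
    esac
  done
}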
# Block-list menu: generate inbound drop rules from badips.txt for the chosen
# firewall (Cisco ACL, Windows Firewall, macOS pf), or parse the
# TargetedThreats file into Cisco URL filters.
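#######################################
# Convert a prefix length (0-32) to a Cisco wildcard (inverse) mask.
# Arguments: $1 - prefix length
# Outputs:   dotted wildcard mask, e.g. 19 -> 0.0.31.255
# Returns:   1 if $1 is not an integer in 0..32
#######################################
bl_cidr_wildcard() {
  local plen=$1 bits
  case "$plen" in
    ''|*[!0-9]*) return 1 ;;
  esac
  plen=$((10#$plen))   # force decimal so "08" is not read as octal
  [ "$plen" -le 32 ] || return 1
  # Complement of the netmask: the low (32-plen) bits set.
  bits=$(( 0xFFFFFFFF >> plen ))
  printf '%d.%d.%d.%d\n' $(( bits >> 24 & 255 )) $(( bits >> 16 & 255 )) \
    $(( bits >> 8 & 255 )) $(( bits & 255 ))
}
#######################################
# Format one Cisco ACL deny entry for a network.
# Arguments: $1 - CIDR network ("5.134.128.0/19"); a bare address is a host
# Outputs:   "deny ip <net> <wildcard> any", or "deny ip host <addr> any"
# Returns:   1 on an unusable prefix length
#######################################
bl_cisco_rule() {
  local net=${1%%/*} plen=${1#*/} wildcard
  [ "$plen" = "$1" ] && plen=32   # no "/" present
  if [ "$plen" = 32 ]; then
    printf 'deny ip host %s any\n' "$net"
    return 0
  fi
  wildcard=$(bl_cidr_wildcard "$plen") || return 1
  printf 'deny ip %s %s any\n' "$net" "$wildcard"
}
#######################################
# Format one Windows Firewall inbound block rule. netsh accepts a subnet for
# remoteip, so the prefix length is kept.
# Arguments: $1 - address or CIDR network
#######################################
bl_netsh_rule() {
  printf 'netsh advfirewall firewall add rule name="BLOCK IP ADDRESS - %s" dir=in action=block remoteip=%s\n' "$1" "$1"
}
#######################################
# Format one pf rule dropping inbound traffic from a network.
# Arguments: $1 - address or CIDR network
#######################################
bl_pf_rule() {
  printf 'block in from %s to any\n' "$1"
}
#######################################
# Pull hostname-looking "domain" indicators out of the TargetedThreats CSV.
# Arguments: $1 - path to targetedthreats.csv
# Outputs:   unique hostnames, one per line, sorted
#######################################
bl_extract_threat_domains() {
  # Rows tagged "domain", then every quoted field that is purely a hostname.
  # The lab's awk -F '"' '{print }' printed whole records, so entire CSV rows
  # were written into the config; the whitelist also keeps anything that is
  # not a plain hostname out of the generated configuration.
  # NOTE(review): assumes the indicator is a quoted field — confirm the CSV layout.
  awk '/domain/ {print}' "$1" \
    | grep -Eo '"[A-Za-z0-9.-]+\.[A-Za-z]{2,}"' \
    | tr -d '"' \
    | LC_ALL=C sort -u
}
#######################################
# Block-list submenu: generate firewall rules from ./badips.txt or parse the
# TargetedThreats CSV. Loops until the user exits.
# Globals:   reads badips.txt; writes badips.cisco, badips.netsh, pf.conf,
#            ciscothreats.txt in the current directory
#######################################
function blocklist_menu() {
  local choice eachip rule csv host
  while :; do
    clear
    echo "[C]isco"
    echo "[W]indows Firewall"
    echo "[M]acOS"
    echo "[P]arse Cisco"
    echo "[E]xit"
    read -r -p "Please enter a choice above: " choice
    case "$choice" in
      # Cisco: the feed lists networks, so the ACL needs the wildcard mask.
      # The lab stripped the prefix and emitted "deny ip host a.b.c.0 any",
      # which blocks only the network address and lets the rest through.
      C|c)
        if [ -f badips.txt ]; then
          : > badips.cisco   # fresh file; appending on re-runs duplicated entries
          while IFS= read -r eachip || [ -n "$eachip" ]; do
            [ -n "$eachip" ] || continue
            if rule=$(bl_cisco_rule "$eachip"); then
              printf '%s\n' "$rule" | tee -a badips.cisco
            else
              echo "skipping unparseable entry: $eachip" >&2
            fi
          done < badips.txt
          clear
          echo 'Created Cisco ACL drop rules in file "badips.cisco"'
        else
          echo "badips.txt not found; generate it with Parse-Threat.bash first" >&2
          sleep 2
        fi
        ;;
      # Windows Firewall: one netsh rule per network, prefix length kept.
      W|w)
        if [ -f badips.txt ]; then
          : > badips.netsh
          while IFS= read -r eachip || [ -n "$eachip" ]; do
            [ -n "$eachip" ] || continue
            bl_netsh_rule "$eachip" | tee -a badips.netsh
          done < badips.txt
          clear
          echo "Created Windows Firewall block rules in file \"badips.netsh\""
        else
          echo "badips.txt not found; generate it with Parse-Threat.bash first" >&2
          sleep 2
        fi
        ;;
      # MacOS: stock Apple anchors plus one pf block rule per network.
      # NOTE: pf is last-match-wins and these rules are not "quick"; a later
      # "pass" rule matching the source would override them.
      M|m)
        if [ -f badips.txt ]; then
          tee pf.conf <<'EOF'

scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

EOF
          while IFS= read -r eachip || [ -n "$eachip" ]; do
            [ -n "$eachip" ] || continue
            bl_pf_rule "$eachip" | tee -a pf.conf
          done < badips.txt
          clear
          echo "Created pf drop rules in file \"pf.conf\""
        else
          echo "badips.txt not found; generate it with Parse-Threat.bash first" >&2
          sleep 2
        fi
        ;;
      # Parse Cisco: TargetedThreats domains into an NBAR class-map.
      P|p)
        # Private temp file instead of a fixed, predictable /tmp name.
        csv=$(mktemp) || exit 1
        if wget -O "$csv" https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv; then
          echo 'class-map match-any BAD_URLS' | tee ciscothreats.txt
          while IFS= read -r host; do
            printf 'match protocol http host "%s"\n' "$host" | tee -a ciscothreats.txt
          done < <(bl_extract_threat_domains "$csv")
          echo 'Cisco URL filters file successfully parsed and created at "ciscothreats.txt"'
        else
          echo "Download of targetedthreats.csv failed; ciscothreats.txt not written" >&2
          sleep 2
        fi
        rm -f -- "$csv"
        ;;
      E|e) exit 0 ;;
      *) invalid_opt ;;
    esac
  done
}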
# Entry point: hand control to the top-level menu.
main() {
  menu
}
main "$@"