Lab 13: Parsing Threat Intell (pt. 2) - squatchulator/Tech-Journal GitHub Wiki
parsethreatintel.ps1
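# Storyline: Pull a list of IPs to block from a threat intel website and generate a file with IP blocklists for Linux and Windows.
# Array of websites containing threat intel. Both feeds are fetched over HTTPS, so
# Invoke-WebRequest validates the server certificate before anything is written to disk.
$drop_urls = @('https://rules.emergingthreats.net/blockrules/emerging-botcc.rules','https://rules.emergingthreats.net/blockrules/compromised-ips.txt')
Clear-Host
Write-Host "Your operating system is: $env:OS"
Write-Host "1. Windows"
Write-Host "2. Linux"
$inp = Read-Host "Select an option (1 or 2) to generate a ruleset for that operating system"
# Local copies of the feeds; filled in by the download loop so the extraction step
# reads exactly the files that were fetched (no second, hand-maintained list).
$input_paths = @()
# Loop through the URLs for the rules list
foreach ($u in $drop_urls) {
    # The last path segment of the URL is the filename
    $file_name = ($u -split '/')[-1]
    $input_paths += ".\$file_name"
    # NOTE: an existing copy is reused as-is, so the blocklist is only as fresh as
    # the cached file. Delete the .rules/.txt files to force a re-download.
    if (Test-Path $file_name) {
        continue
    }
    # Download the rules list. -UseBasicParsing avoids the Internet Explorer engine
    # dependency on Windows PowerShell 5.1. A failed download aborts the script
    # instead of silently producing an empty (or partial) blocklist.
    try {
        Invoke-WebRequest -Uri $u -OutFile $file_name -UseBasicParsing -ErrorAction Stop
    } catch {
        Write-Error "Failed to download ${u}: $_"
        exit 1
    }
}
# Extract the IP addresses, e.g.
# 108.190.109.107
# 108.191.2.72
# Each octet is limited to 0-255 so a string such as 300.1.2.3 is not treated as an
# address. Only the matched text (digits and dots) ever reaches the generated
# firewall commands, so feed content cannot smuggle extra command syntax into them.
$octet = '(?:25[0-5]|2[0-4]\d|1?\d?\d)'
$regex_drop = "\b$octet(?:\.$octet){3}\b"
# Collect the unique addresses. -AllMatches is required: by default Select-String
# returns only the FIRST match per line, and the .rules feed lists many IPs on one
# line ("[1.2.3.4,5.6.7.8,...]"), so most of the feed would otherwise be skipped.
$bad_ips = Select-String -Path $input_paths -Pattern $regex_drop -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique
if (@($bad_ips).Count -eq 0) {
    Write-Warning "No IP addresses were extracted from $($input_paths -join ', '); nothing to block."
}
# Append the IP addresses to the temp IP list. -Encoding ascii keeps the file plain
# text (Windows PowerShell's Out-File default is UTF-16LE with a BOM).
$bad_ips | Out-File -FilePath ".\ips-bad.tmp" -Encoding ascii
# Switch statement to handle selection of Windows or Linux ruleset
switch ($inp) {
    "1" {
        # Full netsh syntax: a rule with only name= (no dir=/action=/remoteip=) is
        # rejected by netsh, so the previous output blocked nothing.
        $bad_ips | ForEach-Object {
            "netsh advfirewall firewall add rule name=`"BLOCK IP ADDRESS - $_`" dir=in action=block remoteip=$_"
        } | Out-File -FilePath ".\msfirewall.netsh" -Encoding ascii
    }
    "2" {
        # Space before -j is required; "-s 1.2.3.4-j DROP" is a malformed iptables command.
        $rules = $bad_ips | ForEach-Object { "iptables -A INPUT -s $_ -j DROP" }
        # Join with LF and write without the trailing CRLF Out-File would add, so bash
        # on Linux does not see a stray "\r" at the end of every command.
        (($rules -join "`n") + "`n") | Out-File -FilePath ".\iptables.bash" -Encoding ascii -NoNewline
    }
    default {
        Write-Error "Unrecognised option '$inp'; expected 1 (Windows) or 2 (Linux)."
        exit 1
    }
}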