Lab 4: Parsing Threat Intell - squatchulator/Tech-Journal GitHub Wiki
menu.bash
#!/bin/bash
# Storyline: Menu for admin, VPN, and Security Functions
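#######################################
# Tells the user their menu choice was not recognised and pauses briefly so
# the message is still visible before the calling menu redraws (clears) the
# screen.
# Globals:   INVALID_OPT_DELAY (read) - seconds to pause; defaults to 2
# Arguments: none
# Outputs:   the message, surrounded by blank lines, to stdout
#######################################
function invalid_opt() {
  printf '\nInvalid option\n\n'
  # The pause is tunable so non-interactive runs and tests need not wait.
  sleep "${INVALID_OPT_DELAY:-2}"
}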
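#######################################
# Top-level menu: dispatches to the admin or security menu, or exits.
# Re-prompts after an invalid choice. If stdin reaches EOF the prompt fails
# and the function returns non-zero instead of treating the empty answer as
# an invalid option forever (clear / sleep / redraw loop).
# Arguments: none
# Outputs:   menu text to stdout; the prompt via read -p
# Returns:   does not return on a valid choice (sub-menus loop or exit);
#            1 when no input could be read
#######################################
function menu() {
  local choice
  clear
  printf '%s\n' "[1] Admin Menu" "[2] Security Menu" "[3] Exit"
  # -r keeps backslashes literal; a failed read (EOF) bails out.
  read -r -p "Please enter a choice above: " choice || return 1
  case "$choice" in
    1) admin_menu ;;
    2) security_menu ;;
    3) exit 0 ;;
    *)
      invalid_opt
      menu   # redraw this menu after the pause
      ;;
  esac
}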
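#######################################
# Admin menu: process listing, socket listing, WireGuard peer menu.
# Redraws itself after each action; returns 1 if stdin reaches EOF so a
# closed input stream cannot spin the menu forever.
# Arguments: none
# Outputs:   menu text to stdout; the prompt via read -p
# Returns:   1 when no input could be read; exits 0 on choice 4
#######################################
function admin_menu() {
  local choice
  clear
  # The N (netstat) choice was accepted by the case below but never listed;
  # it is shown so the option is discoverable.
  printf '%s\n' \
    "[L]ist Running Processes" \
    "[N]etwork sockets (netstat)" \
    "[V]PN Menu" \
    "[B]ack" \
    "[4] Exit"
  read -r -p "Please enter a choice above: " choice || return 1
  case "$choice" in
    L|l) ps -ef | less ;;
    N|n) netstat -an --inet | less ;;
    V|v) vpn ;;
    B|b) menu ;;
    4) exit 0 ;;
    *) invalid_opt ;;
  esac
  admin_menu   # redraw after the selected action finishes
}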
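#######################################
# Lists every account in the local password file whose numeric UID is 0.
# 'id -nu 0' only resolves the first name mapped to UID 0 (normally root),
# so an additional UID-0 account would never be shown; scanning the file
# reports all of them. Accounts from other NSS sources are not covered.
# Arguments: $1 - password file to scan (default /etc/passwd)
# Outputs:   one account name per line, in file order
#######################################
function _list_uid0_users() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: '$3 == 0 { print $1 }' "$passwd_file"
}

#######################################
# Security menu: sockets, UID-0 accounts, login history, current sessions
# and the blocklist generator menu. Redraws itself after each action;
# returns 1 if stdin reaches EOF so a closed input cannot loop forever.
# Arguments: none
# Outputs:   menu text to stdout; the prompt via read -p
# Returns:   1 when no input could be read
#######################################
function security_menu () {
  local choice
  clear
  printf '%s\n' \
    "[L]ist all open network sockets" \
    "[C]heck for users with UID of 0" \
    "[D]isplay last 10 logged in users" \
    "[S]how currently logged in users" \
    "[B]lock list menu" \
    "[G]o back"
  read -r -p "Please enter a choice above: " choice || return 1
  case "$choice" in
    L|l) netstat -an --inet | less ;;
    C|c) _list_uid0_users | less ;;
    D|d) last -n 10 | less ;;
    # 'w less' passed "less" to w as a user filter; the output was never paged.
    S|s) w | less ;;
    B|b) block_menu ;;
    G|g) menu ;;
    *) invalid_opt ;;
  esac
  security_menu   # redraw after the selected action finishes
}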
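#######################################
# WireGuard peer menu. Adding a peer runs peer.bash and then pages the last
# six lines of wg0.conf (both resolved relative to the current directory).
# Deleting a peer is not implemented yet and says so instead of silently
# redrawing. Returns 1 if stdin reaches EOF so a closed input cannot loop.
# Arguments: none
# Outputs:   menu text to stdout; the prompt via read -p
# Returns:   1 when no input could be read; exits 0 on E
#######################################
function vpn() {
  local choice
  clear
  printf '%s\n' \
    "[A]dd a peer" \
    "[D]elete a peer" \
    "[B]ack to admin menu" \
    "[M]ain menu" \
    "[E]xit"
  read -r -p "Please select an option: " choice || return 1
  case "$choice" in
    A|a)
      bash peer.bash
      # Presumably shows the peer block peer.bash just appended - confirm.
      tail -6 wg0.conf | less
      ;;
    D|d)
      # TODO: prompt for the peer to remove and call the management script
      # with the delete switches.
      printf '%s\n' "Peer deletion is not implemented yet." >&2
      sleep 2
      ;;
    B|b) admin_menu ;;
    M|m) menu ;;
    E|e) exit 0 ;;
    *) invalid_opt ;;
  esac
  vpn   # redraw after the selected action finishes
}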
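#######################################
# Blocklist menu: each choice runs parse-threat.bash with the matching
# switch. parse-threat.bash is resolved relative to the current directory,
# as are the files it writes. Redraws itself after each action; returns 1
# if stdin reaches EOF so a closed input cannot loop forever.
# Arguments: none
# Outputs:   menu text to stdout; the prompt via read -p
# Returns:   1 when no input could be read
#######################################
function block_menu() {
  local choice
  clear
  printf '%s\n' \
    "Generate a blocklist for:" \
    "[I]P tables" \
    "[C]isco" \
    "[W]indows" \
    "[M]acOS" \
    "[P]arse Cisco URL" \
    "[B]ack"
  read -r -p "Please select an option: " choice || return 1
  case "$choice" in
    I|i) bash parse-threat.bash -i ;;
    C|c) bash parse-threat.bash -c ;;
    # Unlisted on purpose: -n only records a flag in parse-threat.bash and
    # no NetScreen generator exists there yet, so it produces no blocklist.
    N|n) bash parse-threat.bash -n ;;
    W|w) bash parse-threat.bash -w ;;
    M|m) bash parse-threat.bash -m ;;
    P|p) bash parse-threat.bash -p ;;
    B|b) menu ;;
    *) invalid_opt ;;
  esac
  block_menu   # redraw after the selected action finishes
}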
# Entry point: draw the main menu. The menus call one another (and
# themselves) until the user picks an Exit choice, which runs 'exit 0'.
menu
parse-threat.bash
#!/bin/bash
# Storyline: Extract IPs from emergingthreats.net and create a firewall ruleset
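#######################################
# Pulls network prefixes out of a downloaded Emerging Threats "drop"
# ruleset. Only tokens of the form X.X.X.0/N are kept, as in the original
# pattern; anything else in the rules text is ignored.
# Arguments: $1 - path of the downloaded rules file
# Outputs:   unique prefixes, one per line, sorted, to stdout
#######################################
function _extract_drop_networks() {
  grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.0/[0-9]{1,2}' -- "$1" | sort -u
}

#######################################
# Downloads the Emerging Threats DROP ruleset and writes the unique network
# prefixes it contains to badIPs.txt (also echoed to stdout via tee).
# The feed is fetched over HTTPS so its integrity in transit is protected,
# and into a mktemp file rather than a fixed, predictable /tmp name.
# A failed download returns non-zero and leaves the output untouched,
# instead of silently producing an empty blocklist.
# Arguments: $1 - ruleset URL (default: the Emerging Threats DROP rules)
#            $2 - output file (default badIPs.txt)
# Returns:   0 on success; 1 if the temp file or the download fails
#######################################
function makeRules() {
  local url=${1:-https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules}
  local out=${2:-badIPs.txt}
  local rules
  rules=$(mktemp) || return 1
  if ! wget "$url" -O "$rules"; then
    printf 'Download of %s failed; %s not updated.\n' "$url" "$out" >&2
    rm -f -- "$rules"
    return 1
  fi
  _extract_drop_networks "$rules" | tee "$out"
  rm -f -- "$rules"
}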
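# Decide whether to (re)download the threat feed. If badIPs.txt already
# exists the user is asked; otherwise it is created. This runs before the
# options are parsed, so every invocation - including '-e' - goes through it.
# A failed download aborts so no ruleset is generated from an empty list.
if [ -f badIPs.txt ]; then
  read -r -p "Threat file already exists; would you like to redownload it?: " answer
  case "$answer" in
    y|Y)
      echo "Downloading..."
      makeRules || exit 1
      ;;
    n|N)
      echo "Continuing..."
      ;;
    *)
      echo "Invalid entry."
      exit 1
      ;;
  esac
else
  echo "Threat file does not yet exist. Creating file..."
  makeRules || exit 1
fi
clear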
# Command-line switches selecting which blocklist format(s) to produce.
# Example: 'bash parse-threat.bash -i' generates the iptables block list.
# Each switch just records its option letter; the generator sections below
# test the corresponding variable. -n (NetScreen) is accepted and recorded
# but nothing in this script consumes it yet. -e exits at once (the download
# check above has already run by this point).
while getopts 'icnwmpe' OPTION; do
  case "$OPTION" in
    i) iptables=$OPTION ;;
    c) cisco=$OPTION ;;
    n) netscreen=$OPTION ;;
    w) wfirewall=$OPTION ;;
    m) macOS=$OPTION ;;
    p) parseCisco=$OPTION ;;
    e) exit 0 ;;
    *)
      echo "Invalid entry."
      exit 1
      ;;
  esac
done
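#######################################
# Writes one iptables DROP rule per network in the blocklist.
# iptables options and chain names are case-sensitive: the previous
# '-a input' is not a valid option/chain, so the generated file could not
# be applied. '-A INPUT' appends to the INPUT chain.
# Arguments: $1 - blocklist file, one prefix per line (default badIPs.txt)
#            $2 - output file, appended to (default badIPs.iptables)
# Outputs:   each rule is also echoed to stdout by tee
#######################################
function _write_iptables_rules() {
  local src=${1:-badIPs.txt}
  local dst=${2:-badIPs.iptables}
  local eachip
  # Line-by-line read: no word-splitting or globbing of the prefixes.
  while IFS= read -r eachip || [[ -n "$eachip" ]]; do
    [[ -n "$eachip" ]] || continue
    echo "iptables -A INPUT -s ${eachip} -j DROP" | tee -a "$dst"
  done < "$src"
}

# -i: append an iptables rule for every prefix to badIPs.iptables.
# Re-running appends again; remove the file first for a fresh ruleset.
if [ "${iptables}" ]; then
  _write_iptables_rules badIPs.txt badIPs.iptables
  clear
  echo 'IP tables for firewall drop rules now in file badIPs.iptables'
fi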
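#######################################
# Converts a prefix length (0-32) to the dotted-quad wildcard mask used by
# Cisco ACLs (the inverse of the subnet mask), e.g. 24 -> 0.0.0.255.
# Arguments: $1 - prefix length
# Outputs:   the wildcard mask to stdout
#######################################
function _cisco_wildcard() {
  local bits=$(( (1 << (32 - $1)) - 1 ))
  printf '%d.%d.%d.%d\n' $(( (bits >> 24) & 255 )) $(( (bits >> 16) & 255 )) \
    $(( (bits >> 8) & 255 )) $(( bits & 255 ))
}

#######################################
# Writes one Cisco ACL deny entry per blocklist network. The feed lists
# networks (X.X.X.0/N); the previous output dropped the /N and emitted
# 'deny ip host X.X.X.0 any', which matches only the network address
# itself, so the rest of each listed network stayed unblocked. Entries
# without a prefix length still get the 'host' form; malformed ones are
# skipped with a warning.
# Arguments: $1 - blocklist file (default badIPs.txt)
#            $2 - output file, appended to (default badIPs.cisco)
# Outputs:   each entry is also echoed to stdout by tee
#######################################
function _write_cisco_rules() {
  local src=${1:-badIPs.txt}
  local dst=${2:-badIPs.cisco}
  local entry net plen
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ -n "$entry" ]] || continue
    net=${entry%%/*}
    if [[ "$entry" == */* ]]; then
      plen=${entry##*/}
      if ! [[ "$plen" =~ ^[0-9]+$ ]] || (( plen > 32 )); then
        printf 'Skipping malformed entry: %s\n' "$entry" >&2
        continue
      fi
      echo "deny ip ${net} $(_cisco_wildcard "$plen") any" | tee -a "$dst"
    else
      echo "deny ip host ${net} any" | tee -a "$dst"
    fi
  done < "$src"
}

# -c: append Cisco ACL deny entries to badIPs.cisco.
if [ "${cisco}" ]; then
  _write_cisco_rules badIPs.txt badIPs.cisco
  clear
  echo 'Cisco ACL deny entries now in file badIPs.cisco'
fi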
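#######################################
# Writes one Windows Firewall inbound block rule per blocklist network.
# netsh accepts CIDR notation in remoteip=, so the prefix length is kept;
# the previous output stripped it and blocked only the X.X.X.0 address.
# Arguments: $1 - blocklist file (default badIPs.txt)
#            $2 - output file, appended to (default badIPs.netsh)
# Outputs:   each rule is also echoed to stdout by tee
#######################################
function _write_netsh_rules() {
  local src=${1:-badIPs.txt}
  local dst=${2:-badIPs.netsh}
  local net
  while IFS= read -r net || [[ -n "$net" ]]; do
    [[ -n "$net" ]] || continue
    echo "netsh advfirewall firewall add rule name=\"BLOCK IP ADDRESS - ${net}\" dir=in action=block remoteip=${net}" | tee -a "$dst"
  done < "$src"
}

# -w: append netsh block rules to badIPs.netsh.
if [ "${wfirewall}" ]; then
  _write_netsh_rules badIPs.txt badIPs.netsh
  clear
  echo 'Windows Firewall block rules now in file badIPs.netsh'
fi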
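#######################################
# Writes a macOS pf.conf: the com.apple anchor lines first (these appear to
# be the stock anchors from the system pf.conf - confirm before loading),
# then one 'block in' rule per blocklist network. The output is overwritten.
# Arguments: $1 - blocklist file (default badIPs.txt)
#            $2 - output file (default pf.conf)
# Outputs:   everything written is also echoed to stdout by tee
#######################################
function _write_pf_conf() {
  local src=${1:-badIPs.txt}
  local dst=${2:-pf.conf}
  local net
  # The anchor text is kept byte-identical; it starts with a blank line.
  echo '
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
' | tee "$dst"
  while IFS= read -r net || [[ -n "$net" ]]; do
    [[ -n "$net" ]] || continue
    echo "block in from ${net} to any" | tee -a "$dst"
  done < "$src"
}

# -m: write a pf.conf with a block rule for every prefix.
if [ "${macOS}" ]; then
  _write_pf_conf badIPs.txt pf.conf
  clear
  echo 'pf block rules now in file pf.conf'
fi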
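#######################################
# Extracts domain names from the targetedthreats CSV: lines containing
# 'domain', fourth double-quote-delimited field (i.e. the second quoted
# column), de-duplicated and sorted.
# Arguments: $1 - CSV file
# Outputs:   one domain per line to stdout
#######################################
function _extract_threat_domains() {
  awk '/domain/ {print}' "$1" | awk -F \" '{print $4}' | sort -u
}

#######################################
# Writes a Cisco class-map matching HTTP requests for each threat domain.
# Domains come from an external feed; splitting on '"' means the field
# cannot itself contain a quote, and reading whole lines keeps any odd
# entry on one 'match' line instead of word-splitting it.
# Arguments: $1 - domain list file (default threats.txt)
#            $2 - output file, overwritten (default ciscothreats.txt)
# Outputs:   each line is also echoed to stdout by tee
#######################################
function _write_cisco_url_filter() {
  local src=${1:-threats.txt}
  local dst=${2:-ciscothreats.txt}
  local host
  echo 'class-map match-any BAD_URLS' | tee "$dst"
  while IFS= read -r host || [[ -n "$host" ]]; do
    [[ -n "$host" ]] || continue
    echo "match protocol http host \"${host}\"" | tee -a "$dst"
  done < "$src"
}

# -p: download the targetedthreats CSV and turn its domains into a Cisco
# URL class-map in ciscothreats.txt. The download goes to a mktemp file
# (not a fixed /tmp name) and a failure aborts rather than emitting an
# empty class-map.
if [ "${parseCisco}" ]; then
  csv=$(mktemp) || exit 1
  if ! wget https://raw.githubusercontent.com/botherder/targetedthreats/master/targetedthreats.csv -O "$csv"; then
    echo 'Download of targetedthreats.csv failed.' >&2
    rm -f -- "$csv"
    exit 1
  fi
  _extract_threat_domains "$csv" > threats.txt
  rm -f -- "$csv"
  _write_cisco_url_filter threats.txt ciscothreats.txt
  rm threats.txt
  echo 'URL filters file created and parsed at ciscothreats.txt'
fi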