Prerequisites

Confirm that the appliance can reach the Internet and download files from it. In particular, check that it can connect to ftp.threatstop.com:

ping ftp.threatstop.com

The Cisco PIX firewall has no DNS resolver, so an external script must be used to work with ThreatSTOP. The script we currently provide is written in Perl and requires the following modules to be installed:

  • Config::General
  • Getopt::Long
  • Net::DNS
  • Net::Appliance::Session

Configuration

Note:

If this is a new device, please allow up to 15 minutes for our systems to be updated.

Caution:

The script will only run in a UNIX environment and will not run on Windows.

When setting up your devices on the ThreatSTOP website, do not use the IP address of the PIX, but the public IP address of the computer that will run the script. The DNS query must come from the computer that is running the script or it will not work. If you do not know the public IP address of that computer, go to http://www.threatstop.com/cgi-bin/validip.pl. It will show you what IP address to use.

Download the script.

The script works as follows: it first queries the ThreatSTOP DNS server to get the IP addresses in your block lists. It then opens an SSH connection to the firewall and retrieves the current list of IP addresses in the object group. It compares those addresses with the new list and adds or deletes entries as needed. The first run takes a few minutes, depending on how many IP addresses are being added. After this initial setup, updates are much faster because only the differences are added or deleted.
This script does not support User-Defined Allow Lists.

Here is the configuration file for this device. Please copy and paste it into the threatstop.conf file.

##Global Configuration Parameters
<globals>
  ## The ThreatSTOP DNS Server
  server 192.124.129.42
</globals>

## Device Parameters - Edit this for your needs
<device 192.168.1.1>
## Authentication Items
   username SSH_USERNAME
   password SSH_PASSWORD
   enable ENABLE_PASSWORD
   platform FWSM3
   transport SSH
   timeout 60
   netgroup threatstop
   netgroupshimip 10.255.255.255
   ## ThreatSTOP lists that apply to this device
   <lists>
      deny <block list name>..threatstop.local
   </lists>
</device>

Note:

The ThreatSTOP DNS server was previously 192.124.129.42. That address is still active for legacy customers, but it should not be used by new customers.

You will need to modify the configuration to match your environment.

  • PIX IP Address: The line <device 192.168.1.1> will need to be changed with the IP address of the PIX. You will need to make sure that the system running the script can connect to the PIX via SSH.
  • username: Username that you use to SSH to the PIX.
  • password: Password for the SSH user.
  • enable: The enable password for the PIX.
  • platform: This tells the script what kind of Cisco device it is connecting to. You do not need to modify this.
  • transport: The type of connection to make to the PIX.
  • timeout: SSH timeout period, in seconds.
  • netgroup: The name of the network object group to use on the PIX.
  • netgroupshimip: This is used in case there are no results returned from the DNS queries. When this happens, all the IP addresses in the group could be deleted. If this happens and there is a rule using the group, the PIX could stop forwarding traffic for all connections. To keep this from happening, we add the IP address to the group. You should set this to an IP address that your PIX will never see. We recommend using one of the RFC1918 IP addresses. For example: If your internal network is 192.168.1.0/24, you can set this to 172.16.255.255.
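The update logic described above (diff the object group against the DNS answer, then add and remove only the differences) and the netgroupshimip safeguard can be illustrated with the following Python example. It is an added example, not the ts-pix.pl script itself: the `show running-config object-group` text and the DNS results are constructed stand-ins, the group name and shim address are taken from the sample threatstop.conf, and the choice to keep the shim address in the group permanently (rather than only when DNS returns nothing) is an assumption made here so that the group can never end up empty.

```python
"""Added example: plan the object-group changes the ThreatSTOP update applies.
Not the ts-pix.pl script; the inputs below are constructed."""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample of `show running-config object-group` output from a PIX.
SAMPLE_SHOW_OBJECT_GROUP = """\
object-group network threatstop
 network-object host 198.51.100.10
 network-object host 198.51.100.11
 network-object host 203.0.113.5
 network-object host 10.255.255.255
object-group network servers
 network-object host 192.168.1.10
"""

# Constructed stand-in for the A records the ThreatSTOP DNS query would return.
SAMPLE_DNS_RESULTS = ["198.51.100.10", "198.51.100.12", "203.0.113.5"]

GROUP = "threatstop"        # netgroup from the sample threatstop.conf
SHIM_IP = "10.255.255.255"  # netgroupshimip from the sample threatstop.conf


def parse_object_group(show_output: str, group: str) -> Set[str]:
    """Return the host members of one network object-group from PIX config text."""
    members: Set[str] = set()
    in_group = False
    for line in show_output.splitlines():
        if line.startswith("object-group "):
            in_group = line.strip() == f"object-group network {group}"
            continue
        if in_group:
            m = re.match(r"\s+network-object host (\S+)$", line)
            if m:
                members.add(m.group(1))
    return members


def normalise(addresses: Iterable[str]) -> Set[str]:
    """Keep only syntactically valid IPv4 addresses; anything else is dropped
    so a malformed DNS answer is never pushed to the firewall."""
    valid: Set[str] = set()
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        if ip.version == 4:
            valid.add(str(ip))
    return valid


def plan_update(current: Set[str], dns_results: Iterable[str],
                shim_ip: str) -> Tuple[Set[str], Set[str]]:
    """Compute (to_add, to_remove). The shim address is always part of the
    desired set (assumption of this example), so an empty DNS answer drains
    the group down to the shim rather than to nothing."""
    desired = normalise(dns_results) | {shim_ip}
    return desired - current, current - desired


def render_commands(group: str, to_add: Set[str], to_remove: Set[str]) -> List[str]:
    """Produce the PIX configuration lines that would be sent over SSH:
    removals first, then additions, in address order."""
    cmds = [f"object-group network {group}"]
    cmds += [f" no network-object host {ip}"
             for ip in sorted(to_remove, key=ipaddress.ip_address)]
    cmds += [f" network-object host {ip}"
             for ip in sorted(to_add, key=ipaddress.ip_address)]
    return cmds


if __name__ == "__main__":
    current = parse_object_group(SAMPLE_SHOW_OBJECT_GROUP, GROUP)
    add, remove = plan_update(current, SAMPLE_DNS_RESULTS, SHIM_IP)
    print(f"{len(add)} IPs are new, {len(remove)} IPs are stale.")
    print("\n".join(render_commands(GROUP, add, remove)))
    # With no DNS results only the shim survives, so a rule using the group
    # keeps matching something and the PIX keeps forwarding other traffic.
    add, remove = plan_update(current, [], SHIM_IP)
    print(f"Empty answer: add {sorted(add)}, remove {sorted(remove)}")
```

The `normalise` step is the part worth copying into any script of this kind: whatever the DNS lookup returns is about to become firewall configuration, so anything that is not a plain IPv4 address is discarded before a command is built from it.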

To run the script, execute the following command:

shell# perl ts-pix.pl -c threatstop.conf

Here is a sample run of the script that has ThreatSTOP enabled, with 20 IP addresses to block and four that are no longer active.

shell# perl ts-pix.pl -c threatstop.conf
Beginning ThreatSTOP updates ...

Processing PIX Host "192.168.1.1"
Querying 5 lists ... Done
5 lists for 192.168.1.1 returned 5247 results.
Logging in ... Done
Entering Privleged Mode ... Done
Retrieving current members of "threatstop" network group ... Done
"threatstop" network group currently has 5266 members.

5266 IPs are still active in ThreatSTOP list.
20 IPs are new in ThreatSTOP list.
4 IPs are stale and will be removed.

Removing old addresses ... Done
Adding new addresses ... Done
Finished updating 192.168.1.1

ThreatSTOP updates complete.

At this point, all we have done is create and populate an object group. We do not create any rules on the PIX. The exact rule depends on your configuration, but the following rule blocks all incoming and outgoing traffic whose source or destination IP address is in the "threatstop" object group:

(config)# access-list 101 deny ip object-group threatstop any log

If you have multiple PIX firewalls to set up, create additional "device" sections in the configuration file with the appropriate information. The script finishes configuring the first device before moving on to the next one.
We update the lists every two hours. Here is an example cron job that you can use:

#Update the ThreatSTOP lists. Every 2 hours, 15 minutes after the hour (00:15, 02:15, 04:15, etc.)
15 */2 * * * /path/to/the/script/ts-pix.pl -c /path/to/config/file/threatstop.conf

Restore to Previous State

If you decide to return to your pre-ThreatSTOP configuration, you will need to perform the following actions to disable and remove ThreatSTOP from your system:

  1. Stop the VM from updating the firewall by deleting the user crontab:

    crontab -r

  2. Remove the ThreatSTOP address groups from the policies using them (or delete the policies completely).
  3. Delete the ThreatSTOP address groups (TSBlock-(number) and TSAllow-(number)).
