Below are my plain text notes for adding crontab-based automatic malware filters to my CentOS-based nfsen.
This was done with nfsen 1.3.6p1 and nfdump 1.6.6; I have not yet upgraded to any newer versions, which may behave differently.
Note that this reflects my setup's file structure; yours may differ.
###############################
NFSEN NETFLOW AUTOMATED FILTERS
###############################
###############################
HOW TO
###############################
For each of the following names: "Malware-Domain-List", "Hostile_IPs", "ZeusBotNet_CC" (if you change the names, you will have to change the scripts)
Create new Profile
Group under "malware"
Description "Crontab enabled automatic filter" (and whatever other info you like to add, maybe the URLs from the scripts below)
no start date
no end date
default max size
default expire
1:1 channels
Shadow Profile
Sources: select all the sources you like.
Filter: temporarily use "not any"
[Create]
This will create a "blank" filter for each of your sources.
Now create the following scripts, mark them executable and run each one once manually; afterward, add them to crontab.
Note: the *-filter.txt files (created by the GUI) should be marked writable, since the scripts overwrite them on every run.
###############################
✓ root@netflow: /usr/local/nfsen/profiles-stat/malware $ find ./ -name "*.sh"
###############################
./Malware-Domain-List/import-list.sh
./Hostile_IPs/import-list.sh
./ZeusBotNet_CC/import-list.sh
###############################
✓ root@netflow: /usr/local/nfsen/profiles-stat/malware $ cat Hostile_IPs/import-list.sh
###############################
#!/bin/bash
# Rebuild this profile's nfsen filter files from the autoshun shun list.
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
cd /usr/local/nfsen/profiles-stat/malware/Hostile_IPs || exit 1
# Download first (IP is the first CSV column; the header line is skipped).
# If the fetch fails or returns nothing, keep the existing filters instead
# of overwriting them with an empty "IP in [ ]".
if ! wget -qO- http://www.autoshun.org/files/shunlist.csv | tail -n +2 | awk -F, '{print $1}' > list.txt || [ ! -s list.txt ]; then
    rm -f list.txt
    exit 1
fi
printf "IP in [\n" > temp.txt
cat list.txt >> temp.txt
printf "]\n" >> temp.txt
for f in *-filter.txt ; do
    cp temp.txt "$f"
done
rm -f temp.txt list.txt
# The GUI creates the filter files as: -rw-rw-r--. 1 apache apache *-filter.txt
###############################
✓ root@netflow: /usr/local/nfsen/profiles-stat/malware $ cat ./Malware-Domain-List/import-list.sh
###############################
#!/bin/bash
# Rebuild this profile's nfsen filter files from the Malware Domain List IP feed.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
cd /usr/local/nfsen/profiles-stat/malware/Malware-Domain-List || exit 1
# Download first; the feed is already one IP per line. If the fetch fails or
# returns nothing, keep the existing filters instead of overwriting them with
# an empty "IP in [ ]".
if ! wget -qO- http://www.malwaredomainlist.com/hostslist/ip.txt > list.txt || [ ! -s list.txt ]; then
    rm -f list.txt
    exit 1
fi
printf "IP in [\n" > temp.txt
cat list.txt >> temp.txt
printf "]\n" >> temp.txt
for f in *-filter.txt ; do
    cp temp.txt "$f"
done
rm -f temp.txt list.txt
# The GUI creates the filter files as: -rw-rw-r--. 1 apache apache *-filter.txt
###############################
✓ root@netflow: /usr/local/nfsen/profiles-stat/malware $ cat ./ZeusBotNet_CC/import-list.sh
###############################
#!/bin/bash
# Rebuild this profile's nfsen filter files from the ZeuS Tracker bad-IP list.
set -o pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
cd /usr/local/nfsen/profiles-stat/malware/ZeusBotNet_CC || exit 1
# --no-check-certificate skips TLS verification of the feed (kept from the
# original setup); a spoofed or tampered feed would then be accepted, so drop
# it once this host's CA bundle trusts the site. The URL is quoted because
# "?" is a shell glob character. tail skips the feed's header lines.
# If the fetch fails or returns nothing, keep the existing filters instead
# of overwriting them with an empty "IP in [ ]".
if ! wget --no-check-certificate -qO- 'https://zeustracker.abuse.ch/blocklist.php?download=badips' | tail -n +7 > list.txt || [ ! -s list.txt ]; then
    rm -f list.txt
    exit 1
fi
printf "IP in [\n" > temp.txt
cat list.txt >> temp.txt
printf "]\n" >> temp.txt
for f in *-filter.txt ; do
    cp temp.txt "$f"
done
rm -f temp.txt list.txt
# The GUI creates the filter files as: -rw-rw-r--. 1 apache apache *-filter.txt
###############################
✓ root@netflow: /usr/local/nfsen/profiles-stat/malware $ crontab -l | tail -n 4
###############################
0 * * * * /usr/local/nfsen/profiles-stat/malware/Hostile_IPs/import-list.sh
0 * * * * /usr/local/nfsen/profiles-stat/malware/Malware-Domain-List/import-list.sh
0 * * * * /usr/local/nfsen/profiles-stat/malware/ZeusBotNet_CC/import-list.sh
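Added example, not part of the notes above and not code from nfsen or nfdump: the three import scripts each rely on a per-feed "tail -n +N" to skip headers, so a changed header, a comment line or an HTML error page would be written straight into the *-filter.txt files and break the nfdump filter. This bash helper instead keeps only lines whose first field is a plain dotted-quad IPv4 address (which is what these feeds publish) and refuses to emit a filter when nothing valid survives; it runs on a constructed sample feed with documentation addresses rather than a live download.

```shell
#!/bin/bash
# Added example: validate a raw blocklist feed before turning it into an
# nfdump "IP in [ ... ]" filter. Header lines, comments, HTML error pages and
# extra CSV fields are dropped; a feed with no valid address is refused.

# Return 0 only if $1 is a plain dotted quad with every octet in 0-255.
is_ipv4() {
    local addr o n
    addr=$1; n=0
    # anything but digits and dots, or a leading/trailing/doubled dot, is junk
    case $addr in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    local IFS=.
    for o in $addr; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Read raw feed lines on stdin and print the filter on stdout. The address is
# the first comma- or whitespace-separated field, as in the CSV feed above.
# Returns 1 and prints nothing when no valid address survives.
build_ip_filter() {
    local ip rest list count cr tab
    list=""; count=0
    cr=$(printf '\r'); tab=$(printf '\t')
    while IFS=", $tab" read -r ip rest || [ -n "$ip" ]; do
        ip=${ip%"$cr"}                        # tolerate CRLF feeds
        case $ip in ''|\#*) continue ;; esac  # blank or comment line
        is_ipv4 "$ip" || continue             # header, HTML, malformed entry
        list="$list$ip
"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || return 1
    printf 'IP in [\n%s]\n' "$list"
}

# Constructed sample feed (documentation addresses), standing in for a download.
SAMPLE_FEED='ip,added,reason
198.51.100.7,2012-01-01 00:00:00,ssh scanner
# comment line
203.0.113.9,2012-01-01,web exploit
999.1.1.1,2012-01-01,bad octet
192.0.2.10
<html><body>Service unavailable</body></html>
10.0.0.1/24,2012-01-01,not a plain address'
demo_filter() { printf '%s\n' "$SAMPLE_FEED" | build_ip_filter; }
demo_filter
```

In an import script, replace the "tail | awk > list.txt" step with "wget ... | build_ip_filter > temp.txt || exit 1" and the existing filters are left untouched whenever the feed comes back unusable.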
---
As Always, Good Luck!
Please comment or tip me or use any/all of my affiliate links; Thank YOU!
You can thank me with bitcoin.