Tuesday, March 8, 2011

Poor Man's RSS Feed - IP List Style

Similar to the last post, I came up with something that grabs known bad IP addresses from a handful of public blocklists. This should be used with caution: legitimate sites are sometimes compromised and end up on these lists, and a listed address may belong to shared hosting or another shared service that also serves legitimate traffic.

Blacklisting, or null-routing, an IP address can therefore have undesired side effects. As always, a default-deny policy is the better option; where that is not possible, this script can be used as an alternative.

Sites used in the script:

#!/bin/sh
DATE=`date +%m-%d-%Y`
DIR=/root/Malware

# Let's grab the daily malware lists and save them into a sorted file...
# --no-check-certificate disables TLS verification, so a man-in-the-middle could feed us a poisoned list;
# drop it unless a feed's certificate genuinely cannot be validated.
wget -i $DIR/websites-to-download.txt --no-check-certificate -O $DIR/malwaresites-blacklist-ipaddy.txt
sed 's/[ \t]*$//' $DIR/malwaresites-blacklist-ipaddy.txt | sort -u > $DIR/evil-ipaddy-list-$DATE.txt

# First run: there is no previous list yet, so compare against an empty one
[ -e $DIR/previous-ipaddy-scan.txt ] || touch $DIR/previous-ipaddy-scan.txt

# We are going to take the sorted file and look for any new IPs, if they appear then we'll mail the changes out.
# -s (non-empty) rather than -e: a failed download still leaves an empty -O file, and we must not
# make that empty file the new baseline or tomorrow every address would show up as "new".
if [ -s $DIR/evil-ipaddy-list-$DATE.txt ]; then
    comm -13 $DIR/previous-ipaddy-scan.txt $DIR/evil-ipaddy-list-$DATE.txt > $DIR/evilness_for_$DATE.txt
    if [ -s $DIR/evilness_for_$DATE.txt ]; then
        sendEmail -f malware_police@somedomain.com -t someone@somedomain.com -u "$DATE Daily Evil IP Address BlockList" -o message-file=$DIR/evilness_for_$DATE.txt -s ex-smtp.somedomain.com:25
    fi

    # Once we are done with today's sorted file, we are going to save it for later comparison
    ln -sf $DIR/evil-ipaddy-list-$DATE.txt $DIR/previous-ipaddy-scan.txt
fi
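A cleaner version of the same fetch, normalize, diff and report pipeline follows as an added example; it is not the original post's script. It runs offline against constructed sample feeds written to a temporary directory in place of the wget download, every address and file name in it is made up, and the allowlist file is an assumed addition for the shared-hosting caveat above: addresses in it are never reported. Comment lines and trailing '#' remarks are stripped first, and only well-formed IPv4 addresses survive, so a feed's header text or junk entries can never turn into a null route.

```shell
#!/bin/sh
# Added example (not the original post's script): fetch -> normalize -> diff -> report,
# exercised offline against constructed sample feeds. All names and addresses are made up.

export LC_ALL=C          # byte-order collation so sort and comm agree on ordering

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'

# normalize_iplist FILE
# Strip CR line endings, '#' comments and surrounding whitespace, keep only
# well-formed dotted-quad IPv4 addresses, and emit them sorted and deduplicated.
normalize_iplist() {
    tr -d '\r' < "$1" \
    | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -E "^$OCTET(\.$OCTET){3}\$" \
    | sort -u
}

# drop_allowlisted LIST ALLOWLIST
# Remove addresses you never want to block (your own ranges, shared hosting or CDN
# front ends that also serve legitimate sites). Whole-line, literal match only.
# grep exits 1 when every line was removed; that is not an error here.
drop_allowlisted() {
    if [ -s "$2" ]; then
        grep -vxF -f "$2" "$1" || [ $? -eq 1 ]
    else
        cat "$1"
    fi
}

# new_entries PREVIOUS TODAY
# Addresses present in today's list but not in the previous one.
# Both inputs must already be sorted; normalize_iplist guarantees that.
new_entries() {
    comm -13 "$1" "$2"
}

# run_demo
# Builds constructed sample feeds in a temp directory (standing in for the wget
# download), runs the pipeline, and prints what today's notification would contain.
run_demo() {
    demo_dir=$(mktemp -d)
    # Constructed "downloaded" feed: header comment, trailing remark, duplicate,
    # an out-of-range octet, a non-address line, then a CRLF feed appended by wget -i
    printf '%s\n' \
        '# Sample feed A - updated daily' \
        '198.51.100.7' \
        '203.0.113.9   # command-and-control' \
        '198.51.100.7' \
        '300.1.2.3' \
        'not-an-ip' \
        '192.0.2.250' > "$demo_dir/feed.txt"
    printf '203.0.113.77\r\n203.0.113.9\r\n' >> "$demo_dir/feed.txt"
    # Constructed allowlist: a shared host we must not null-route
    printf '%s\n' '203.0.113.77' > "$demo_dir/allowlist.txt"
    # Constructed baseline: yesterday's normalized list
    printf '%s\n' '192.0.2.250' '203.0.113.9' > "$demo_dir/previous.txt"

    normalize_iplist "$demo_dir/feed.txt" > "$demo_dir/clean.txt"
    drop_allowlisted "$demo_dir/clean.txt" "$demo_dir/allowlist.txt" > "$demo_dir/today.txt"
    new_entries "$demo_dir/previous.txt" "$demo_dir/today.txt"
    rm -rf "$demo_dir"
}

run_demo   # prints 198.51.100.7: the only address that is new and not allowlisted
```

In production the symlink-to-yesterday step from the script above goes after new_entries, and the mail is sent only when its output is non-empty; the allowlist is the place to park any address that turned out to be a shared service after a false positive.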

1 comment:

  1. I've noticed that sometimes remnants of line entries including the "#" character show up.

    Add the following sed expression to remove those from showing up in the daily email:

    sed -e "/#/d"