Stephen Reese

I recently came across a blog post demonstrating how to use the Emerging Threats rule sets to block malware calls to command and control (C&C) hosts. Using the script referenced in that post may work fine, but I want to review and update the list when I feel like it via SSH. Per the Emerging Threats wiki, these rules probably only need to be updated once a week, but YMMV.

Set up the ASA (one time):

configure terminal
access-list dynamic-filter_acl extended permit ip any any
dynamic-filter enable interface outside classify-list dynamic-filter_acl
dynamic-filter drop blacklist interface outside
dynamic-filter blacklist

Download the C&C list from Emerging Threats:

$ wget http://rules.emergingthreats.net/fwrules/emerging-PIX-CC.rules

Convert the list to the required format:

$ sed 's/ET-drop/ET-cc/g' emerging-PIX-CC.rules \
    | grep -E "^access-list ET-cc deny" \
    | sed 's/access-list ET-cc deny ip/address/g;s/host //g;s/any *$/255.255.255.255/g' \
    | awk '{print $1,$2,$3}' > emerging-PIX-CC.rules.asa

Paste the list using PuTTY or similar. Currently there are around 3000 rules, so it takes a minute:

configure terminal
no dynamic-filter blacklist
dynamic-filter blacklist
address x.x.x.x y.y.y.y
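The conversion above as a small script, added here as an example and not part of the original post: it turns both the "host A.B.C.D" and the "NETWORK MASK" forms of the ET deny rules into ASA blacklist "address" lines, skips comments and permit entries, and wraps the result in the config-mode commands that get pasted over the console. The rule lines in SAMPLE_RULES are constructed, not real indicators.

```shell
#!/bin/sh
# Added example (not from the original post): convert Emerging Threats PIX-style
# ACL lines into Cisco ASA dynamic-filter blacklist "address" entries.

# Reads ACL lines on stdin, writes "address IP MASK" lines on stdout.
et_to_asa() {
    awk '
        # Only "deny ip" rules become blacklist entries; comments and permits are skipped.
        $1 == "access-list" && $3 == "deny" && $4 == "ip" {
            if ($5 == "host") {
                # "host A.B.C.D any" -> single address with a /32 mask
                print "address", $6, "255.255.255.255"
            } else if ($5 != "any") {
                # "NETWORK MASK any" -> network with its own mask
                print "address", $5, $6
            }
        }'
}

# Wraps the converted entries in the commands the post pastes over the
# console (clear the old list, re-enter blacklist mode, add entries).
asa_blacklist_config() {
    printf 'configure terminal\nno dynamic-filter blacklist\ndynamic-filter blacklist\n'
    et_to_asa
    printf 'end\n'
}

# Constructed sample of what the ET rule file looks like (documentation-range
# addresses, not real C&C indicators).
SAMPLE_RULES='# Emerging Threats C&C list (constructed sample)
access-list ET-drop deny ip host 192.0.2.10 any
access-list ET-drop deny ip 198.51.100.0 255.255.255.0 any
access-list ET-drop permit ip any any'

# Usage: feed the downloaded rule file instead of the sample, e.g.
#   asa_blacklist_config < emerging-PIX-CC.rules > emerging-PIX-CC.rules.asa
printf '%s\n' "$SAMPLE_RULES" | asa_blacklist_config
```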

Finally, it is important to note that there could be performance implications with implementing too many rules. Be warned you may shun legitimate sites on shared hosting providers and the like.
