Threat Level: green Handler on Duty: Yee Ching Tok

SANS ISC: Updating network object in ASA thru API - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updating network object in ASA thru API
Am planning on fetching a list of bad IP addresses and update Cisco ASA network object thru API, of course I need to upgrade ASA to at least 9.3 to get API support. But before I go ahead and do that I'd like to get an input from this forum users, if there is any. Krypt0ni8

21 Posts
thread locked Quote Subscribe Jun 8th 2016
5 years ago
That function works if that's the question. While a threat intel feed can be helpful, applying it with full tust that all the bad IPs in the list or feed are really "bad" is rarely a good idea Rob VandenBrink

577 Posts
ISC Handler
Thread locked. Quote Jun 21st 2016
5 years ago
Quoting Rob VandenBrink:That function works if that's the question. While a threat intel feed can be helpful, applying it with full tust that all the bad IPs in the list or feed are really "bad" is rarely a good idea


I saw a website posted on one of your diaries that have a list of TOR exit node which gets updated every 30 minutes, without getting into why I thought to myself maybe we should try this and block TOR on the edge FW. if you have any other sufficient solution please do share. 		Krypt0ni8

21 Posts
Thread locked. Quote Jun 21st 2016
5 years ago
you can use our API. For example: isc.sans.edu/api/threatlist/… (or isc.sans.edu/api/threatlist/… if you prefer it in that format) Johannes

4476 Posts
ISC Handler
Thread locked. Quote Jun 21st 2016
5 years ago
Quoting Johannes:you can use our API. For example: https://isc.sans.edu/api/threatlist/torexit (or https://isc.sans.edu/api/threatlist/torexit?json if you prefer it in that format)


I just created/tested a python script that loops thru "ipv4" json list. I didn't need to put in my api's key is that ok?? 		Krypt0ni8

21 Posts
Thread locked. Quote Jun 21st 2016
5 years ago
Correct. No authentication is required for our public APIs. Do me a favor and add an e-mail address to the user agent. That way, if there is a problem, I know who to contact instead of just blocklisting you :) Johannes

4476 Posts
ISC Handler
Thread locked. Quote Jun 21st 2016
5 years ago
Quoting Johannes:Correct. No authentication is required for our public APIs. Do me a favor and add an e-mail address to the user agent. That way, if there is a problem, I know who to contact instead of just blocklisting you :)


Script updated/tested with user agent = '(Krypt0ni8)email' 		Krypt0ni8

21 Posts
Thread locked. Quote Jun 21st 2016
5 years ago

Sign Up for Free or Log In to start participating in the conversation!