
SANS ISC: Updating network object in ASA thru API - SANS Internet Storm Center SANS ISC InfoSec Forums


Updating network object in ASA thru API
I am planning on fetching a list of bad IP addresses and updating a Cisco ASA network object thru the API. Of course, I need to upgrade the ASA to at least 9.3 to get API support. But before I go ahead and do that, I'd like to get input from this forum's users, if there is any.
Krypt0ni8

21 Posts
That function works if that's the question. While a threat intel feed can be helpful, applying it with full trust that all the bad IPs in the list or feed are really "bad" is rarely a good idea.
Rob VandenBrink

513 Posts
ISC Handler
Quoting Rob VandenBrink: That function works if that's the question. While a threat intel feed can be helpful, applying it with full trust that all the bad IPs in the list or feed are really "bad" is rarely a good idea.


I saw a website posted on one of your diaries that has a list of TOR exit nodes, which gets updated every 30 minutes. Without getting into why, I thought to myself maybe we should try this and block TOR on the edge FW. If you have any other sufficient solution, please do share.
Krypt0ni8

21 Posts
You can use our API. For example: isc.sans.edu/api/threatlist/… (or isc.sans.edu/api/threatlist/… if you prefer it in that format)
Johannes

3578 Posts
ISC Handler
Quoting Johannes: You can use our API. For example: https://isc.sans.edu/api/threatlist/torexit (or https://isc.sans.edu/api/threatlist/torexit?json if you prefer it in that format)


I just created/tested a Python script that loops thru the "ipv4" JSON list. I didn't need to put in my API key, is that OK??
Krypt0ni8

21 Posts
Correct. No authentication is required for our public APIs. Do me a favor and add an e-mail address to the user agent. That way, if there is a problem, I know who to contact instead of just blacklisting you :)
Johannes

3578 Posts
ISC Handler
Quoting Johannes: Correct. No authentication is required for our public APIs. Do me a favor and add an e-mail address to the user agent. That way, if there is a problem, I know who to contact instead of just blacklisting you :)


Script updated/tested with user agent = '(Krypt0ni8)email'
Krypt0ni8

21 Posts
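
An added example, not code posted in this thread or published by ISC: one way to consume the feed discussed above while following both replies, by sending a contact address in the User-Agent and by not applying the list with full trust. It assumes the JSON response is a list of objects with an "ipv4" field; the contact address, allowlist, drop threshold and sample data are constructed, and pushing the resulting add/remove lists to the ASA object is left out.

```python
import ipaddress
import json
import urllib.request

FEED_URL = "https://isc.sans.edu/api/threatlist/torexit?json"  # URL from the thread
CONTACT = "netops@example.org"  # placeholder: put a real contact address here
# Constructed allowlist: internal ranges plus one hypothetical partner address.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.10/32")]
MAX_DROP = 0.5  # assumed threshold: refuse a feed that removes over half the current entries

def fetch_feed(url=FEED_URL, contact=CONTACT):
    """Download the feed, identifying the operator in the User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": f"asa-feed-sync ({contact})"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def parse_feed(raw):
    """Return the valid IPv4 addresses in the feed that are not allowlisted."""
    keep = set()
    for entry in json.loads(raw):
        try:
            ip = ipaddress.IPv4Address(str(entry.get("ipv4", "")).strip())
        except (ValueError, AttributeError):
            continue  # malformed or unexpected entry: skip it, never block on a guess
        if any(ip in net for net in NEVER_BLOCK):
            continue  # feed data must not override the local allowlist
        keep.add(str(ip))
    return keep

def plan_update(current, feed):
    """Diff the feed against the object's current members; reject suspicious feeds."""
    if not feed:
        raise ValueError("empty feed, keeping the current object unchanged")
    add, remove = feed - current, current - feed
    if current and len(remove) / len(current) > MAX_DROP:
        raise ValueError("feed drops most current entries, review before applying")
    return sorted(add), sorted(remove)

# Constructed sample response (documentation addresses, not real exit nodes).
SAMPLE = ('[{"ipv4": "198.51.100.7"}, {"ipv4": "198.51.100.8"}, {"ipv4": "203.0.113.10"},'
          ' {"ipv4": "10.1.2.3"}, {"ipv4": "not-an-ip"}, {"other": 1}]')

if __name__ == "__main__":
    current = {"198.51.100.7", "198.51.100.99"}  # constructed current object members
    print(plan_update(current, parse_feed(SAMPLE)))
```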
