Import IPs of malware hosting servers to SteelCentral NetProfiler

Overview

This small Python script downloads a list of IP addresses known to host malware, formats it correctly and uploads it into a NetProfiler HostGroup Type given as a parameter.

You can also convert and upload your own list instead of the list from the Internet.


This allows you to create a report to see e.g. whether your internal hosts talk to such sites. The list includes some Command and Control servers as well, so you might be able to check whether your internal hosts are part of an (inactive) botnet.

The script is based on a Visual Basic version by my colleague @Martin_Rosjorde.



Customizations

All variables can be customised with parameters given when calling the script.

Run the script with the "-h" parameter and you'll get some help.


ATTENTION

In the current version (1.2) this script will overwrite the HostGroup Type with the new content. You might therefore want to use a dedicated HostGroup Type rather than an existing one such as "ByFunction".

A version which updates the HostGroup Type with the new content instead of overwriting it is currently under development.


I invite everyone to work with me on this. The script is hosted at:

https://gitlab.com/ZyckoProfessionalServices/RVBD_SteelProfiler_ImportMalwareIPs


The current Version is 1.2, the next Version (with update functionality) will be 1.3.


UPDATE: Version 1.3 is released. This version now creates a new HostGroupType specified by the user instead of relying on an already existing one. This allows you to create a dedicated group (e.g. "ByMalware").



The script


#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""
This module uses the Riverbed SteelCentral (Profiler and NetExpress) API to update a certain HostGroupType with
IP addresses from either a specified custom file (see module help) or, if no input file is specified, with
the currently known malware IP addresses from http://www.malwaredomainlist.com

Attention: In this version (1.3.0) the HostGroupType content will be overwritten with the new content. I therefore
suggest you create a special HostGroupType, e.g. "ByMalware"
"""

import argparse
import base64
import httplib
import json
import ssl
import sys
import urllib2

__author__ = 'Andre Dieball (andre.dieball@zycko.de)'
__copyright__ = 'Copyright (c) 2015 Zycko Networks GmbH - Andre Dieball'
__license__ = 'GPLv3'
__vcs_id__ = '$Id$'
__version__ = '1.3.0'

MALWARE_URL = "http://www.malwaredomainlist.com/hostslist/ip.txt"
API_BASE = "/api/profiler/1.4/host_group_types/"


def https_connection(host):
    """Open an HTTPS connection to the Profiler / NetExpress.

    Python 2.7.9+ verifies server certificates by default. This script disables
    that check (Profilers usually run with self-signed certificates), so the
    TLS session is encrypted but the server is not authenticated. Install a
    trusted certificate and drop the unverified context if you need that.
    """
    if sys.version_info >= (2, 7, 9):
        return httplib.HTTPSConnection(host, 443, context=ssl._create_unverified_context())
    return httplib.HTTPSConnection(host, 443)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("BASIC_AUTH", type=str,
                        help="REQUIRED: Basic Authentication in the format of 'username:password' "
                             "(you have to put it in single quotes!)")
    parser.add_argument("IP", type=str,
                        help="REQUIRED: IP Address or Hostname of the Riverbed NetExpress / Profiler")
    parser.add_argument("Hostgroup", type=str,
                        help="REQUIRED: Name or ID of the HostGroupType to update (case-sensitive). "
                             "ATTENTION: Content of HostGroupType will be overwritten!!!")
    parser.add_argument("-c", "--create", action='store_true',
                        help="OPTIONAL: Specify -c if the HostGroupType needs to get created first. "
                             "If you use this switch and specify a HostGroupType which already exists, "
                             "you'll get an error message (HTTP Error 409) but the script will continue "
                             "to populate the HostGroupType specified.")
    args = parser.parse_args()

    # Same credentials and content type for both API calls
    headers = {"Authorization": "Basic %s" % base64.b64encode(args.BASIC_AUTH),
               "Content-Type": "application/json"}

    # Downloading the malware IP address list (one IPv4 address per line)
    print "Downloading with urllib2"
    f = urllib2.urlopen(MALWARE_URL)
    try:
        lines = f.read().splitlines()
    finally:
        f.close()
    # splitlines() copes with both CRLF and LF line endings; empty lines are skipped
    ips = [x.strip() + "/32" for x in lines if x.strip()]

    # Creating the HostGroupType if required and specified
    if args.create:
        createbody = json.dumps({
            "name": args.Hostgroup,
            "favorite": False,
            "description": "MalwareIP Addresses"
        })
        createconn = https_connection(args.IP)
        createconn.request('POST', API_BASE, body=createbody, headers=headers)
        createresponse = createconn.getresponse()

        if createresponse.status == 201:
            print "New HostGroupType created successfully"
        elif createresponse.status == 409:
            print "HostGroupType already exists!"
        elif createresponse.status == 401:
            print "Something is wrong with your Authentication credentials"
        else:
            print "Something went wrong dude!"
            print "HTTP Status returned: " + str(createresponse.status)
        createconn.close()

    # Formatting the malware IP address list in the format the API expects:
    # a JSON list of {"cidr": "IP_ADDRESS/CIDR", "name": "GROUP_NAME"} objects
    result = [{'cidr': item, 'name': 'Malware'} for item in ips]
    body = json.dumps(result)

    uploadurl = API_BASE + args.Hostgroup + "/config/"

    # Pushing the created list to the Profiler via API (PUT replaces the whole config)
    conn = https_connection(args.IP)
    conn.request('PUT', uploadurl, body=body, headers=headers)
    response = conn.getresponse()

    if response.status == 204 and response.reason == "No Content":
        print "Upload was successful, please double check HostGroup in Profiler now!"
    elif response.status == 401:
        print "Something is wrong with your Authentication credentials"
    else:
        print "Something went wrong dude!"
        print "HTTP Status returned: " + str(response.status)
    conn.close()


if __name__ == '__main__':
    main()
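The feed-to-config conversion from the script, reworked in Python 3 as an added example (this is not the script above or the project's own code): every feed line is validated with the ipaddress module before it becomes a cidr entry, so a junk line cannot end up in the HostGroupType as "junk/32", and the PUT request is built without an unverified SSL context. build_hostgroup_config, build_request and SAMPLE_FEED are names and constructed data for this illustration; the API path and the JSON layout are the ones the script uses, and skipping IPv6 is an assumption (the feed is IPv4 only and the page does not say whether the API accepts IPv6).

```python
import base64
import ipaddress
import json
import urllib.parse
import urllib.request

# Constructed sample of the ip.txt feed: one address per CRLF-terminated line, plus the
# kinds of noise a defender should expect (blank line, comment, junk, duplicates, a prefix).
SAMPLE_FEED = ("192.0.2.1\r\n192.0.2.1\r\n\r\n# comment line\r\n"
               "not-an-ip\r\n198.51.100.0/24\r\n203.0.113.7/24\r\n")


def build_hostgroup_config(raw_text, group_name="Malware"):
    """Convert feed text into the body for PUT /api/profiler/1.4/host_group_types/<name>/config/.

    Every line must parse as an IPv4 address or network (IPv6 is skipped, see lead-in).
    Bare addresses become /32, host bits in a prefix are masked off, duplicates are dropped.
    """
    seen = set()
    entries = []
    for line in raw_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk line in the feed: skip it rather than upload it
        if net.version != 4:
            continue
        cidr = net.with_prefixlen  # e.g. "192.0.2.1/32", "203.0.113.0/24"
        if cidr not in seen:
            seen.add(cidr)
            entries.append({"cidr": cidr, "name": group_name})
    return entries


def build_request(profiler_host, hostgroup_type, basic_auth, entries):
    """Build the PUT request for the HostGroupType config. Basic auth is encoded from bytes
    (required on Python 3) and no unverified SSL context is used, so urlopen() will check
    the Profiler's certificate against the system trust store."""
    path = "/api/profiler/1.4/host_group_types/%s/config/" % urllib.parse.quote(hostgroup_type)
    token = base64.b64encode(basic_auth.encode("utf-8")).decode("ascii")
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    return urllib.request.Request("https://" + profiler_host + path,
                                  data=json.dumps(entries).encode("utf-8"),
                                  headers=headers, method="PUT")
```

Send the request with urllib.request.urlopen(req) and expect HTTP 204, as in the script; a 409 on the create call and a 401 on either call have the same meaning as in the script.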