One of the things I wanted to automate recently was blacklisting IP addresses outright that attempt exploits and vulnerabilities against a network I am protecting with the Cisco SourceFire IPS/IDS device.  After spending some time working with their correlation rules, I realized that what I wanted to happen was not really available.  Here’s what I’d like the workflow to be:

  1. Someone attempts to exploit vulnerabilities against the public IP address routed through the Cisco SourceFire and generates an Impact 1 or Impact 2 severity intrusion event.
  2. If the same source IP attempts a second exploit vulnerability within 5 minutes that generates an Impact 1 or Impact 2 severity intrusion event, blacklist the source IP address.

This seems like something that should be reasonable to expect the device to inherently support — unfortunately, that seems not to be the case.

I was able to work around the lack of functionality to get somewhat close to the desired outcome by doing the following:

  1. Install the IP Blacklist Remediation module available for the Cisco SourceFire, located here on your SourceFire Defense Center.  NOTE:  This is a third party extension/module to the Cisco SourceFire platform.  Use this at your own risk.  I didn’t write it, I accept no liability whatsoever if you implement it and it sets your data center on fire, sends your corporate secrets to China, etc.
  2. Follow the instructions in the README file to configure the remediation action, instance, security intelligence feed, and access control policy.
    1. Make sure you use the full https:// link when you’re providing the .HTML file in the security intelligence feed.  When configuring the remediation instance, you can just say ‘custom_blacklist.html’, but when configuring the security intelligence feed, you need to use ‘https://your.sourcefire.domainorip/custom_blacklist.html’.

Once this was done, I got very close to what I wanted:

  1. Someone attempts to exploit vulnerabilities against the public IP address routed through the Cisco SourceFire and generates an Impact 1 or Impact 2 severity intrusion event.
  2. The IP address is added to the Local Blacklist and synchronized at the next Security Intelligence Feed update cycle.

My concern (and what I’m hoping someone out there can comment on) is that this seems overzealous, as it blacklists every IP that ever tries a single exploit against any of the public IPs, and over time that seems unsustainable.  I’d love to have threshold capability so that it only added IP addresses if they tried multiple exploits.  I mean, the SourceFire *is* dropping the traffic anyway, so blacklisting the IP of anyone who has attempted a single exploit does seem like it will end up with a tremendous number of IP addresses over time, which will generate unnecessary load on the system.
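As an added illustration of the threshold logic described in the two workflows above (not code from the original post, the IP Blacklist Remediation module, or Cisco), here is a small correlator that only blacklists a source IP once it has produced a second Impact 1 or Impact 2 event within a five-minute sliding window. The event records are constructed sample data, not real SourceFire output, and the one-IP-per-line feed format is an assumption about what the security intelligence feed expects.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the post: two Impact 1/2 events from the same source within 5 minutes.
WINDOW = timedelta(minutes=5)
THRESHOLD = 2
QUALIFYING_IMPACTS = {1, 2}

# Constructed sample intrusion events: (ISO timestamp, source IP, impact level).
# These are made up for the example and are not SourceFire log output.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.5", 1),
    ("2024-01-01T10:02:30", "203.0.113.5", 2),   # second hit inside 5 min -> blacklist
    ("2024-01-01T10:00:10", "198.51.100.7", 1),
    ("2024-01-01T10:09:00", "198.51.100.7", 1),  # 8m50s apart -> window expired, no blacklist
    ("2024-01-01T10:01:00", "192.0.2.9", 3),     # Impact 3 never counts toward the threshold
    ("2024-01-01T10:01:30", "192.0.2.9", 3),
]


def correlate(events, window=WINDOW, threshold=THRESHOLD, impacts=QUALIFYING_IMPACTS):
    """Return {source_ip: datetime} for every source that crossed the threshold.

    Events are processed in timestamp order. For each source IP we keep only the
    qualifying hits that fall inside the sliding window; when that count reaches
    the threshold the IP is recorded together with the time it tripped.
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent qualifying hits
    blacklisted = {}
    for ts_str, src_ip, impact in sorted(events, key=lambda e: e[0]):
        if impact not in impacts:
            continue                                  # ignore low-impact noise
        ts = datetime.fromisoformat(ts_str)
        hits = recent[src_ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()                            # drop hits older than the window
        if len(hits) >= threshold and src_ip not in blacklisted:
            blacklisted[src_ip] = ts
    return blacklisted


def render_feed(blacklisted):
    """Render the blacklist as a plain text feed, one IP per line (assumed format)."""
    return "".join(f"{ip}\n" for ip in sorted(blacklisted))


if __name__ == "__main__":
    hits = correlate(SAMPLE_EVENTS)
    for ip, when in hits.items():
        print(f"{ip} blacklisted at {when.isoformat()}")
    print(render_feed(hits), end="")
```

Running this over the sample data blacklists only 203.0.113.5; the second source is too slow to trip the window and the third only generates Impact 3 events. The same loop could be fed by an event export and its output written to the feed file the remediation module publishes, but wiring that up is outside what this example shows.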

I also think it doesn’t add up that the SourceFire can’t do this internally with correlation rules and remediation actions, but after hours of searching, I could not come up with another way to achieve this.

Anyone have any ideas?