Technical Note: [Accelops KB] How to update Malware Domain/Block IP without internet connectivity
Description
Summary of Article
This article explains how to manually download the malware domain and blocked IP feeds, place them in a local repository on the Supervisor, and point AO at that repository so the lists are updated without AO ever connecting to the internet.
Steps to Implement
1. Download the following files from the sites below:
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist (zeus_domainblocklist.txt)
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist (zeus_ipblocklist.txt)
http://www.malwaredomainlist.com/mdlcsv.php (export.csv)
http://www.malwaredomainlist.com/updatescsv.php (updates.csv)
NOTE: Please DO NOT import the downloaded files from AO's UI. The UI will accept the files, but the import will be incorrect.
2. Log in to the super as the root user
3. cd /var/www/html
4. mkdir malware
5. Please upload all the files from step 1 into this directory: /var/www/html/malware/
6. psql -U phoenix -d phoenixdb -c 'select * from ph_group_update_site;' > /var/www/html/malware/ph_group_update_site.orig
- This step is not required, but it is recommended as a backup so you can refer to the original values before overwriting them.
7. psql -U phoenix -d phoenixdb
9. Update the table "ph_group_update_site" by performing the following - DO NOT COPY and PASTE without fully understanding what is provided below:
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_LOW';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_MED';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_HIGH';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_EMER_THREAT';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_ZEUS_BLOCKED_IP';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_ZEUS';
EXAMPLE:
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/export.csv' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_Low.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_LOW';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_Medium.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_MED';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_High.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_HIGH';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/emerging-Block-IPs.txt' where natural_id='PH_SYS_EMER_THREAT';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/zeus_ipblocklist.txt' where natural_id='PH_SYS_ZEUS_BLOCKED_IP';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/zeus_domainblocklist.txt' where natural_id='PH_SYS_MAL_DOMAIN_ZEUS';
update ph_group_update_site set partial_update_site='https://aki-sp.accelops.net/malware/updates.csv' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
10. \q
11. Now, create a schedule for auto update in AO's UI
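As an added helper (not part of the original article or the AccelOps product), the script below generates the UPDATE statements from steps 9 and the example above, including the partial_update_site line for updates.csv, but only for files that are actually present and non-empty in /var/www/html/malware and do not look like a saved HTML error page, so the table is never pointed at a URL that would fail. The FQDN super.example.com is a placeholder; pipe the output into psql -U phoenix -d phoenixdb after reviewing it.

```shell
#!/bin/sh
# Emit ph_group_update_site UPDATE statements for the feed files present in
# the local malware directory.  Missing, empty or HTML-looking files are
# reported on stderr and skipped.
# Usage: gen_update_sql <FQDN_OF_SUPER> <dir>
#   gen_update_sql super.example.com /var/www/html/malware | psql -U phoenix -d phoenixdb

# natural_id  column  filename  (filenames are those downloaded in step 1)
FEED_MAP='
PH_SYS_MAL_DOMAIN_MDL full_update_site export.csv
PH_SYS_MAL_DOMAIN_MDL partial_update_site updates.csv
PH_SYS_MAL_DOMAIN_SANS_LOW full_update_site suspiciousdomains_Low.txt
PH_SYS_MAL_DOMAIN_SANS_MED full_update_site suspiciousdomains_Medium.txt
PH_SYS_MAL_DOMAIN_SANS_HIGH full_update_site suspiciousdomains_High.txt
PH_SYS_EMER_THREAT full_update_site emerging-Block-IPs.txt
PH_SYS_ZEUS_BLOCKED_IP full_update_site zeus_ipblocklist.txt
PH_SYS_MAL_DOMAIN_ZEUS full_update_site zeus_domainblocklist.txt
'

gen_update_sql() {
    fqdn=$1
    dir=$2
    echo "$FEED_MAP" | while read -r nid col file; do
        [ -n "$nid" ] || continue
        # A zero-byte file or a captive-portal/error page saved as .txt
        # would silently give AO an empty or garbage list.
        if [ ! -s "$dir/$file" ]; then
            echo "skip $nid: $dir/$file is missing or empty" >&2
            continue
        fi
        if grep -qi '<html' "$dir/$file"; then
            echo "skip $nid: $dir/$file looks like an HTML page, not a feed" >&2
            continue
        fi
        printf "update ph_group_update_site set %s='https://%s/malware/%s' where natural_id='%s';\n" \
            "$col" "$fqdn" "$file" "$nid"
    done
}

# Run directly when both arguments are given; sourcing the file defines the function only.
if [ "$#" -ge 2 ]; then
    gen_update_sql "$1" "$2"
fi
```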