topic Re: Firewall Script Example: Automatically Block IPs in Events

Firewall Script Example: Automatically Block IPs

xp — Thu, 24 Jul 2025 06:00:17 GMT

1）Purpose：

Utilize SmartEvent's Automatic Reaction feature to automatically execute a response script when specific attack events (such as Nikto scans) are detected, enhancing automation and real-time threat response.

2）Use Case：

A.Security administrators want to automatically block source IPs upon detecting intrusion behaviors like Nikto Security Scanner scans.

B.Integrates SmartEvent’s event detection with custom scripts to enable fast and automated response without manual intervention.

C.Ideal for test or production environments requiring immediate mitigation of known attack patterns, along with response logging.

3）Requirements：

SmartEvent Server and SmartEvent Correlation Unit must be deployed and enabled.

The relevant attack event (e.g., Nikto scan) must be identifiable in the logs and captured by the Correlation Unit.

An Automatic Reaction rule must be configured and linked to a script (the script should be placed in $RTDIR/bin/ext_commands/ on the SmartEvent Server and granted executable permissions).

Re: Firewall Script Example: Automatically Block IPs

the_rock — Wed, 23 Jul 2025 23:12:17 GMT

Will test it in the lab. Does it create a feed with bad IP addresses?

Andy

Re: Firewall Script Example: Automatically Block IPs

xp — Thu, 24 Jul 2025 03:16:22 GMT

Yes, it is recommended to create a drop policy in advance, using a predefined address group as the source. This group will be used to store IP addresses from the malicious IP feed.

Re: Firewall Script Example: Automatically Block IPs

the_rock — Thu, 24 Jul 2025 03:29:19 GMT

I assume its run on mgmt server?

Andy

Re: Firewall Script Example: Automatically Block IPs

xp — Thu, 24 Jul 2025 03:49:21 GMT

Yes, it runs on the management server. Upload the script to $RTDIR/bin/ext_commands/ and make it executable. Please refer to the "R82 Logging and Monitoring Administrator Guide" or the attachment for details.

Re: Firewall Script Example: Automatically Block IPs

the_rock — Thu, 24 Jul 2025 04:05:40 GMT

Will try in the morning...cheers. Thank you!

Andy

Re: Firewall Script Example: Automatically Block IPs

_Val_ — Thu, 24 Jul 2025 04:59:46 GMT

Hi @xp , please add some description: use case, purpose, requirements, etc

Re: Firewall Script Example: Automatically Block IPs

the_rock — Thu, 24 Jul 2025 12:11:21 GMT

Just ran it in my R82 mgmt lab and when I invoke the script, it never finishes, not sure why. I followed exact steps you outlined.

Andy

Re: Firewall Script Example: Automatically Block IPs

xp — Thu, 24 Jul 2025 15:23:23 GMT

Here are a few things you can check:

1. you can run cat /home/admin/ext_script.txt on the management server to view the full execution log of the script and identify where it might be hanging.

2. If there's no log output at all,please double-check that User Defined Event Policy is properly configured and deployed.The event may not be triggering the Automatic Reaction as expected.

3. Also,verify that the IPS logs are indeed being generated and that the "attack information" field contains the keyword "xxx(Nikto Security Scanner)",as this is required for the script trigger condition.

Re: Firewall Script Example: Automatically Block IPs

the_rock — Thu, 24 Jul 2025 15:40:32 GMT

I get below.

Andy

[Expert@CP-MANAGEMENT:0]# cat /home/admin/ext_script.txt
2025-07-24 08:08:11 - ===== 新事件触发 =====
[Expert@CP-MANAGEMENT:0]#