Re: Firewall Script Example: Automatically Block I...

xp · ‎2025-07-22

1）Purpose：

Utilize SmartEvent's Automatic Reaction feature to automatically execute a response script when specific attack events (such as Nikto scans) are detected, enhancing automation and real-time threat response.

2）Use Case：

A.Security administrators want to automatically block source IPs upon detecting intrusion behaviors like Nikto Security Scanner scans.

B.Integrates SmartEvent’s event detection with custom scripts to enable fast and automated response without manual intervention.

C.Ideal for test or production environments requiring immediate mitigation of known attack patterns, along with response logging.

3）Requirements：

SmartEvent Server and SmartEvent Correlation Unit must be deployed and enabled.

The relevant attack event (e.g., Nikto scan) must be identifiable in the logs and captured by the Correlation Unit.

An Automatic Reaction rule must be configured and linked to a script (the script should be placed in $RTDIR/bin/ext_commands/ on the SmartEvent Server and granted executable permissions).

the_rock · ‎2025-07-23

Will test it in the lab. Does it create a feed with bad IP addresses?

Andy

Best,
Andy

xp · ‎2025-07-23

Yes, it is recommended to create a drop policy in advance, using a predefined address group as the source. This group will be used to store IP addresses from the malicious IP feed.

the_rock · ‎2025-07-23

I assume its run on mgmt server?

Andy

Best,
Andy

xp · ‎2025-07-23

Yes, it runs on the management server. Upload the script to $RTDIR/bin/ext_commands/ and make it executable. Please refer to the "R82 Logging and Monitoring Administrator Guide" or the attachment for details.

the_rock · ‎2025-07-23

Will try in the morning...cheers. Thank you!

Andy

Best,
Andy

the_rock · ‎2025-07-24

Just ran it in my R82 mgmt lab and when I invoke the script, it never finishes, not sure why. I followed exact steps you outlined.

Andy

Best,
Andy

xp · ‎2025-07-24

Here are a few things you can check:

1. you can run cat /home/admin/ext_script.txt on the management server to view the full execution log of the script and identify where it might be hanging.

2. If there's no log output at all,please double-check that User Defined Event Policy is properly configured and deployed.The event may not be triggering the Automatic Reaction as expected.

3. Also,verify that the IPS logs are indeed being generated and that the "attack information" field contains the keyword "xxx(Nikto Security Scanner)",as this is required for the script trigger condition.

the_rock · ‎2025-07-24

I get below.

Andy

[Expert@CP-MANAGEMENT:0]# cat /home/admin/ext_script.txt
2025-07-24 08:08:11 - ===== 新事件触发 =====
[Expert@CP-MANAGEMENT:0]#

Best,
Andy

_Val_ · ‎2025-07-23

Hi @xp , please add some description: use case, purpose, requirements, etc

Are you a member of CheckMates?

Firewall Script Example: Automatically Block IPs