Creating a Saved Script to Block a Destination IP Address

To create a saved script to block a destination IP address, we create a Python script that adds the address to the iptables block list, and then call that script from Stellar Cyber.

Creating the Python Script

To create the Python script:

  1. Create a file named blockip.py.

  2. Make note of where you created it. Ours is in the /home/aella/ directory.

  3. Enter your script. A sample script is:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # -*- author: Christian Rasmussen -*-
    # -*- github: http://github.com/apoltix/blockip -*-
    # -*- license: MIT License -*-

    # blockip: easy-to-use command to add or delete an IP address to the blocklist in iptables

    import sys
    import getopt
    import subprocess

    _name = "blockip"
    _version = "0.1"

    def main(argv):
        try:
            opts, args = getopt.getopt(argv, "ha:d:lv", ["help", "add=", "delete=", "list", "version"])
            if len(opts) == 0:
                # Adding without -a or --add: blockip 1.2.3.4 2.3.4.5
                if len(args) > 0:
                    opts = []
                    for arg in args:
                        opts.append(("-a", arg))
                # Display help if no args exist
                else:
                    opts = [("-h", "")]
            exit_code = 0
            for opt, arg in opts:
                if opt in ("-h", "--help"):
                    help()
                elif opt in ("-v", "--version"):
                    print(version())
                elif opt in ("-a", "--add"):
                    # Arguments are passed as a list, so no shell parses the address
                    exit_code = subprocess.call(["iptables", "-A", "INPUT", "-s", arg, "-j", "DROP"])
                elif opt in ("-d", "--delete"):
                    exit_code = subprocess.call(["iptables", "-D", "INPUT", "-s", arg, "-j", "DROP"])
                elif opt in ("-l", "--list"):
                    exit_code = subprocess.call(["iptables", "-L", "-n"])
            sys.exit(exit_code)
        # "except ... as" and single-argument print() run on Python 2.6+ and Python 3
        except getopt.GetoptError as err:
            print("blockip error: " + str(err))
            sys.exit(2)

    def version():
        global _name, _version
        return _name + " " + _version

    def help():
        print(version())
        print("Usage: blockip [ips|-h|-a ip|-d ip|-l]\n")
        print("-h, --help:                      Displays this message.")
        print("ips:                             Adds IP-addresses to the block list. Example:\n\tblockip 1.2.3.4 2.3.4.5")
        print("-a ip, --add ip:                 Adds an IP-address to the block list. Example:\n\tblockip -a 1.2.3.4")
        print("-d ip, --delete ip:              Removes an IP-address from the block list. Example:\n\tblockip -d 1.2.3.4")
        print("-l, --list:                      Lists the blocked IP-addresses.")
        print("-v, --version:                   Displays the version of the utility.")

    if __name__ == "__main__":
        main(sys.argv[1:])

  4. Save the file.

Calling the Python Script from Stellar Cyber

To call the Python script from Stellar Cyber:

  1. Log in to Stellar Cyber.
  2. Click System | Configuration | Saved Scripts. The Script Template page appears.

  3. Click Create to add a new script. The Add Script Template screen appears.

  4. Enter the Name. Each script must have a unique name. This field does not support multibyte characters. You cannot edit the name after you submit. We entered Block Destination IP Address in Python.
  5. Choose a Tenant Name. We chose Root Tenant. You cannot edit the tenant after you submit.
  6. In the Script Body, call the script you created earlier. Our Script Body is:

    sudo python /home/aella/blockip.py -a {{_source.dstip}}

  7. Click Submit. The script is saved and added to the table.
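
The Script Body above hands the rendered {{_source.dstip}} value to a command run with sudo, so it is worth checking that value before it reaches iptables. The following Python 3 code is an added example, not part of the original page or of blockip; the function names and the PROTECTED_NETWORKS entries are assumptions chosen for illustration.

```python
import ipaddress

# Constructed example values: networks that must never be blocked
# (management hosts, DNS resolvers). Replace with your own.
PROTECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.0.2.53/32"),
]


def validate_block_target(value, protected=PROTECTED_NETWORKS):
    """Return a parsed address, or raise ValueError if it must not be blocked."""
    try:
        # Rejects hostnames, CIDR ranges, empty strings and option-like
        # values such as "-j" before they can reach the iptables argv.
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        raise ValueError("not a single IP address: %r" % value)
    if (addr.is_unspecified or addr.is_loopback
            or addr.is_multicast or addr.is_link_local):
        raise ValueError("refusing to block special-purpose address %s" % addr)
    for net in protected:
        if addr.version == net.version and addr in net:
            raise ValueError("%s is inside protected network %s" % (addr, net))
    return addr


def build_block_command(value, protected=PROTECTED_NETWORKS):
    """Build the argv for the same DROP rule blockip.py adds with -a."""
    addr = validate_block_target(value, protected)
    # IPv6 addresses need ip6tables; iptables only accepts IPv4.
    binary = "iptables" if addr.version == 4 else "ip6tables"
    return [binary, "-A", "INPUT", "-s", str(addr), "-j", "DROP"]


if __name__ == "__main__":
    # Constructed sample inputs, including an unrendered template placeholder.
    for sample in ["203.0.113.7", "2001:db8::1", "10.0.0.5", "0.0.0.0/0",
                   "-j", "{{_source.dstip}}"]:
        try:
            print(build_block_command(sample))
        except ValueError as err:
            print("rejected: %s" % err)
```

The returned list can be passed to subprocess.call in place of the hard-coded argument list in the -a branch, so a value that fails validation never produces a firewall rule.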