Reference:
https://community.cisco.com/t5/security-knowledge-base/remediation-module-for-security-intelligence-blacklist/ta-p/3144850/page/2/show-comments/true?attachment-id=26130
https://finkotek.com/firepower-custom-remediation-action/
Lab:
1. Install the remediation module
Policies > Modules > Install a new module
2. Create an instance of the new module and configure the remediation (the instance is what writes the offending IP into the local blacklist file).
Policies > Instance > Select a module type > Add
3. Create a correlation rule that matches the event you want to react to (here, an intrusion event from the custom IPS rule).
4. Create a correlation policy and add the above rule.
5. Assign the remediation instance as the response for that rule in the correlation policy.
6. Create a Security Intelligence feed object that points at the blacklist file the module maintains on the FMC (custom_blacklist.html, with custom_blacklist_md5.html as the MD5 URL).
7. Add the new feed to the Blacklist of the access control policy (ACP) and deploy.
Verification:
1. Create a custom IPS rule
2. Enable the custom IPS rule in the intrusion policy used by the ACP
3. Ping 1.1.1.1 from PC 10.10.10.30
4. Check the intrusion event
5. Check the correlation event (the remediation status should show the module ran)
6. Verify the Security Intelligence event; the ping from the PC stops because the source address is now on the SI blacklist.
Location of the local blacklist files (served by the FMC web server): /var/sf/htdocs
root@fmc67:/var/sf/htdocs# ls | grep html
custom_blacklist.html
custom_blacklist_md5.html
html_templates
root@fmc67:/var/sf/htdocs# more custom_blacklist.html
10.10.10.30
root@fmc67:/var/sf/htdocs#
To remove an IP from your custom blacklist feed, edit /var/sf/htdocs/custom_blacklist.html as root (for example with vi) and then regenerate the MD5 file, otherwise FMC will not notice that the feed changed. Note that the form sudo "md5sum ... > ..." does not work: the quotes make sudo look for a single program named after the whole string, and even without them the redirection would run as the unprivileged user, which cannot write under /var/sf/htdocs. Run the whole pipeline in a root shell instead:
sudo sh -c 'md5sum /var/sf/htdocs/custom_blacklist.html > /var/sf/htdocs/custom_blacklist_md5.html'
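The add-and-remove cycle described above, written as a small POSIX shell script. This is an added example, not code from the page or from the Cisco remediation module; the file names follow the page, while BLACKLIST_DIR is an assumption added so the same functions can be exercised against a scratch directory instead of the live /var/sf/htdocs. It matches addresses as whole lines (so 10.10.10.3 never matches 10.10.10.30) and rewrites the MD5 file after every change. The page's command stores md5sum's full "hash  path" line; this example stores only the hash field, and both change whenever the list changes, which is what the feed's MD5 URL is there to detect.

```shell
#!/bin/sh
# Added example (not from the page or the Cisco module): maintain the local SI
# blacklist that the remediation module writes, keeping its MD5 file in sync.
# BLACKLIST_DIR is an assumption for testing; the FMC path is /var/sf/htdocs.
BLACKLIST_DIR="${BLACKLIST_DIR:-/var/sf/htdocs}"

blacklist_file() { printf '%s/custom_blacklist.html' "$BLACKLIST_DIR"; }
md5_file()       { printf '%s/custom_blacklist_md5.html' "$BLACKLIST_DIR"; }

# Regenerate the MD5 file from the current list. md5sum prints "<hash>  <path>";
# only the hash is kept so the file holds a single token.
update_md5() {
    md5sum "$(blacklist_file)" | awk '{print $1}' > "$(md5_file)"
}

# Print the hash currently recorded in the MD5 file.
current_md5() { cat "$(md5_file)"; }

# Add an IP unless it is already listed (what the remediation does on a hit).
add_ip() {
    ip="$1"
    grep -qxF "$ip" "$(blacklist_file)" 2>/dev/null && return 0
    printf '%s\n' "$ip" >> "$(blacklist_file)"
    update_md5
}

# Remove one IP by whole-line match. Returns 1 if it was not present, so a
# caller can distinguish a no-op from a real removal.
remove_ip() {
    ip="$1"
    grep -qxF "$ip" "$(blacklist_file)" 2>/dev/null || return 1
    tmp="$(blacklist_file).tmp.$$"
    # grep -v exits 1 when no lines are left, which is a valid (empty) result.
    grep -vxF "$ip" "$(blacklist_file)" > "$tmp" || true
    mv "$tmp" "$(blacklist_file)"
    update_md5
}

# CLI: ./blacklist.sh add|remove <ip>   (run as root on the FMC)
if [ "$#" -ge 2 ]; then
    case "$1" in
        add)    add_ip "$2" ;;
        remove) remove_ip "$2" || { echo "$2 not in blacklist" >&2; exit 1; } ;;
        *)      echo "usage: $0 add|remove <ip>" >&2; exit 2 ;;
    esac
fi
```

After a removal, deploy is not needed; FMC polls the feed on the update interval set on the feed object and re-downloads it when the MD5 changes, so the address drops off the blacklist at the next poll.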