Simply put, this gathers a list of possibly malicious IP addresses from the datasets FireHOL publishes on GitHub. The resulting lookup table can be used in Splunk to sweep your environment or to set up alerts when traffic to or from those addresses is detected. It requires:
- Bash
- Curl
- Git
Open a terminal and run the following commands:
git clone https://github.com/ecstatic-nobel/Firehol-Sweep.git
cd Firehol-Sweep
If you want to change the source of the IP sets:
- Navigate to FireHOL's blocklist-ipsets GitHub project
- Paste the name of each IP set on its own line in firehol_ipsets.txt
To run the script, run the following command from the project directory:
bash create_lookup.sh CLONEDIR OUTPUTFILE
The CLONEDIR is the directory where you want to clone the FireHOL blocklist-ipsets project. The OUTPUTFILE is the path to the new lookup table that will be generated. A sample lookup table can be found here.
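The following is an added example of the lookup-building step, not the project's own create_lookup.sh: it reads set names from firehol_ipsets.txt, pulls the entries out of the matching FireHOL .netset/.ipset files in the clone directory, and writes a two-column Splunk CSV. The third LISTFILE argument, the ip/ipset column names, and the sample files are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not the project's own create_lookup.sh: turn the FireHOL ipset
# files named in firehol_ipsets.txt into a Splunk CSV lookup (columns ip,ipset).
# Assumes the clone holds <name>.netset / <name>.ipset files in FireHOL's
# format: '#' comment lines, then one IPv4 address or CIDR per line.
set -eu

# Usage: build_lookup CLONEDIR OUTPUTFILE LISTFILE  -> prints number of entries
build_lookup() {
    local clonedir="$1" outfile="$2" listfile="$3" name path
    printf 'ip,ipset\n' > "$outfile"
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|\#*) continue ;; esac     # blank or comment line
        if [ -f "$clonedir/$name.netset" ]; then     # .netset = CIDR ranges
            path="$clonedir/$name.netset"
        elif [ -f "$clonedir/$name.ipset" ]; then    # .ipset = single hosts
            path="$clonedir/$name.ipset"
        else
            printf 'warning: %s has no .netset/.ipset in %s, skipping\n' \
                "$name" "$clonedir" >&2
            continue
        fi
        # keep only lines shaped like IPv4 or IPv4/prefix; drops '#' comments
        # and anything malformed, so a bad upstream line cannot corrupt the CSV
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$path" \
            | awk -v set="$name" '{ print $0 "," set }' >> "$outfile" || true
    done < "$listfile"
    echo $(( $(wc -l < "$outfile") - 1 ))
}

# Constructed sample clone (stand-in for blocklist-ipsets); prints its path.
make_sample_clone() {
    local dir; dir="$(mktemp -d)"
    printf '# example_set\n# updated daily\n192.0.2.0/24\n198.51.100.7\n' \
        > "$dir/example_set.netset"
    printf '# hosts only\n203.0.113.9\nnot-an-ip\n203.0.113.10\n' \
        > "$dir/example_hosts.ipset"
    printf 'example_set\nexample_hosts\nmissing_set\n' > "$dir/firehol_ipsets.txt"
    echo "$dir"
}

# Run with --demo to build and print a lookup from the sample clone.
if [ "${1:-}" = "--demo" ]; then
    dir="$(make_sample_clone)"
    build_lookup "$dir" "$dir/firehol_lookup.csv" "$dir/firehol_ipsets.txt"
    cat "$dir/firehol_lookup.csv"
fi
```

Because .netset entries are CIDR ranges, matching single source or destination addresses against this lookup in Splunk needs a CIDR match type on the ip field in the lookup's transforms.conf stanza rather than the default exact match.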
To remove the project completely, run the following commands:
rm -rf Firehol-Sweep