Created on 09-30-2016 08:34 AM Edited on 05-26-2022 11:20 AM By Anonymous
Description
This article explains how to manually download the malware domain and blocked IP feeds into a local repository on the Super and then point AO at that repository, so that AO updates the lists without connecting to the internet itself.
1. Download the following files from the sites below:
https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://isc.sans.edu/feeds/suspiciousdomains_High.txt
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist (zeus_domainblocklist.txt)
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist (zeus_ipblocklist.txt)
http://www.malwaredomainlist.com/mdlcsv.php (export.csv)
http://www.malwaredomainlist.com/updatescsv.php (updates.csv)
NOTE: Please DO NOT import the downloaded files from AO's UI. The UI will accept the files, but the import will be incorrect.
2. Log in to the Super as the root user
3. cd /var/www/html
4. mkdir malware
5. Please upload all the files from step 1 into this directory: /var/www/html/malware/
6. psql -U phoenix -d phoenixdb -c 'select * from ph_group_update_site;' > /var/www/html/malware/ph_group_update_site.orig
- This step is not required, but it is recommended as a backup so you can refer to the original values before overwriting them.
7. psql -U phoenix -d phoenixdb
9. Update the table "ph_group_update_site" by performing the following - DO NOT COPY and PASTE without fully understanding what is provided below:
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_LOW';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_MED';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_SANS_HIGH';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_EMER_THREAT';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_ZEUS_BLOCKED_IP';
update ph_group_update_site set full_update_site='https://(FQDN_OF_SUPER)/malware/(Your downloaded filename)' where natural_id='PH_SYS_MAL_DOMAIN_ZEUS';
EXAMPLE:
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/export.csv' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_Low.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_LOW';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_Medium.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_MED';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/suspiciousdomains_High.txt' where natural_id='PH_SYS_MAL_DOMAIN_SANS_HIGH';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/emerging-Block-IPs.txt' where natural_id='PH_SYS_EMER_THREAT';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/zeus_ipblocklist.txt' where natural_id='PH_SYS_ZEUS_BLOCKED_IP';
update ph_group_update_site set full_update_site='https://aki-sp.accelops.net/malware/zeus_domainblocklist.txt' where natural_id='PH_SYS_MAL_DOMAIN_ZEUS';
update ph_group_update_site set partial_update_site='https://aki-sp.accelops.net/malware/updates.csv' where natural_id='PH_SYS_MAL_DOMAIN_MDL';
10. \q
11. Now create a schedule for automatic updates in AO's UI
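As an added example (not part of the Fortinet article), the following POSIX shell script builds the UPDATE statements from steps 9 and the EXAMPLE block for you, instead of editing them by hand. It takes the Super's FQDN and the staging directory as arguments, checks that every feed file from step 1 is present and non-empty before emitting a statement for it, and prints the SQL so you can review it before feeding it to psql. The natural_id values and file names are the ones the article lists; the FQDN, the directory path and the output file name are assumptions you replace.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: generate the UPDATE
# statements for ph_group_update_site from the feed files staged under the
# web directory, refusing to emit a statement for a file that is missing or
# empty (an empty file would replace an existing list with nothing).
# Assumed: the natural_id values and file names from the article's EXAMPLE
# block; the FQDN and directory are passed in by the caller.

# natural_id | column to update | file name expected in the directory
FEED_MAP='PH_SYS_MAL_DOMAIN_MDL|full_update_site|export.csv
PH_SYS_MAL_DOMAIN_MDL|partial_update_site|updates.csv
PH_SYS_MAL_DOMAIN_SANS_LOW|full_update_site|suspiciousdomains_Low.txt
PH_SYS_MAL_DOMAIN_SANS_MED|full_update_site|suspiciousdomains_Medium.txt
PH_SYS_MAL_DOMAIN_SANS_HIGH|full_update_site|suspiciousdomains_High.txt
PH_SYS_EMER_THREAT|full_update_site|emerging-Block-IPs.txt
PH_SYS_ZEUS_BLOCKED_IP|full_update_site|zeus_ipblocklist.txt
PH_SYS_MAL_DOMAIN_ZEUS|full_update_site|zeus_domainblocklist.txt'

# gen_update_sql FQDN DIR
# Prints one UPDATE per feed whose file is present and non-empty in DIR.
# Returns non-zero if any feed file is missing or empty, so the caller can
# stop before handing an incomplete set of statements to psql.
gen_update_sql() {
  fqdn=$1
  dir=$2
  bad=0
  while IFS='|' read -r nid col file; do
    [ -n "$nid" ] || continue
    if [ ! -s "$dir/$file" ]; then
      echo "skipping $nid: $dir/$file is missing or empty" >&2
      bad=$((bad + 1))
      continue
    fi
    # File names come from the fixed map above, so they contain no quote
    # characters and can be placed inside the SQL string literal as-is.
    printf "update ph_group_update_site set %s='https://%s/malware/%s' where natural_id='%s';\n" \
      "$col" "$fqdn" "$file" "$nid"
  done <<EOF
$FEED_MAP
EOF
  [ "$bad" -eq 0 ]
}

# Usage (assumed host name and output path):
#   sh gen_feed_sql.sh super.example.com /var/www/html/malware > /tmp/feeds.sql
# Review /tmp/feeds.sql, then run: psql -U phoenix -d phoenixdb -f /tmp/feeds.sql
if [ $# -ge 2 ]; then
  gen_update_sql "$1" "$2"
fi
```

Because the script exits non-zero when any file is absent, a wrapper such as `gen_update_sql ... > /tmp/feeds.sql && psql -U phoenix -d phoenixdb -f /tmp/feeds.sql` only touches the database once all eight files are in place; the step 6 backup of ph_group_update_site still applies if you need to restore the original sites.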
Copyright 2024 Fortinet, Inc. All Rights Reserved.