[135436] in North American Network Operators' Group


Re: Update Spamhaus DROP list from Cisco CLI (TCL)

daemon@ATHENA.MIT.EDU (Peter Pauly)
Tue Jan 25 10:30:18 2011

In-Reply-To: <A1B9BAEA8FE39847BCD6C473E894B595027BF5E0@SDEXMB02.Proflowers.com>
Date: Tue, 25 Jan 2011 10:29:30 -0500
From: Peter Pauly <ppauly@gmail.com>
To: Thomas Magill <tmagill@providecommerce.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I made a version of Mr. Magill's script to read dshield.org's block
list and create null routes for it. He deserves all of the credit, but
none of the blame in case it doesn't work for you. I'm not a TCL
programmer - use at your own risk.

Anyone else have any nifty TCL for Cisco scripts they can share? I'm
curious to know what's possible and what people have done.

############################################################
# updatedshield.tcl                                        #
#                                                          #
# Peter Pauly                                              #
#                                                          #
# based on the updatedrop.tcl script by:                   #
# Thomas Magill                                            #
#                                                          #
# Reads Dshield.org block list and null routes it.         #
#                                                          #
# alias exec updatedshield tclsh updatedshield.tcl         #
# Untested in YOUR environment - use at your own risk      #
############################################################

# Convert a CIDR prefix length (e.g. 24) into the dotted-decimal
# netmask (255.255.255.0) that "ip route" expects.
proc convertmask {cidr} {
    set mask [expr {~0 << (32 - $cidr)}]
    format "%d.%d.%d.%d" [expr {$mask >> 24 & 255}] \
        [expr {$mask >> 16 & 255}] [expr {$mask >> 8 & 255}] \
        [expr {$mask & 255}]
}

# Open a plain HTTP/1.0 connection to the URL and return the socket;
# the caller reads the response (headers, then body) line by line.
proc getfile {url} {
    # Port group fixed: "(:([0-9])+)" captured only the last digit.
    if {![regexp -nocase {^(http://)?([^:/]+)(:([0-9]+))?(/.*)} \
            $url x protocol server y port path]} {
        error "bogus URL: $url"
    }
    if {[string length $port] == 0} {
        set port 80
    }
    set sock [socket $server $port]
    puts $sock "GET $path HTTP/1.0"
    puts $sock "Accept: */*"
    puts $sock "Accept-Language: en-us"
    # Host taken from the URL instead of being hard-coded.
    puts $sock "Host: $server"
    # No "Accept-Encoding: gzip, deflate": a compressed body could not
    # be parsed with gets. "close" makes the server hang up after the
    # body, so gets hits EOF and the read loop below terminates.
    puts $sock "Connection: close"
    puts $sock "Cache-Control: no-cache"
    puts $sock ""
    flush $sock
    return $sock
}

# REMOVE OLD Null Routes. Every route tagged Dshield_block is withdrawn
# first, so prefixes that left the feed do not linger. "exec" here is
# the IOS tclsh command that runs an exec-mode IOS command.
set oldline [exec "show run | inc Dshield_block"]
foreach line [split $oldline "\n"] {
    set line [string trim $line]
    if {$line != ""} {
        ios_config "no $line"
    }
}

# UPDATE Blocklist. block.txt is tab separated "start end netmask ..."
# with "#" comment lines and a "Start ..." header row. The HTTP response
# headers contain no tabs, so the regexp simply never matches them.
set newline [getfile www.dshield.org/block.txt]
while {[gets $newline line] >= 0} {
    if {[regexp {(\S+)\t(\S+)\t(\S+)} $line ignore ipaddr endip cidr]} {
        if {$ipaddr == "Start"} continue
        set mask [convertmask $cidr]
        ios_config "ip route $ipaddr $mask null0 name Dshield_block"
    }
}
close $newline
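Since the script installs whatever the plain-HTTP feed returns straight into the routing table, an off-box generator that validates each block.txt row before producing the same "ip route ... null0 name Dshield_block" and "no ..." lines is a useful companion. This Python version is an added example, not code from the post or from DShield; the sample feed is constructed and the MIN_PREFIXLEN cut-off is an assumption, not anything DShield publishes.

```python
import ipaddress

# Constructed sample in the layout of dshield.org/block.txt: "#" comment
# lines, a "Start ..." header, then tab-separated start/end/netmask/... rows.
SAMPLE_BLOCK_TXT = (
    "#   DShield.org Recommended Block List (constructed sample)\n"
    "Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1234\tEXAMPLE-NET\tXX\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t987\tTEST-NET-2\tXX\tabuse@example.org\n"
    "200.0.0.0\t201.255.255.255\t7\t5\tTOO-WIDE\tXX\t-\n"
    "not-an-address\t1.2.3.4\t24\t1\tGARBAGE\tXX\t-\n"
)
ROUTE_NAME = "Dshield_block"
MIN_PREFIXLEN = 16  # assumption: never blackhole anything wider than a /16

def cidr_to_mask(prefixlen):
    """Same job as the script's convertmask: 24 -> '255.255.255.0'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)

def parse_block_list(text, min_prefixlen=MIN_PREFIXLEN):
    """Return (accepted IPv4Network list, rejected raw lines)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3 or fields[0] == "Start":
            continue  # header row, skipped just as the script skips it
        start, _end, prefixlen = fields[:3]
        try:
            net = ipaddress.IPv4Network(f"{start}/{int(prefixlen)}", strict=True)
        except ValueError:
            rejected.append(line)  # not a valid address/prefix pair
            continue
        if net.prefixlen < min_prefixlen:
            rejected.append(line)  # too broad to install unreviewed
            continue
        accepted.append(net)
    return accepted, rejected

def null_route_commands(networks):
    """Config lines equivalent to the script's ios_config call."""
    return [f"ip route {n.network_address} {n.netmask} Null0 name {ROUTE_NAME}"
            for n in networks]

def removal_commands(show_run_output):
    """'no ...' lines for each route 'show run | inc Dshield_block' returns."""
    return [f"no {l.strip()}" for l in show_run_output.splitlines()
            if l.strip().endswith(f"name {ROUTE_NAME}")]
```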

