Creating and Using a Local Blacklist

To use this feature, you must be using version 3.4.0 or higher (we strongly recommend 3.4.1 or higher).

Overview: To create your own blacklist, you will create a file (“/etc/AC-Hunter/blacklist/ips.txt”) on the RITA/AC-Hunter system listing the IPv4 and IPv6 addresses one per line, tell RITA to use this file by editing “rita.yaml”, and load the new addresses into MongoDB. Once this is done, these addresses will be tagged as blacklisted in new data imported from Zeek (previously imported Zeek logs will not be modified).

Detailed steps:

1. Add the following block to “/etc/AC-Hunter/rita.yaml”, verbatim. We don’t recommend changing the filename in this release. Note that the second and third lines must be indented with spaces (YAML does not accept tabs for indentation).

BlackListed:
  # Lists containing both IPv4 and IPv6 addresses are acceptable
  CustomIPBlacklists: ["/etc/AC-Hunter/blacklist/ips.txt"]

2. Create “/etc/AC-Hunter/blacklist/ips.txt” and add your IPs, one per line.

3. After creating this file – and every time you make a change to it – run the following commands:

If you’re running AC-Hunter 4.0.0 or higher:

rita test-config
hunt run --rm db_client mongo_cmd.sh 'db.getSiblingDB("rita-bl").dropDatabase()'
hunt up -d --force-recreate


If you’re running AI-Hunter 3.8.0 or lower:

cd ~/AIH-source/AI-Hunter-latest/
rita test-config
./hunt run --rm db_client mongo_cmd.sh 'db.getSiblingDB("rita-bl").dropDatabase()'
./hunt up -d --force-recreate

“rita test-config” reports any errors in the RITA configuration file; fix them before continuing. The second command drops the existing “rita-bl” blacklist database in MongoDB, and the third recreates the containers so RITA rebuilds that database from the updated ips.txt.

The IP addresses you’ve placed in ips.txt will be tagged as blacklisted in log files imported from this point on. Logs that were imported previously will not show these IP addresses as blacklisted.
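A pre-flight check for the two artifacts the steps above create, as an added example (this script is not part of AC-Hunter or RITA). It validates that every line of ips.txt is a single IPv4 or IPv6 address and that rita.yaml carries the BlackListed block from step 1 with space indentation, so that typos are caught before you run “rita test-config” and drop the rita-bl database. Treating blank lines, comment lines, CIDR ranges and hostnames as errors is this script's assumption: the page documents only plain addresses, one per line.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a local AC-Hunter/RITA IP blacklist (added example).

Validates the two files the procedure creates before reloading the blacklist:
  1. /etc/AC-Hunter/blacklist/ips.txt  -- one IPv4 or IPv6 address per line
  2. /etc/AC-Hunter/rita.yaml          -- the BlackListed/CustomIPBlacklists block

Assumption (not stated in the documentation): blank lines, comments, CIDR
ranges and hostnames are reported as errors because only plain addresses,
one per line, are documented.
"""
import ipaddress
import re
import sys
from pathlib import Path

BLACKLIST_PATH = "/etc/AC-Hunter/blacklist/ips.txt"
RITA_YAML_PATH = "/etc/AC-Hunter/rita.yaml"


def check_blacklist_lines(lines):
    """Validate blacklist entries.

    Returns (addresses, problems): the normalised addresses that parsed, and a
    list of human-readable problems tagged with 1-based line numbers.
    """
    addresses, problems, seen = [], [], set()
    for num, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        entry = line.strip()
        if line != entry:
            problems.append(f"line {num}: leading/trailing whitespace around {entry!r}")
        if not entry:
            problems.append(f"line {num}: blank line")
            continue
        if entry.startswith("#"):
            problems.append(f"line {num}: comment lines are not documented as supported")
            continue
        try:
            addr = ipaddress.ip_address(entry)  # rejects CIDR, hostnames, ports
        except ValueError:
            problems.append(f"line {num}: {entry!r} is not a single IPv4/IPv6 address")
            continue
        if addr in seen:
            problems.append(f"line {num}: duplicate address {addr}")
            continue
        seen.add(addr)
        addresses.append(str(addr))
    return addresses, problems


def check_rita_yaml(text, blacklist_path=BLACKLIST_PATH):
    """Check that rita.yaml carries the BlackListed block from step 1.

    Looks for a top-level 'BlackListed:' key followed (before the next
    top-level key) by a space-indented 'CustomIPBlacklists:' list that names
    blacklist_path. Returns a list of problems; empty means OK.
    """
    problems = []
    if "\t" in text:
        problems.append("rita.yaml contains tab characters; YAML indentation must use spaces")
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.rstrip() == "BlackListed:"]
    if not starts:
        return problems + ["no top-level 'BlackListed:' key found"]
    block = []
    for l in lines[starts[0] + 1:]:
        if l and not l[0].isspace():
            break  # reached the next top-level key
        block.append(l)
    for l in block:
        m = re.match(r"^ +CustomIPBlacklists:\s*\[(.*)\]\s*$", l)
        if m:
            entries = [e.strip().strip("\"'") for e in m.group(1).split(",") if e.strip()]
            if blacklist_path not in entries:
                problems.append(f"CustomIPBlacklists does not list {blacklist_path}: {entries}")
            return problems
    problems.append("'BlackListed:' block has no space-indented 'CustomIPBlacklists:' entry")
    return problems


def main():
    """Run both checks against the real files and exit non-zero on any problem."""
    bl_lines = Path(BLACKLIST_PATH).read_text().splitlines(keepends=True)
    addresses, problems = check_blacklist_lines(bl_lines)
    problems += check_rita_yaml(Path(RITA_YAML_PATH).read_text())
    for p in problems:
        print("PROBLEM:", p)
    print(f"{len(addresses)} address(es) ready to load")
    if problems:
        return 1
    print("Next: run 'rita test-config', drop the rita-bl database, then 'hunt up -d --force-recreate'")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root (the files live under /etc/AC-Hunter) before step 3; a non-zero exit means something in ips.txt or rita.yaml needs fixing first. The YAML check is deliberately a line-level pattern match rather than a full YAML parse, so it needs no third-party module on the AC-Hunter host.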

Category: AC-Hunter General