
ioc2rpz for air gapped networks

Vadim edited this page Oct 24, 2018 · 9 revisions


Overview

ioc2rpz supports local files as sources and doesn't require an Internet connection, so it is well suited to deployment in air-gapped environments.

The files with indicators have to be moved manually from an Internet-connected network using any storage device, e.g. a USB stick. Once the local files have been updated there are 2 options:
- force a zone reload via the GUI or an API call;
- wait for the automatic zone update.
Sources are checked for updates by checksum, so zones are regenerated only when the source files have actually changed. After a zone update ioc2rpz can notify secondary DNS servers using DNS NOTIFY messages.

Internet connected server/workstation

On an Internet-connected server/workstation it is recommended to run a scheduled task that fetches the indicators of compromise. The indicators can be saved into a single file, but it is recommended to keep domain/fqdn-based and IP-based sources in separate files, even though there is little or no risk of exfiltrating data from an air-gapped environment via DNS. If the environment allows it, filtering and any required source modifications should be done on the Internet-connected system.

How to get RPZ feeds

Using standard network tools it is possible to download RPZ feeds and save them into files which can later be consumed by ioc2rpz in an air-gapped environment. Below you can find 2 crontab jobs, one for fqdn-based and one for IP-based feeds. The jobs download the feeds and save them into separate files; the RPZ IP rules are transformed into IP networks in CIDR notation. A few modifications are required to support RPZ NS (fqdn- and IP-based) rules. domain_feeds.txt and ip_feeds.txt contain the feed names and should be located in the {{CACHEDIR}} directory; the feeds are saved into the same directory. Before running the jobs replace the {{TSIGKEYNAME}}, {{TSIGKEY}} and {{SERVER}} placeholders with the relevant values.

Crontab for domain/fqdn-based feeds:

42 * * * * cd {{CACHEDIR}}; while read -r line; do (dig -y {{TSIGKEYNAME}}:{{TSIGKEY}} @{{SERVER}} "$line" axfr | grep -v '^\*\.' | tail -n +10 | sed "s/\.$line.*//" > "$line"); done < domain_feeds.txt

File domain_feeds.txt

base.rpz.infoblox.local
antimalware.rpz.infoblox.local
ransomware.rpz.infoblox.local
multi-domain.surbl.rpz.infoblox.local
fresh-domain.surbl.rpz.infoblox.local

Crontab for IP-based feeds:

42 * * * * cd {{CACHEDIR}}; while read -r line; do (dig -y {{TSIGKEYNAME}}:{{TSIGKEY}} @{{SERVER}} "$line" axfr | grep -v '^\*\.' | tail -n +10 | sed "s/\.rpz-ip\.$line.*//" | awk -F "." '{print $5"."$4"."$3"."$2"/"$1}' > "$line"); done < ip_feeds.txt

File ip_feeds.txt

dhs-ais-ip.rpz.infoblox.local
nccic-ip.rpz.infoblox.local
antimalware-ip.rpz.infoblox.local
bot-ip.rpz.infoblox.local
exploitkit-ip.rpz.infoblox.local
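The two crontab jobs above do their work with grep, sed and awk; the following script is an added example, not part of ioc2rpz or of this page's jobs, that performs the same transformation in Python on a saved `dig ... axfr` dump so it can be checked offline before the files are carried across the air gap. It skips dig's comment lines instead of relying on `tail -n +10`, drops wildcard entries, converts IPv4 rpz-ip rules to CIDR, and also separates the rpz-nsip and rpz-nsdname rules that the page says need extra handling. The sample zone transfer, the hostnames and the 192.0.2.0/24 addresses in it are constructed; the feed name base.rpz.infoblox.local is taken from the list above. The `render_source` helper sorts and deduplicates the output so the file checksum that ioc2rpz uses for change detection only changes when the set of indicators changes, not when the transfer merely returns records in a different order.

```python
"""Convert RPZ zone-transfer output into ioc2rpz local source files.

Added example (not ioc2rpz code). Assumptions: input is the text output of
`dig ... axfr`, the zone name is known, and only IPv4 rpz-ip/rpz-nsip rules
appear (IPv6 labels are rejected rather than silently mangled).
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class RpzRules:
    domains: list = field(default_factory=list)      # QNAME rules, one fqdn per line
    networks: list = field(default_factory=list)     # rpz-ip rules as CIDR
    ns_domains: list = field(default_factory=list)   # rpz-nsdname rules
    ns_networks: list = field(default_factory=list)  # rpz-nsip rules as CIDR


def reversed_ip_to_cidr(label: str) -> str:
    """'24.0.2.0.192' -> '192.0.2.0/24' (the awk step of the page's IP job)."""
    parts = label.split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported rpz-ip label (IPv4 only): {label}")
    prefix, octets = parts[0], parts[1:]
    return ".".join(reversed(octets)) + "/" + prefix


def parse_axfr(text: str, zone: str) -> RpzRules:
    """Split an AXFR dump of one RPZ zone into the four rule families."""
    rules = RpzRules()
    suffix = "." + zone.rstrip(".")
    for raw in text.splitlines():
        line = raw.strip()
        # dig's header, ';;' comments and blank lines carry no records
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner = fields[0].rstrip(".")
        # apex records (SOA, NS) do not end with '.<zone>' and are skipped
        if not owner.endswith(suffix):
            continue
        name = owner[: -len(suffix)]
        # drop wildcard entries, as grep -v '^\*\.' does in the crontab job
        if name.startswith("*."):
            continue
        if name.endswith(".rpz-ip"):
            rules.networks.append(reversed_ip_to_cidr(name[: -len(".rpz-ip")]))
        elif name.endswith(".rpz-nsip"):
            rules.ns_networks.append(reversed_ip_to_cidr(name[: -len(".rpz-nsip")]))
        elif name.endswith(".rpz-nsdname"):
            rules.ns_domains.append(name[: -len(".rpz-nsdname")])
        elif name.endswith(".rpz-client-ip"):
            continue  # client-address triggers are policy, not indicators
        else:
            rules.domains.append(name)
    return rules


def render_source(entries) -> str:
    """Sorted, deduplicated file body: the checksum changes only with the IoC set."""
    return "\n".join(sorted(set(entries))) + "\n"


def source_digest(content: str) -> str:
    """SHA-256 of a rendered source file, comparable across runs."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed sample of what `dig ... base.rpz.infoblox.local axfr` prints.
SAMPLE_AXFR = """\
; <<>> DiG 9.16.1 <<>> @rpz.example.test base.rpz.infoblox.local axfr
;; global options: +cmd
base.rpz.infoblox.local.\t3600\tIN\tSOA\tns.example.test. hostmaster.example.test. 2018102401 3600 600 86400 3600
base.rpz.infoblox.local.\t3600\tIN\tNS\tns.example.test.
bad.example.test.base.rpz.infoblox.local.\t3600\tIN\tCNAME\t.
*.bad.example.test.base.rpz.infoblox.local.\t3600\tIN\tCNAME\t.
24.0.2.0.192.rpz-ip.base.rpz.infoblox.local.\t3600\tIN\tCNAME\t.
32.1.2.0.192.rpz-nsip.base.rpz.infoblox.local.\t3600\tIN\tCNAME\t.
ns.evil.example.test.rpz-nsdname.base.rpz.infoblox.local.\t3600\tIN\tCNAME\t.
base.rpz.infoblox.local.\t3600\tIN\tSOA\tns.example.test. hostmaster.example.test. 2018102401 3600 600 86400 3600
;; Query time: 3 msec
"""

if __name__ == "__main__":
    rules = parse_axfr(SAMPLE_AXFR, "base.rpz.infoblox.local")
    body = render_source(rules.networks)
    print(body, source_digest(body))
```

To use it on a real feed, replace `SAMPLE_AXFR` with the captured dig output and write `render_source(rules.domains)` and `render_source(rules.networks)` to the per-feed files that ioc2rpz reads from {{CACHEDIR}}.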

ioc2rpz in an air-gapped network

There is no configuration specific to air-gapped environments: simply use the files downloaded on the Internet-connected system as local file sources.