Windows and OSSEC ipsec blocks
Today I started toying with the idea of using OSSEC active response on Windows. My goal is to block a whole IP; you can block by port or traffic type as well, and if anyone wants that, let me know. The first piece of work to share (netsh needs a name= for the policy and the set command, and filteraction= refers to a named filter action, so one is created first):
netsh ipsec static add policy name=ossec description="ossec block list"
netsh ipsec static add filter filterlist=ossecfilter srcaddr=18.104.22.168 dstaddr=me protocol=tcp mirrored=yes
netsh ipsec static add filteraction name=ossecblock action=block
netsh ipsec static add rule name=ossecrule policy=ossec filterlist=ossecfilter filteraction=ossecblock description="list of ips to block"
netsh ipsec static set policy name=ossec assign=y
This blocks windowsnerd.com.
Add another entry for slashdot. IPsec doesn't like an empty filter list, so leave one address in there to seed it; it gets deleted in a later step:
netsh ipsec static add filter filterlist=ossecfilter srcaddr=22.214.171.124 dstaddr=me protocol=tcp mirrored=yes
Now if you open the IPsec MMC snap-in, you will see the assigned policy; open it and you will see an entry for each IP.
Try going to windowsnerd.com, slashdot.com and another page. The first two will not work; all traffic to those addresses has been blocked.
netsh ipsec static delete filter filterlist=ossecfilter srcaddr=126.96.36.199 dstaddr=me protocol=tcp mirrored=yes
Repeat: now you can block and unblock by running the static add and static delete commands over and over. They update the policy you created in the first step. Not quite as cool as adding to hosts.deny and the firewall, but the same end result.
This example is meant to be driven by an application like OSSEC. If you want, you can filter by port, IP address, DNS name, whatever you need.
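To tie the add/delete commands to OSSEC, here is an added example of an active-response style wrapper script; it is not code from the original post or from OSSEC. It assumes OSSEC's Windows active-response argument order of action, user, source IP, that the policy, filter list and block rule from the post have already been created once, and that the agent is installed under $env:ProgramFiles\ossec-agent.

```powershell
<#
  Added example, not from the original post or from OSSEC. Assumptions:
  argument order <action> <user> <srcip>, the "ossec" policy and
  "ossecfilter" list already exist, and the agent lives under
  $env:ProgramFiles\ossec-agent.
#>
param(
    [Parameter(Mandatory = $true)][ValidateSet('add', 'delete')][string]$Action,
    [string]$User,                                  # unused; keeps OSSEC's positional order
    [Parameter(Mandatory = $true)][string]$SrcIp
)

$FilterList = 'ossecfilter'
$LogFile    = Join-Path $env:ProgramFiles 'ossec-agent\active-response\active-responses.log'
# Addresses that must never be blocked or the agent cuts itself off:
# loopback plus a placeholder for the OSSEC manager's address (assumption).
$NeverBlock = @('127.0.0.1', '<ossec-manager-ip>')

function Write-ArLog([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# Accept only a dotted-quad IPv4 address. The value comes straight from the
# alert's srcip field, so names or stray netsh parameters are refused.
function Test-IPv4([string]$Value) {
    if ($Value -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') { return $false }
    foreach ($i in 1..4) { if ([int]$Matches[$i] -gt 255) { return $false } }
    return $true
}

if (-not (Test-IPv4 $SrcIp)) {
    Write-ArLog "refused: '$SrcIp' is not an IPv4 address"
    exit 1
}
if ($NeverBlock -contains $SrcIp) {
    Write-ArLog "refused: $SrcIp is on the never-block list"
    exit 1
}

# Identical filter parameters for add and delete: netsh only removes a
# filter whose parameters match the ones it was created with.
$netshArgs = @('ipsec', 'static', $Action, 'filter',
               "filterlist=$FilterList", "srcaddr=$SrcIp", 'dstaddr=me',
               'protocol=tcp', 'mirrored=yes')
& netsh.exe @netshArgs | Out-Null
Write-ArLog "$Action $SrcIp via netsh ipsec (exit code $LASTEXITCODE)"
exit $LASTEXITCODE
```

protocol=tcp mirrors the post's commands and therefore only matches TCP; use protocol=any if the intent is really to drop everything from the address. Test the delete path as well, since OSSEC calls the script again with "delete" when the block timeout expires.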