Dear all,
I saw several script examples that downloaded the DShield list via a Linux box, then uploaded it to the Mikrotik and executed its contents.
I have used those examples, but thought that for the DShield one which updates frequently I might as well see if one could update it more frequently from within Mikrotik itself. The other lists don’t update as frequently as DShield.
I therefore created this script that adds the Class C IPs to a “blacklist_dynamic” address-list.
If DShield changes the Class of IPs that they “mention”, then this script will fail. But it would not be serious to implement that as well.
Please provide improvements where you see fit.
:local lineEnd 0;
:local lineStart 0;
:local lineContents "";
:local tempPos 0;
:local address "";
:local fileContent "";
:local fileLen 0;

# Remove any copy left over from the previous run
:if ([:len [/file find name="block.txt"]] > 0) do={
    :do {
        /file remove "block.txt";
    }
}

# Download the current list and read it into a variable
/tool fetch url="http://feeds.dshield.org/block.txt" mode=http
:set fileContent [/file get [/file find name=block.txt] contents];
:set fileLen [:len $fileContent];

# Walk through the file one line at a time
:while ($lineEnd < $fileLen) do={
    :set lineEnd [:find $fileContent "\n" $lineStart];
    # No further newline found: treat the rest of the file as the last line
    :if ([:len $lineEnd] = 0) do={
        :set lineEnd $fileLen;
    }
    :set lineContents [:pick $fileContent $lineStart $lineEnd];
    :set lineStart ($lineEnd + 1);

    # Skip comment lines (anything containing "#")
    :set tempPos [:len [:find $lineContents "#"]];
    :if ($tempPos = 0) do={
        # Only handle lines that contain a network address ending in ".0"
        :set tempPos [:len [:find $lineContents ".0"]];
        :if ($tempPos > 0) do={
            # The first tab-separated field is the start of the Class C block
            :set address [:pick $lineContents 0 [:find $lineContents "\t"]];
            :set address ($address . "/24");
            # on-error keeps the loop going when the entry already exists
            :do {
                /ip firewall address-list add address=$address comment="Suspicious IP Domain Behaviour - Downloaded Daily from DShield" disabled=no list="blacklist_dynamic" timeout=24:00:00
            } on-error={}
        }
    }
}
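For the off-router approach mentioned at the top of the post (prepare the list on a Linux box, then import it), here is an added example that is not part of the original post: it validates each feed entry before turning it into the same address-list command, which matters because the list is fetched over plain HTTP. The function names, the `NEVER_BLOCK` and `MIN_PREFIX` policy and the sample data are assumptions, as is the feed layout with the prefix length in the third tab-separated column.

```python
import ipaddress

# Constructed sample, not real feed data. Assumed layout: '#' comment lines,
# a header row, then tab-separated start, end, prefix length, ...
SAMPLE = (
    "# constructed comment line\n"
    "Start\tEnd\tNetmask\tAttacks\n"
    "198.51.100.0\t198.51.100.255\t24\t1200\n"
    "203.0.113.0\t203.0.113.255\t24\t900\n"
    "10.0.0.0\t10.255.255.255\t8\t50\n"
    "192.168.1.0\t192.168.1.255\t24\t7\n"
    "0.0.0.0\t255.255.255.255\t0\t1\n"
    "not-an-ip\tx\t24\t1\n"
)

# Ranges that must never land in the block list (assumed policy; extend it
# with your own management networks).
NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
MIN_PREFIX = 16  # refuse anything wider than a /16 (assumed policy)


def parse_feed(text):
    """Return (accepted networks, rejected raw lines)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if fields[0] == "Start":  # header row
            continue
        try:
            # strict=True rejects start addresses that have host bits set
            net = ipaddress.IPv4Network(f"{fields[0]}/{fields[2]}", strict=True)
        except (ValueError, IndexError):
            rejected.append(line)
            continue
        if net.prefixlen < MIN_PREFIX or any(net.overlaps(n) for n in NEVER_BLOCK):
            rejected.append(line)
        elif net not in accepted:
            accepted.append(net)
    return accepted, rejected


def to_routeros(networks):
    """Render one address-list command per network, as in the script above."""
    return [f'/ip firewall address-list add address={n} '
            f'list="blacklist_dynamic" timeout=24:00:00' for n in networks]
```

Writing the output of `to_routeros` to a file gives a script that can be uploaded and imported on the router; the rejected lines are worth logging, since an unexpected entry may indicate a changed or tampered feed.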