Dynamic firewall using Event Driven Ansible and AlienVault's OTX
- Host: GitHub
- URL: https://github.com/konstruktoid/ansible-event-otx
- Owner: konstruktoid
- License: apache-2.0
- Created: 2022-12-05T21:55:26.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-04-26T08:54:55.000Z (7 months ago)
- Last Synced: 2024-05-01T13:49:55.556Z (7 months ago)
- Topics: alienvault-otx, ansible, event-driven-ansible, firewall-configuration
- Language: Python
- Homepage:
- Size: 186 KB
- Stars: 2
- Watchers: 3
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# Dynamic firewall using Event Driven Ansible and AlienVault's OTX
This is an example of how to use [ansible-rulebook](https://github.com/ansible/ansible-rulebook/)
to dynamically update a firewall blocklist using
[AlienVault's Open Threat Exchange (OTX)](https://otx.alienvault.com/) as an
event source.

## Quickstart
If you prefer working with Fedora, replace `ubuntu` with `fedora` in the code
block below.

```sh
vagrant up ubuntu
vagrant ssh ubuntu
git clone https://github.com/ansible/event-driven-ansible.git
cd event-driven-ansible || exit 1
ansible-galaxy collection install --force .
cd .. || exit 1
export OTX_APIKEY="YOUR_OTX_APIKEY"
cp /vagrant/*.yml .
ansible-rulebook --inventory inventory --rulebook otx.yml --source-dir /vagrant/
```

## Structure
```console
.
├── otx.py
├── otx.yml
└── otx_ufw.yml
```

### Event source - `otx.py`
Stream subscribed OTX events.
#### Arguments
##### count
Minimum number of related pulses required before an IP is added to the
blocklist.

### Rulebook - `otx.yml`
```yml
- name: otx events
  hosts: all
  sources:
    - name: Match all messages
      ansible.eda.otx:
        count: "1"
  rules:
    - name: Send to playbook
      condition: event.otx is defined
      action:
        run_playbook:
          name: otx_ufw.yml
```

### Playbook - `otx_ufw.yml`
```yml
- name: otx events
  hosts: all
  tasks:
    - name: Deny OTX indicator address
      become: true
      community.general.ufw:
        rule: deny
        src: '{{ event.otx.ip }}'
        comment: "ansible managed - OTX indicator"
```
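Everything the event source emits ends up as a `ufw` deny rule through `event.otx.ip`, so the filtering in front of the playbook is where this design succeeds or fails. The following is an added example (not the repository's `otx.py`) of that stage: it applies the `count` threshold from `otx.yml`, drops malformed indicators, and refuses to emit addresses from RFC1918, loopback, link-local and ULA ranges that a deny rule would cut the host off from. The pulse layout (a dict with an `indicators` list of `indicator`/`type` entries), the `SAMPLE_PULSES` data and the `NEVER_BLOCK` list are assumptions made for the example.

```python
"""Added example, not the repository's otx.py: turn OTX pulse indicators into
the {"otx": {"ip": ...}} events that otx.yml matches and otx_ufw.yml consumes.
Assumed pulse layout: dict with an "indicators" list of {"indicator", "type"}."""
import ipaddress
from collections import defaultdict

# Constructed sample data: three pulses, one address shared by two of them.
SAMPLE_PULSES = [
    {"name": "pulse-a", "indicators": [
        {"indicator": "198.51.100.7", "type": "IPv4"},
        {"indicator": "203.0.113.9", "type": "IPv4"},
        {"indicator": "evil.example", "type": "domain"}]},
    {"name": "pulse-b", "indicators": [
        {"indicator": "198.51.100.7", "type": "IPv4"},
        {"indicator": "10.0.0.5", "type": "IPv4"}]},  # RFC1918: never block
    {"name": "pulse-c", "indicators": [
        {"indicator": "2001:db8::1", "type": "IPv6"},
        {"indicator": "not-an-ip", "type": "IPv4"}]},  # malformed: skipped
]

# Ranges a feed must never turn into a ufw deny rule. Listed explicitly instead
# of using ip.is_private, which would also reject the RFC5737 sample addresses.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def pulse_counts(pulses):
    """Map each usable IP indicator to the number of distinct pulses citing it."""
    seen = defaultdict(set)
    for idx, pulse in enumerate(pulses):
        for ind in pulse.get("indicators", []):
            if ind.get("type") not in ("IPv4", "IPv6"):
                continue
            try:
                ip = ipaddress.ip_address(ind["indicator"])
            except ValueError:
                continue  # garbage never reaches the firewall task
            if any(ip in net for net in NEVER_BLOCK):
                continue
            seen[str(ip)].add(idx)
    return {ip: len(ids) for ip, ids in seen.items()}


def otx_events(pulses, count="1"):
    """One event per IP cited by at least `count` pulses (a string, as in otx.yml)."""
    threshold = int(count)
    return [{"otx": {"ip": ip, "pulses": n}}
            for ip, n in sorted(pulse_counts(pulses).items()) if n >= threshold]
```

With `count="2"` only `198.51.100.7` qualifies; the `10.0.0.5` indicator is discarded regardless of how many pulses cite it.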