Bulk import MS-ISAC malware domains into Untangle Firewall’s web filter

As a member of MS-ISAC, I get the weekly block-list emails of IPs and domains that the MS-ISAC community has identified as malicious. One of the challenges I have is getting this data into Untangle Firewall for my government clients.

If you are familiar with Untangle Firewall, then you will know that importing malware IPs into Untangle is easy: just take the IP addresses, use the Excel “concatenate” function to add a “,” delimiter between the IP addresses or CIDR blocks, then copy/paste the result into a firewall rule.

But importing URLs into Untangle is a pain! There is no easy way to copy/paste bulk domains into Untangle and trying to manipulate a .JSON file manually is difficult.

But then “Unravel” came along. Unravel uses PHP and .NET 4.0 to import a .txt or .csv bulk file and spits out a .JSON file that you can prepend, append, or replace your Block Sites with.

Need some step by step action?

  1. Download Unravel here: https://frab.eu/dev/unravel/
    1. If that link breaks use my alternate URL here: https://www.dropbox.com/s/enmb5ripl48bzcx/unravel.zip?dl=0
      MD5 file hash: 125A095CF3AF619A3274DA279CED7DBD
  2. Extract Unravel to a directory.
  3. Compile your destination block URLs. If you just want a simple block with no description, dump them into a .txt file.
  4. Fire up a command prompt, navigate to your Unravel directory, then run the command: unravel.exe WriteJson [sourcefile].[txt or csv] badsites.json
  5. Next, import your file into Untangle. Don’t forget to back up your source rule set first.
  6. You should now see your block list following your existing rule set. Simply click “save” and you’re all done!

As you add more sites to your .txt file, continue to generate new .JSON files for your domains. Remember to back up your existing list first, then prepend or append the newly added domains. Duplicate domains will be added to your block list, so you’ll need to ensure duplicates are removed prior to importing.
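One way to remove duplicates before running Unravel, as an added example that is not part of the original post or of Unravel itself: it normalizes each entry to a bare host name, so case variants, trailing dots and defanged entries collapse to one, and drops anything already in your existing list. It assumes a simple .txt with one entry per line and an existing block list exported as one domain per line; the file names in the usage comment are hypothetical.

```python
import re
import sys

# Constructed sample entries (not real indicators); example.* names are reserved.
SAMPLE = ["Example.COM", "hxxp://bad[.]example[.]net/login", "example.com.",
          "192.0.2.10", "", "# note", "bad.example.net:8080", "new.example.org"]

# Host name check: dot-separated labels, final label starts with a letter so
# bare IP addresses (which belong in a firewall rule instead) are rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{1,62}$")


def normalize(entry):
    """Return a canonical lowercase host name, or None if entry is not a domain."""
    s = entry.strip().lower()
    if not s or s.startswith("#"):
        return None
    s = s.replace("[.]", ".").replace("(.)", ".")    # undo defanging
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)      # drop scheme (http, hxxp, ...)
    s = re.split(r"[/?#]", s, maxsplit=1)[0]         # drop path, query, fragment
    s = s.rsplit("@", 1)[-1]                         # drop userinfo
    s = re.sub(r":\d+$", "", s).rstrip(".")          # drop port and trailing dot
    return s if _HOST_RE.match(s) else None


def new_domains(candidates, existing=()):
    """Normalized candidates, first-seen order, minus anything in existing."""
    seen = {d for d in map(normalize, existing) if d}
    out = []
    for raw in candidates:
        d = normalize(raw)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def read_lines(path):
    with open(path, encoding="utf-8") as f:
        return f.read().splitlines()


if __name__ == "__main__":
    # usage: python dedupe_domains.py weekly.txt [already_blocked.txt] > import.txt
    args = sys.argv[1:]
    fresh = read_lines(args[0]) if args else SAMPLE
    old = read_lines(args[1]) if len(args) > 1 else []
    print("\n".join(new_domains(fresh, old)))
```

Paths are discarded, so an entry that names a single URL becomes a block on the whole host; review the output before feeding it to Unravel.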

Happy blocking!
