CrowdSec Integration

Step-by-step guide to importing the ThreatHive blocklist

Integration Steps
  1. Ensure CrowdSec is Installed: Follow the official guide at docs.crowdsec.net if not already installed.
  2. Create the ThreatHive Import Script:

    Save the following script to /usr/local/bin/import_threathive.sh and make it executable:

    #!/bin/bash

    BLOCKLIST_URL="https://threathive.net/hiveblocklist.txt"
    # Private work directory: the script runs as root, so avoid fixed file names in /tmp
    WORKDIR="$(mktemp -d)" || exit 1
    trap 'rm -rf "$WORKDIR"' EXIT
    TMPFILE="$WORKDIR/hiveblocklist.txt"
    IMPORTFILE="$WORKDIR/hiveblocklist_bulk.json"

    # Download blocklist (-f: fail on HTTP errors instead of saving the error page)
    curl -fsS "$BLOCKLIST_URL" -o "$TMPFILE" || exit 1

    # Remove decisions from the previous import (matches the "origin" set in the JSON below)
    sudo cscli decisions delete --origin "threathive" > /dev/null

    # Create bulk JSON
    echo "[" > "$IMPORTFILE"
    first=1
    while read -r ip || [ -n "$ip" ]; do
        ip="${ip%$'\r'}"    # drop a trailing CR from CRLF line endings
        # Skip comments and blank lines
        [[ "$ip" =~ ^#.*$ || -z "$ip" ]] && continue
        if [ $first -eq 0 ]; then
            echo "," >> "$IMPORTFILE"
        fi
        echo "{\"type\": \"ban\", \"value\": \"$ip\", \"origin\": \"threathive\", \"scenario\": \"external blocklist\", \"duration\": \"24h\"}" >> "$IMPORTFILE"
        first=0
    done < "$TMPFILE"
    echo "]" >> "$IMPORTFILE"

    # Import in bulk
    sudo cscli decisions import -i "$IMPORTFILE" --duration 24h

    Make it executable:

    sudo chmod +x /usr/local/bin/import_threathive.sh
  3. Run the Script Manually:

    Execute the script to fetch and ban the latest IPs:

    sudo /usr/local/bin/import_threathive.sh

    Sample output:

    INFO[0000] 0 decision(s) deleted
    Parsing json
    You are about to add 88994 decisions, this may take a while
  4. Verify Imported Bans:

    Check that IPs were successfully added:

    sudo cscli decisions list

    You should see IPs like:

    | 204335 | threathive | Ip:1.0.254.208 | threathive | ban | ... |
  5. Automate Daily Import with Cron:

    Edit the root crontab:

    sudo crontab -e

    Add this line to run the script every day at midnight and suppress output:

    0 0 * * * /usr/local/bin/import_threathive.sh > /dev/null 2>&1
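
The import script in step 2 copies every non-comment line of the downloaded feed straight into the JSON passed to cscli decisions import, so a malformed or tampered feed decides what root imports. The following added example (not part of the ThreatHive guide or of CrowdSec) validates each entry and refuses a feed with too few valid entries. The function names, the MIN_ENTRIES threshold and the IPv4-only rule are assumptions; IPv6 lines would be counted as rejected.

```bash
#!/bin/sh
# Added example: validate feed lines before building the cscli import file.
# Function names and MIN_ENTRIES are assumptions, not part of the guide.
MIN_ENTRIES=${MIN_ENTRIES:-1}   # refuse a feed with fewer valid entries than this
CR=$(printf '\r')

# is_ipv4 VALUE: succeeds only for a.b.c.d or a.b.c.d/0-32.
is_ipv4() {
    _addr=${1%%/*}
    case $1 in */*) _prefix=${1#*/} ;; *) _prefix=32 ;; esac
    case $_prefix in ''|*[!0-9]*|???*|0?*) return 1 ;; esac
    [ "$_prefix" -le 32 ] || return 1
    case $_addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $_addr; IFS=$_ifs     # split into octets
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$_octet" -le 255 ] || return 1
    done
}

# build_import_json FEED OUT: writes a JSON array of ban decisions to OUT, prints
# "accepted rejected", and fails when accepted < MIN_ENTRIES. The ( ) body runs in
# a subshell so its variables stay local.
build_import_json() (
    accepted=0; rejected=0; sep=''
    printf '[' > "$2"
    while read -r line || [ -n "$line" ]; do       # default IFS trims blanks
        line=${line%"$CR"}                         # tolerate CRLF feeds
        case $line in ''|'#'*) continue ;; esac
        if is_ipv4 "$line"; then
            printf '%s\n{"type": "ban", "value": "%s", "origin": "threathive", "scenario": "external blocklist", "duration": "24h"}' \
                "$sep" "$line" >> "$2"
            sep=','; accepted=$((accepted + 1))
        else
            rejected=$((rejected + 1))             # never copied into the JSON
        fi
    done < "$1"
    printf '\n]\n' >> "$2"
    echo "$accepted $rejected"
    [ "$accepted" -ge "$MIN_ENTRIES" ]
)
```

To use it, replace the JSON-building loop with `build_import_json "$TMPFILE" "$IMPORTFILE" || exit 1` and place that call before the `cscli decisions delete` line, so a bad download never clears the existing bans.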